Commit
proxy: Distinguish between proxy and other local processes

The datapath used a simple sip == HOST_IP to detect local proxy traffic to bypass the proxy on the second pass through. This logic is flawed and causes the proxy to be bypassed in the following legitimate situations:

* local process uses HOST_IP as source and talks to local endpoint
* both egress and ingress proxy are injected between two local endpoints

This commit fixes this situation by:

* Introducing a new custom dialer for the proxy. This is required because net.Dial() does not allow to set a socket option between creating the socket and calling connect(). Access to the socket is required to set the SO_MARK before the connect() to ensure that the first SYN packet contains the proper SO_MARK.
* Replacing net.Listen() with custom code so we can set the SO_MARK before calling syscall.Listen() to ensure that all child sockets inherit the SO_MARK. This ensures that even the SYN+ACK generated by the kernel will have proper packet markings.
* Extending the SO_MARK to contain a magic marker in the lower 12 bits of skb->mark (0xFEA for ingress proxy, 0xFEB for egress proxy), thus allowing to detect packets from the proxy by matching against the magic marker. The identity is moved to the upper 16 bits of skb->mark. The skb->mark is cleared on veth traversal, so we match against the magic marker at egress on the way out to cilium_host and set a flag in tc_index to indicate skipping the proxy. tc_index is preserved across veth boundaries. The mark is matched in an IP routing rule and causes packets from the proxies to use a different routing table. This allows to route all packets from proxies through cilium_host regardless of their destination. The BPF program attached to cilium_host can then perform the proxy reverse translation and route accordingly.
* Only skipping the ingress proxy if the packet is coming from the ingress proxy. If the packet is coming from an egress proxy, it may still need to go through the ingress proxy of the destination endpoint.
* Fixing the BPF program attached to cilium_host to recognize host IPs which are outside of the cluster prefix so it can route back into the host.
* Adding a test to tests/10-proxy.sh which covers both an egress and ingress proxy in the path.

Signed-off-by: Thomas Graf <thomas@cilium.io>
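The custom dialer and listener the commit message describes, together with the skb->mark layout (identity in the upper 16 bits, 0xFEA/0xFEB magic marker in the lower 12 bits), as an added Go example that is not Cilium's own code. It assumes Linux and IPv4 TCP; the names DialMarked, ListenMarked, EncodeMark, DecodeMark and IsProxyMark and the identity value 1234 are constructed for illustration. The point it shows is the ordering: SO_MARK is set on the raw file descriptor after socket() but before connect() or listen(), which net.Dial()/net.Listen() do not allow, so the SYN, the kernel-generated SYN+ACK and every accepted child socket already carry the mark. Setting SO_MARK requires CAP_NET_ADMIN, so the socket paths fail with EPERM when run unprivileged; the mark helpers run anywhere.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"syscall"
)

// Mark layout from the commit message: identity in the upper 16 bits of
// skb->mark, proxy magic marker in the lower 12 bits.
const (
	MagicIngressProxy = 0xFEA
	MagicEgressProxy  = 0xFEB
	magicMask         = 0xFFF
	identityShift     = 16
)

// EncodeMark builds the skb->mark value for an identity and a proxy marker.
func EncodeMark(identity uint32, magic uint32) uint32 {
	return (identity << identityShift) | (magic & magicMask)
}

// DecodeMark splits a mark back into identity and magic marker.
func DecodeMark(mark uint32) (identity uint32, magic uint32) {
	return mark >> identityShift, mark & magicMask
}

// IsProxyMark is the check the datapath performs instead of sip == HOST_IP:
// does the lower 12 bits carry one of the proxy magic markers?
func IsProxyMark(mark uint32) bool {
	_, magic := DecodeMark(mark)
	return magic == MagicIngressProxy || magic == MagicEgressProxy
}

// markedSocket creates an IPv4 TCP socket and sets SO_MARK on it before any
// connect()/listen(), so the very first packet the kernel emits is marked.
// Needs CAP_NET_ADMIN; without it setsockopt returns EPERM.
func markedSocket(mark uint32) (int, error) {
	fd, err := syscall.Socket(syscall.AF_INET, syscall.SOCK_STREAM|syscall.SOCK_CLOEXEC, 0)
	if err != nil {
		return -1, err
	}
	if err := syscall.SetsockoptInt(fd, syscall.SOL_SOCKET, syscall.SO_MARK, int(mark)); err != nil {
		syscall.Close(fd)
		return -1, fmt.Errorf("setting SO_MARK: %w", err)
	}
	return fd, nil
}

func sockaddr(addr *net.TCPAddr) *syscall.SockaddrInet4 {
	sa := &syscall.SockaddrInet4{Port: addr.Port}
	copy(sa.Addr[:], addr.IP.To4()) // nil IP leaves 0.0.0.0
	return sa
}

// DialMarked replaces net.Dial: SO_MARK is set between socket() and
// connect(), so the SYN itself carries the mark.
func DialMarked(mark uint32, addr *net.TCPAddr) (net.Conn, error) {
	fd, err := markedSocket(mark)
	if err != nil {
		return nil, err
	}
	if err := syscall.Connect(fd, sockaddr(addr)); err != nil {
		syscall.Close(fd)
		return nil, err
	}
	f := os.NewFile(uintptr(fd), "marked-conn")
	defer f.Close() // net.FileConn dup()s the fd; only this copy is closed
	return net.FileConn(f)
}

// ListenMarked replaces net.Listen: SO_MARK is set before listen(), so the
// kernel's SYN+ACK and every accepted child socket inherit it.
func ListenMarked(mark uint32, addr *net.TCPAddr) (net.Listener, error) {
	fd, err := markedSocket(mark)
	if err != nil {
		return nil, err
	}
	if err := syscall.Bind(fd, sockaddr(addr)); err != nil {
		syscall.Close(fd)
		return nil, err
	}
	if err := syscall.Listen(fd, syscall.SOMAXCONN); err != nil {
		syscall.Close(fd)
		return nil, err
	}
	f := os.NewFile(uintptr(fd), "marked-listener")
	defer f.Close()
	return net.FileListener(f)
}

func main() {
	mark := EncodeMark(1234, MagicEgressProxy) // constructed identity
	fmt.Printf("mark=0x%08x proxy=%v\n", mark, IsProxyMark(mark))
	ln, err := ListenMarked(mark, &net.TCPAddr{IP: net.IPv4(127, 0, 0, 1)})
	if err != nil {
		fmt.Println("listen failed (needs CAP_NET_ADMIN):", err)
		return
	}
	defer ln.Close()
	fmt.Println("listening with SO_MARK set on", ln.Addr())
}
```

The accepted sockets returned by the listener keep the mark, which is what lets a later routing rule matching on fwmark steer all proxy-originated packets (including the return direction) through cilium_host, as the commit message describes.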
Showing 10 changed files with 616 additions and 144 deletions.