datapath: Improve BPF SNAT address selection #17158

brb opened this issue Aug 13, 2021 · 3 comments
Labels
feature/snat Relates to SNAT or Masquerading of traffic kind/feature This introduces new functionality. pinned These issues are not marked stale by our issue bot. sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. sig/kernel Requires upstream work in the Linux kernel.

Comments

brb commented Aug 13, 2021

Currently, the BPF-based SNAT uses IPV4_MASQUERADE addr for SNAT'ing. This works fine as long as there is a single global scope IP addr. However, if we add multiple IP addrs then only one will be selected.

To improve the selection we could do the bpf_fib_lookup() to determine src IP addr instead. This would also eliminate the IPV4_MASQUERADE. However, the kernel helper might need to be relaxed, as currently it errors out if no L2 neigh entry is found for a nexthop of the given dst IP addr.
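An added userspace model of the two selection strategies discussed above, not Cilium or kernel code: it contrasts a single static masquerade address with a per-destination, route-derived source, including the missing-neighbour failure case. The route table, addresses, `enum fib_ret`, `snat_src_static`, `snat_src_fib` and `strict_neigh` are constructed for illustration; nothing here calls `bpf_fib_lookup()`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

enum fib_ret { FIB_OK, FIB_NO_ROUTE, FIB_NO_NEIGH }; /* hypothetical names */

/* Constructed routes: egress device, preferred source address, and whether
 * the nexthop already has an L2 neighbour entry. */
struct route { uint32_t prefix; uint8_t len; int ifindex; uint32_t prefsrc; int neigh_ok; };

static const struct route fib[] = {
    { IP4(198, 51, 100, 0), 24, 2, IP4(192, 0, 2, 10), 1 },
    { IP4(203, 0, 113, 0),  24, 3, IP4(192, 0, 2, 20), 0 }, /* no neigh yet */
};

/* Stand-in for the single IPV4_MASQUERADE address: same source for any dst. */
uint32_t snat_src_static(uint32_t dst) { (void)dst; return IP4(192, 0, 2, 10); }

/* Longest-prefix match, then report the route's source address.
 * strict_neigh=1 models the helper failing without a neighbour entry;
 * strict_neigh=0 models the relaxation the issue suggests. */
enum fib_ret snat_src_fib(uint32_t dst, int strict_neigh, uint32_t *src)
{
    const struct route *best = NULL;

    for (size_t i = 0; i < sizeof(fib) / sizeof(fib[0]); i++) {
        uint32_t mask = fib[i].len ? ~(uint32_t)0 << (32 - fib[i].len) : 0;
        if ((dst & mask) == fib[i].prefix && (!best || fib[i].len > best->len))
            best = &fib[i];
    }
    if (!best)
        return FIB_NO_ROUTE;   /* caller must not SNAT with an unset source */
    if (strict_neigh && !best->neigh_ok)
        return FIB_NO_NEIGH;
    *src = best->prefsrc;
    return FIB_OK;
}

int main(void)
{
    uint32_t src = 0;
    enum fib_ret r = snat_src_fib(IP4(203, 0, 113, 5), 0, &src);
    printf("ret=%d src=%08x static=%08x\n", (int)r, (unsigned)src,
           (unsigned)snat_src_static(IP4(203, 0, 113, 5)));
    return 0;
}
```

In the model, traffic leaving via device 3 gets a source address that differs from the static one, and the strict variant cannot supply any source until the neighbour entry exists.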

@brb brb added sig/kernel Requires upstream work in the Linux kernel. sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. kind/feature This introduces new functionality. labels Aug 13, 2021
@brb brb self-assigned this Aug 13, 2021
brb added a commit that referenced this issue Aug 24, 2021
The new option is used to specify a device whose globally scoped IP addr
should be used for BPF-based masquerading.

This is a workaround for an environment which uses ECMP for outgoing
traffic and it has a dedicated device whose IP addr should be used for
the masquerading. The workaround is relevant until #17158 has been
resolved (thus, we hide the flag).

Signed-off-by: Martynas Pumputis <m@lambda.lt>
brb added a commit that referenced this issue Sep 6, 2021
The new option is used to specify a device whose globally scoped IP addr
should be used for BPF-based masquerading.

This is a workaround for an environment which uses ECMP for outgoing
traffic via multiple devices and it has a dedicated device whose IP addr
should be used for the masquerading. The workaround is relevant until
#17158 has been resolved (thus, we hide the flag).

Signed-off-by: Martynas Pumputis <m@lambda.lt>
brb added a commit that referenced this issue Sep 15, 2021
christarazi pushed a commit that referenced this issue Sep 16, 2021
@brb brb added this to the 1.12 milestone Sep 28, 2021
jibi pushed a commit that referenced this issue Sep 29, 2021
[ upstream commit d204d78 ]

The new option is used to specify a device whose globally scoped IP addr
should be used for BPF-based masquerading.

This is a workaround for an environment which uses ECMP for outgoing
traffic via multiple devices and it has a dedicated device whose IP addr
should be used for the masquerading. The workaround is relevant until
#17158 has been resolved (thus, we hide the flag).

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Gilberto Bertin <gilberto@isovalent.com>
aanm pushed a commit that referenced this issue Oct 2, 2021
@brb brb mentioned this issue Jan 4, 2022
2 tasks
@brb brb removed this from the 1.12 milestone Jan 21, 2022
@brb brb added this to the 1.12 milestone Feb 10, 2022
@brb brb modified the milestones: 1.12, 1.13 May 10, 2022
@julianwiedmann julianwiedmann added the feature/snat Relates to SNAT or Masquerading of traffic label Sep 7, 2023
@brb brb removed this from the 1.13 milestone Oct 16, 2023
@brb brb removed their assignment Mar 4, 2024
brb commented Mar 4, 2024

Related #17441 (the same required kernel patch is already in).

github-actions bot commented May 4, 2024

This issue has been automatically marked as stale because it has not
had recent activity. It will be closed if no further activity occurs.

@github-actions github-actions bot added the stale The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale. label May 4, 2024
This issue has not seen any activity since it was marked stale.
Closing.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale May 18, 2024
@brb brb reopened this Aug 8, 2024
@ti-mo ti-mo added pinned These issues are not marked stale by our issue bot. and removed stale The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale. labels Aug 8, 2024