New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
bpf/nat: fix current behavior that is silently ignoring errors in a revSNAT context #19753
Conversation
a706022
to
36e6ce6
Compare
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
Considering #20425, this PR might be not needed. Moving to draft for now. |
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
cc @YutaroHayakawa , as you recently introduced the same checks for |
/test |
The change is replacing DROP_NAT_UNSUPP_PROTO for rev-SNAT context. Any returns using DROP_NAT_UNSUPP_PROTO will be replaced with NAT_PUNT_TO_STACK. In case that rev-SNAT is not supporting a protocol we want the process to continue anyway processing the packet to the main path, considering that an other layer may use it. NOTE: This does not add any functional changes and keeps the current behavior that looks to be the less intrusive. Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@industrialdiscipline.com>
The current behavior is re-circling back to the main path for all errors returned from the rev-SNAT process, eg. when the revSNAT code tries to rewrite the packet headers. In this commit we have determined errors from a rev-SNAT context to only accept those that are legitimate. This fix try to be conservative, for that is still accepts DROP_NAT_NO_MAPPING where in a normal situation should never happen. Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@industrialdiscipline.com>
This has been suggested by @zacharysarah Co-authored-by: sarah@corleissen.com Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@industrialdiscipline.com>
/test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
FWIW, I have a feeling we might want to promote this to |
I've changed this to |
In the past we would just pass up packets with unknown protocols, and let the next layer (or the stack) deal with them. cilium#19753 recently added error handling for the revSNAT paths, so that we can catch errors while eg. rewriting the packet headers. But we want to preserve the old behaviour of tolerating unknown protocol types. So return NAT_PUNT_TO_STACK from a few additional ICMP paths. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
In the past we would just pass up packets with unknown protocols, and let the next layer (or the stack) deal with them. cilium#19753 recently added error handling for the revSNAT paths, so that we can catch errors while eg. rewriting the packet headers. But we want to preserve the old behaviour of tolerating unknown protocol types. So return NAT_PUNT_TO_STACK from a few additional ICMP paths. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
In the past we would just pass up packets with unknown protocols, and let the next layer (or the stack) deal with them. #19753 recently added error handling for the revSNAT paths, so that we can catch errors while eg. rewriting the packet headers. But we want to preserve the old behaviour of tolerating unknown protocol types. So return NAT_PUNT_TO_STACK from a few additional ICMP paths. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
The PR is fixing current behavior of nodeport in context of a revSNAT that is silently ignoring errors to process them to the main path anyway.
point of view to only accept those that are legitimate.