NodePort BPF with L7 netpol is broken for N/S when request is sent to node running SVC backend #21955
Comments
Based on the traces in my environment, I'm not sure rev xlate is being done by bpf_lxc. We tail call into Here are the traces that confirm that rev xlate happens in

We are likely missing the same tail call for the reply traffic when proxy is involved.

I think that would be a good thing in any case:

One more:
Replies by local service backends currently get their revDNAT processing in from-container. There's two problems with that: 1. we have cases where the packet doesn't reach this part of the from-container program (ie. redirect to host proxy), and 2. we're not handling replies by hostns backends at all. So add an additional check for RevDNAT in handle_nat_fwd() at to-netdev, before such an untranslated reply leaves the node. The same is needed for to-overlay, see 3a83623 ("bpf: add support for local NodePort via tunnel"). Fixes: cilium#22659 Fixes: cilium#22838 Fixes: cilium#21955 Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
[ upstream commit 54a8631 ] Replies by local service backends currently get their revDNAT processing in from-container. There's two problems with that: 1. we have cases where the packet doesn't reach this part of the from-container program (ie. redirect to host proxy), and 2. we're not handling replies by hostns backends at all. So add an additional check for RevDNAT in handle_nat_fwd() at to-netdev, before such an untranslated reply leaves the node. The same is needed for to-overlay, see 3a83623 ("bpf: add support for local NodePort via tunnel"). Fixes: #22659 Fixes: #22838 Fixes: #21955 Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: André Martins <andre@cilium.io>
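To make the commit message's point concrete, here is a toy model of the egress-side rev-DNAT check it describes. This is an added example written for this thread, not Cilium's datapath code: the struct layout, the table, the function names (`nodeport_dnat`, `rev_dnat_on_egress`) and the addresses are all assumptions made for illustration and do not correspond to the Cilium BPF API. It shows why a check at the egress hook catches a reply that never went through the from-container path (for instance one emitted by the L7 proxy), and that the check is safe to apply to every outgoing packet because an already-translated or unrelated packet does not match.

```c
/* Added example for this thread, not Cilium code: a toy model of the
 * rev-DNAT check the fix adds at the egress (to-netdev) hook, so that a
 * NodePort reply from a local backend is translated back to the NodePort
 * tuple even when it never traversed from-container (e.g. it was emitted
 * by the L7 proxy). All names, addresses and the table layout are
 * assumptions for illustration and do not match the Cilium BPF API. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Minimal packet: IPv4 addresses in host byte order, TCP ports. */
struct pkt {
    uint32_t saddr, daddr;
    uint16_t sport, dport;
};

/* One recorded NodePort DNAT: which client hit which NodePort tuple, and
 * which local backend it was mapped to. The reply must undo this mapping. */
struct rev_nat_entry {
    bool in_use;
    uint32_t client_addr, svc_addr, backend_addr;
    uint16_t client_port, svc_port, backend_port;
};

#define MAX_ENTRIES 16
static struct rev_nat_entry rev_nat[MAX_ENTRIES];

/* Forward path (stand-in for the N/S NodePort DNAT): rewrite the destination
 * to the chosen backend and remember the mapping. Returns the slot or -1. */
static int nodeport_dnat(struct pkt *p, uint32_t backend_addr, uint16_t backend_port)
{
    for (int i = 0; i < MAX_ENTRIES; i++) {
        if (rev_nat[i].in_use)
            continue;
        rev_nat[i] = (struct rev_nat_entry){
            .in_use = true,
            .client_addr = p->saddr, .client_port = p->sport,
            .svc_addr = p->daddr, .svc_port = p->dport,
            .backend_addr = backend_addr, .backend_port = backend_port,
        };
        p->daddr = backend_addr;
        p->dport = backend_port;
        return i;
    }
    return -1;
}

/* Egress check (the "to-netdev" side of the fix): if a packet about to
 * leave the node is a reply from a recorded backend to a recorded client,
 * restore the NodePort tuple as its source. It does not care which ingress
 * program (or the proxy) produced the reply, and it is idempotent: an
 * already-translated reply no longer matches and is left untouched.
 * Returns true if the packet was rewritten. */
static bool rev_dnat_on_egress(struct pkt *p)
{
    for (int i = 0; i < MAX_ENTRIES; i++) {
        const struct rev_nat_entry *e = &rev_nat[i];
        if (!e->in_use)
            continue;
        if (p->saddr == e->backend_addr && p->sport == e->backend_port &&
            p->daddr == e->client_addr && p->dport == e->client_port) {
            p->saddr = e->svc_addr;
            p->sport = e->svc_port;
            return true;
        }
    }
    return false;
}

static void print_pkt(const char *tag, const struct pkt *p)
{
    printf("%-22s %u.%u.%u.%u:%u -> %u.%u.%u.%u:%u\n", tag,
           (unsigned)(p->saddr >> 24), (unsigned)((p->saddr >> 16) & 0xff),
           (unsigned)((p->saddr >> 8) & 0xff), (unsigned)(p->saddr & 0xff), (unsigned)p->sport,
           (unsigned)(p->daddr >> 24), (unsigned)((p->daddr >> 16) & 0xff),
           (unsigned)((p->daddr >> 8) & 0xff), (unsigned)(p->daddr & 0xff), (unsigned)p->dport);
}

int main(void)
{
    /* Constructed scenario: external client 10.0.0.5 hits NodePort 30080 on
     * node 192.168.1.10; the local backend pod is 10.244.1.7:8080. */
    struct pkt req = { IP4(10, 0, 0, 5), IP4(192, 168, 1, 10), 40000, 30080 };
    print_pkt("request (wire)", &req);
    nodeport_dnat(&req, IP4(10, 244, 1, 7), 8080);
    print_pkt("request (to backend)", &req);

    /* The reply is emitted by the L7 proxy on the pod's behalf, so it skipped
     * the from-container rev-DNAT; the egress check still catches it. */
    struct pkt reply = { IP4(10, 244, 1, 7), IP4(10, 0, 0, 5), 8080, 40000 };
    print_pkt("reply (from proxy)", &reply);
    rev_dnat_on_egress(&reply);
    print_pkt("reply (wire)", &reply);
    return 0;
}
```

The design point is the placement: because the lookup is keyed on the full backend/client tuple, it can run unconditionally on every egress packet, which is what lets one check cover the proxy path, the hostns-backend path and the ordinary pod path without each ingress program needing its own tail call.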
First issue is #21954. The second issue is that the L7 proxy will do the TCP handshake on behalf of the pod meaning that all replies to an outside client won't be rev-DNAT-ed (bpf_lxc is doing rev-DNAT for NodePort BPF). To fix this we should move the rev-DNAT to bpf_host @ eth0, as it was suggested by #17504.

The bonus issue is DSR when an intermediate LB node is hit first. In this case, the IP opt/ext is dropped by the proxy. The fix is to handle the opt / ext in bpf_host (same as rev-DNAT).