ipmasq: Add support for ip-masq-agent with IPv6 #23219
/test
a7faea8 to 6c0b6b5
6c0b6b5 to 0687cb5
0687cb5 to fdcde3d
5bc0285 to dc50547
Marking as a release blocker so we can discuss it during today's meeting, as it would be great to have it in 1.14 alongside #23165. Current status: blocked on #23165. Has not been into review yet. This PR currently contains the commits from #23165; only the last 7 commits are new here (most of which are small changes).
c6ee164 to ab5ec36
/test
Job 'Cilium-PR-K8s-1.26-kernel-net-next' failed:
Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.26-kernel-net-next/776/
If it is a flake and a GitHub issue doesn't already exist to track it, comment Then please upload the Jenkins artifacts to that issue.
Some nits, otherwise LGTM. Approving to unblock with the understanding that changes are required prior to merge.
@@ -65,7 +65,7 @@ to determine which devices the program is running on: | |||
From the output above, the program is running on the ``eth0`` and ``eth1`` devices. | |||
|
|||
|
|||
The eBPF-based masquerading can masquerade packets of the following IPv4 L4 protocols: | |||
The eBPF-based masquerading can masquerade packets of the following L4 protocols: |
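Review bot: dropping "IPv4" from the sentence "can masquerade packets of the following IPv4 L4 protocols" makes the protocol list that follows read as applying to IPv6 as well. That list is outside the visible context of this hunk, so check that every entry holds for both address families, and if ICMP is among them, name the variant that applies to each family rather than leaving it implicit.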
Out of scope for this PR, but someday I'd love to see a clearer definition of masquerading in the page intro. We just sort of roll right into using it to mean a particular behavior without directly defining what it means when we use it. The current state isn't bad; I only think it could be better.
Looks good to me, one question regarding a part that I don't fully understand.
ab5ec36 to 1017c10
/test
Job 'Cilium-PR-K8s-1.26-kernel-net-next' failed:
Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.26-kernel-net-next/811/
If it is a flake and a GitHub issue doesn't already exist to track it, comment Then please upload the Jenkins artifacts to that issue.
Loader related changes lgtm.
1017c10 to 6a31e0e
/test
6a31e0e to 76318f3
/test
The macro ENABLE_IP_MASQ_AGENT is used to guard the ip-masq-agent code for IPv4 only, rename it accordingly. This is in prevision for IPv6 support for the ip-masq-agent.

Signed-off-by: Quentin Monnet <quentin@isovalent.com>

Currently, the ip-masq-agent only works with IPv4. In preparation for IPv6 support, rename some internal variables and functions by adding an "IPv4" suffix. The following are affected:

- ipmasq.IPMasqAgent.masqLinkLocal
- ipmasq.MapName
- ipmasq.MaxEntries
- ipmasq.config.MasqLinkLocal
- ipmasq.ipMasqMapMock.cidrs
- ipmasq.key
- ipmasq.keyToIPNet
- ipmasq.linkLocalCIDR
- ipmasq.linkLocalCIDRStr
- ipmasq.once

No functional change.

Signed-off-by: Quentin Monnet <quentin@isovalent.com>

Add support for ip-masq-agent with IPv6 to the BPF datapath. The required edits are small, and replicate what the datapath does for IPv4. This code, guarded by ENABLE_IP_MASQ_AGENT_IPV6, is not enabled by the Agent yet.

Signed-off-by: Quentin Monnet <quentin@isovalent.com>

Add the relevant map definition and the corresponding handling in package ipmasq for supporting IPv6 with the ip-masq-agent. We get a new BPF map for storing entries that we do not want to masquerade. The maximum number of entries is the same as for the IPv4-related map, and will be made customisable in a future commit.

Handling of the map is nearly identical to the one for IPv4. From the outside of the ipmasq package, the IPMasqBPFMap abstraction hides the fact that the maps are distinct, its methods take care of identifying the IP version in use for the CIDRs passed in arguments and to update the relevant map. Option "nonMasqueradeCIDRs" is supported transparently as well.

Support for option "masqLinkLocalIPv6" is added. By default, the ip-masq-agent prevents masquerading to CIDR fe80::/10, as described in [0], based on RFC 4291.

However, at this point, the Agent still refuses to accept configurations using IPv6 and ip-masq-agent, so this code is not used just yet.

[0] https://github.com/kubernetes-sigs/ip-masq-agent#configuring-the-agent

Signed-off-by: Quentin Monnet <quentin@isovalent.com>

Enable ip-masq-agent support for IPv6 in the Cilium Agent:

- Make the Agent accept IPv6 _and_ ip-masq-agent in its configuration.
- Similarly, make the daemon accept IPv6 with the ip-masq-agent.
- Create the IPv6-related BPF map on Agent startup.
- When IPv6 and the ip-masq-agent are selected, pass the relevant macro to the datapath to process packets accordingly.

Related updates:

- Display the maximum number of entries for the IPv6-related map in the status command.
- Update the documentation.
- Add the (commented) Helm value.

Signed-off-by: Quentin Monnet <quentin@isovalent.com>

Extend the existing tests for ip-masq-agent to test the IPv6 infrastructure. In addition to update and restore operations for IPv4, we add the equivalent for IPv6-only, and for when both IPv4 and IPv6 are enabled.

Signed-off-by: Quentin Monnet <quentin@isovalent.com>

The ip-masq-agent for BPF masquerading is now supported with IPv6. Extend the tests to make sure that it behaves as expected. We simply reuse the setup for the IPv4 test, and attempt to connect to the echo server using IPv6.

Signed-off-by: Quentin Monnet <quentin@isovalent.com>
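
The per-family split of "nonMasqueradeCIDRs" and the link-local defaults described in the map-handling commit message above, sketched as an added example; it is not code from this PR or from Cilium. The names `config`, `nonMasqSets`, `build` and `masquerade` are hypothetical, Go slices stand in for the two BPF maps, and the IPv4 link-local range 169.254.0.0/16 is taken from the upstream ip-masq-agent option `masqLinkLocal`, not from this page.

```go
package main

import (
	"fmt"
	"net/netip"
)

// config mirrors the ip-masq-agent options (hypothetical Go type).
type config struct {
	NonMasqueradeCIDRs []string
	MasqLinkLocal      bool // true: masquerade traffic to 169.254.0.0/16
	MasqLinkLocalIPv6  bool // true: masquerade traffic to fe80::/10
}

type nonMasqSets map[bool][]netip.Prefix // stand-in for the per-family BPF maps; key: is IPv4

// build files each CIDR under its IP family and adds the link-local defaults.
func build(c config) (nonMasqSets, error) {
	cidrs := append([]string{}, c.NonMasqueradeCIDRs...)
	if !c.MasqLinkLocal {
		cidrs = append(cidrs, "169.254.0.0/16")
	}
	if !c.MasqLinkLocalIPv6 {
		cidrs = append(cidrs, "fe80::/10")
	}
	s := nonMasqSets{}
	for _, str := range cidrs {
		p, err := netip.ParsePrefix(str)
		if err != nil {
			return nil, fmt.Errorf("bad CIDR %q: %w", str, err)
		}
		is4 := p.Addr().Is4()
		s[is4] = append(s[is4], p.Masked())
	}
	return s, nil
}

// masquerade reports whether traffic to dst would be source-NATed.
func (s nonMasqSets) masquerade(dst netip.Addr) bool {
	for _, p := range s[dst.Is4()] { // only the matching family is consulted
		if p.Contains(dst) {
			return false
		}
	}
	return true
}

func main() { // constructed sample: only IPv6 link-local masquerading is opted in
	s, err := build(config{NonMasqueradeCIDRs: []string{"10.0.0.0/8", "fd00::/8"}, MasqLinkLocalIPv6: true})
	fmt.Println(s.masquerade(netip.MustParseAddr("fe80::1")), err)
}
```

Because the two link-local switches are independent, a configuration can keep 169.254.0.0/16 exempt while masquerading fe80::/10, which is worth checking when reviewing what source addresses a peer will see.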
76318f3 to 2c71115
/test
Follow-up to #23165