ipmasq: Add support for ip-masq-agent with IPv6 #23219
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
qmonnet
added
sig/datapath
|
/test |
qmonnet
force-pushed
the
pr/ipv6-masq-agent
branch
2 times, most recently
from
a7faea8
to
6c0b6b5
Compare
qmonnet
force-pushed
the
pr/ipv6-masq-agent
branch
from
6c0b6b5
to
0687cb5
Compare
This comment was marked as outdated.
This comment was marked as outdated.
github-actions
bot
added
the
stale
qmonnet
removed
the
stale
qmonnet
force-pushed
the
pr/ipv6-masq-agent
branch
from
0687cb5
to
fdcde3d
Compare
qmonnet
force-pushed
the
pr/ipv6-masq-agent
branch
2 times, most recently
from
5bc0285
to
dc50547
Compare
|
Marking as a release blocker so we can discuss it during today's meeting, as it would be great to have it in 1.14 alongside #23165. Current status: blocked on #23165. Has not been into review yet. This PR currently contains the commits from #23165; only the last 7 commits are new here (most of which are small changes). |
qmonnet
added
the
release-blocker/1.14
This was referenced Jun 8, 2023
qmonnet
force-pushed
the
pr/ipv6-masq-agent
branch
3 times, most recently
from
c6ee164
to
ab5ec36
Compare
|
/test Job 'Cilium-PR-K8s-1.26-kernel-net-next' failed: Click to show.Test NameFailure OutputJenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.26-kernel-net-next/776/ If it is a flake and a GitHub issue doesn't already exist to track it, comment Then please upload the Jenkins artifacts to that issue. |
qmonnet
removed
the
dont-merge/blocked
zacharysarah
approved these changes
Jun 14, 2023
| @@ -65,7 +65,7 @@ to determine which devices the program is running on: | |||
| From the output above, the program is running on the ``eth0`` and ``eth1`` devices. | |||
|
|
|||
|
|
|||
| The eBPF-based masquerading can masquerade packets of the following IPv4 L4 protocols: | |||
| The eBPF-based masquerading can masquerade packets of the following L4 protocols: | |||
There was a problem hiding this comment.
Out of scope for this PR, but someday I'd love to see a clearer definition of masquerading in the page intro. We just sort of roll right into using it to mean a particular behavior without directly defining what it means when we use it. The current state isn't bad; I only think it could be better.
gentoo-root
approved these changes
Jun 14, 2023
qmonnet
force-pushed
the
pr/ipv6-masq-agent
branch
from
ab5ec36
to
1017c10
Compare
|
/test Job 'Cilium-PR-K8s-1.26-kernel-net-next' failed: Click to show.Test NameFailure OutputJenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.26-kernel-net-next/811/ If it is a flake and a GitHub issue doesn't already exist to track it, comment Then please upload the Jenkins artifacts to that issue. |
rgo3
approved these changes
Jun 14, 2023
nebril
approved these changes
Jun 14, 2023
qmonnet
force-pushed
the
pr/ipv6-masq-agent
branch
from
1017c10
to
6a31e0e
Compare
|
/test |
qmonnet
force-pushed
the
pr/ipv6-masq-agent
branch
from
6a31e0e
to
76318f3
Compare
|
/test |
The macro ENABLE_IP_MASQ_AGENT is used to guard the ip-masq-agent code for IPv4 only, rename it accordingly. This is in prevision for IPv6 support for the ip-masq-agent. Signed-off-by: Quentin Monnet <quentin@isovalent.com>
Currently, the ip-masq-agent only works with IPv4. In preparation for IPv6 support, rename some internal variables and functions by adding an "IPv4" suffix. The following are affected: - ipmasq.IPMasqAgent.masqLinkLocal - ipmasq.MapName - ipmasq.MaxEntries - ipmasq.config.MasqLinkLocal - ipmasq.ipMasqMapMock.cidrs - ipmasq.key - ipmasq.keyToIPNet - ipmasq.linkLocalCIDR - ipmasq.linkLocalCIDRStr - ipmasq.once No functional change. Signed-off-by: Quentin Monnet <quentin@isovalent.com>
Add support for ip-masq-agent with IPv6 to the BPF datapath. The required edits are small, and replicate what the datapath does for IPv4. This code, guarded by ENABLE_IP_MASQ_AGENT_IPV6, is not enabled by the Agent yet. Signed-off-by: Quentin Monnet <quentin@isovalent.com>
Add the relevant map definition and the corresponding handling in package ipmasq for supporting IPv6 with the ip-masq-agent. We get a new BPF map for storing entries that we do not want to masquerade. The maximum number of entries is the same as for the IPv4-related map, and will be made customisable in a future commit. Handling of the map is nearly identical to the one for IPv4. From the outside of the ipmasq package, the IPMasqBPFMap abstraction hides the fact that the maps are distinct, its methods take care of identifying the IP version in use for the CIDRs passed in arguments and to update the relevant map. Option "nonMasqueradeCIDRs" is supported transparently as well. Support for option "masqLinkLocalIPv6" is added. By default, the ip-masq-agent prevents masquerading to CIDR fe80::/10, as described in [0], based on RFC 4291. However, at this point, the Agent still refuses to accept configurations using IPv6 and ip-masq-agent, so this code is not used just yet. [0] https://github.com/kubernetes-sigs/ip-masq-agent#configuring-the-agent Signed-off-by: Quentin Monnet <quentin@isovalent.com>
Enable ip-masq-agent support for IPv6 in the Cilium Agent: - Make the Agent accept IPv6 _and_ ip-masq-agent in its configuration. - Similarly, make the daemon accept IPv6 with the ip-masq-agent. - Create the IPv6-related BPF map on Agent startup. - When IPv6 and the ip-masq-agent are selected, pass the relevant macro to the datapath to process packets accordingly. Related updates: - Display the maximum number of entries for the IPv6-related map in the status command. - Update the documentation. - Add the (commented) Helm value. Signed-off-by: Quentin Monnet <quentin@isovalent.com>
Extend the existing tests for ip-masq-agent to test the IPv6 infrastructure. In addition of update and restore operations for IPv4, we add the equivalent for IPv6-only, and for when both IPv4 and IPv6 are enabled. Signed-off-by: Quentin Monnet <quentin@isovalent.com>
The ip-masq-agent for BPF masquerasing is now supported with IPv6. Extend the tests to make sure that it behaves as expected. We simply reuse the setup for the IPv4 test, and attempt to connect to the echo server using IPv6. Signed-off-by: Quentin Monnet <quentin@isovalent.com>
qmonnet
force-pushed
the
pr/ipv6-masq-agent
branch
from
76318f3
to
2c71115
Compare
|
/test |
This was referenced Jun 14, 2023
maintainer-s-little-helper
bot
added
the
ready-to-merge
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Follow-up to #23165