egressgw: add support for excludedCIDRs #23448
Conversation
Branch force-pushed from d4f752e to 19a750b.
/test-only --focus="K8sDatapathEgressGatewayTest.*" --k8s_version=1.26 --kernel_version=net-next
Branch force-pushed from 19a750b to 6e77966.
Really excited to see this, @jibi! 🎉
Branch force-pushed from 6e77966 to d340566.
Couple of TODO items:
Nice pull request (as usual 😃)!
My only concern is with the ip rules and routes as I'm not sure I understand the impact there.
Regarding downgrade, should we ensure we get the commit into v1.13 before we merge this? Or alternatively, create a release blocker issue to ensure this PR doesn't end up in v1.14 before v1.13 is ready (in case something comes up and we forget to backport that commit)?
On the same topic, is this something we want in v1.13? (In which case we'll have to backport the commit to v1.12.)
pkg/k8s/apis/cilium.io/client/crds/v2/ciliumegressgatewaypolicies.yaml
Branch force-pushed from 2341c95 to 6610e66.
Only minor comments from me, but the main commit (egressgw: add support for excludedCIDRs) could use some work to make it easier to follow. It's actually fairly simple changes if you already understand the main idea, but it's currently still hard to follow as is.
Looks good to me, thanks!
Branch force-pushed from ab22fa1 to e77dd83.
ExcludedCIDRs can be used in a CiliumEgressGatewayPolicy to express a list of destination CIDRs which will be excluded from the redirection and SNAT logic. Signed-off-by: Gilberto Bertin <jibi@cilium.io>
Handle the case where an egress policy has a gateway IP set to 0: any packet matching such policy should not go through egress gateway redirection/SNAT. Signed-off-by: Gilberto Bertin <jibi@cilium.io>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
which returns the actual destination CIDRs space for a given policy, which is defined by the destination CIDRs minus the excluded ones.

A practical example may be useful here. Let's say a policy specifies:

* destination CIDRs: 1.1.1.0/24
* excluded CIDRs: 1.1.1.1/2

The effective CIDR space for such policy will be the difference between the two 1.1.1.0/24 and 1.1.1.1/24 CIDRs, so:

1.1.1.0/28
1.1.1.16/30
1.1.1.20/31
1.1.1.23/32
1.1.1.24/29
1.1.1.32/27
1.1.1.64/26
1.1.1.128/25

Signed-off-by: Gilberto Bertin <jibi@cilium.io>
This commit renames the forEachEndpointAndDestination method to forEachEndpointAndCIDR, to make it more clear that it iterates over all (destination and excluded) CIDRs of the receiver policy.

Next, it introduces 2 new helpers that allow iterating and matching over all the endpoints and destination CIDRs minus the excluded ones:

* forEachEndpointAndDestinations: works like forEachEndpointAndCIDR, but iterates over destinationCIDRs minus excludedCIDRs
* matchesMinusExcludedCIDRs: works like matches but matches over destinationCIDRs minus excludedCIDRs

Signed-off-by: Gilberto Bertin <jibi@cilium.io>
Add support to the egress gateway manager for the new excludedCIDRs policy property.

The implementation is based on the idea of adding, for each excluded CIDR, "zero" entries to the egress policy map (i.e. entries with the gateway IP set to 0.0.0.0). When traffic is then matched against these entries in the datapath, it will skip altogether all the egress gateway logic.

Fixes: #23002

Signed-off-by: Gilberto Bertin <jibi@cilium.io>
In the callback we use in removeUnusedIpRulesAndRoutes() to match an IP rule to an egress gateway policy, separate the preconditions from the actual matching predicate. Signed-off-by: Gilberto Bertin <jibi@cilium.io>
And rename existing test file to tc_egressgw_snat.c Signed-off-by: Gilberto Bertin <jibi@cilium.io>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
to initialize the egress gateway policies' lpm keys. Signed-off-by: Gilberto Bertin <jibi@cilium.io>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
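The two ideas in the commits above (the effective destination space as "destination CIDRs minus excluded CIDRs", and the "zero" map entries with gateway 0.0.0.0 that a longest-prefix match lands on for excluded destinations) can be exercised together in a small stand-alone program. The code below is an added example written for this page, not Cilium's implementation: `destinationCIDRsMinusExcluded`, `halves`, `subtractOne`, `policyEntry`, `buildEntries` and `lookup` are hypothetical names and types of this example, and the slice-based `lookup` only emulates what an LPM trie map does in the datapath. It reproduces the worked example from the commit message; note that the eight prefixes listed there are exactly 1.1.1.0/24 with the single host 1.1.1.22/32 removed, which is what the example uses as the excluded CIDR.

```go
package main

import (
	"fmt"
	"net/netip"
)

// halves splits a masked prefix p into its two more-specific children
// (lower half first). p must be shorter than its address family's maximum.
func halves(p netip.Prefix) (netip.Prefix, netip.Prefix) {
	bits := p.Bits()
	b := p.Addr().As16()
	off := 0
	if p.Addr().Is4() {
		off = 12 // an IPv4 address sits in the last 4 bytes of the 16-byte form
	}
	b[off+bits/8] |= 0x80 >> (bits % 8) // set the first host bit of p
	hi := netip.AddrFrom16(b).Unmap()
	return netip.PrefixFrom(p.Addr(), bits+1), netip.PrefixFrom(hi, bits+1)
}

// subtractOne returns the prefixes of p not covered by excl, in ascending
// address order, by splitting p until the excluded block is isolated.
func subtractOne(p, excl netip.Prefix) []netip.Prefix {
	p, excl = p.Masked(), excl.Masked()
	if !p.Overlaps(excl) {
		return []netip.Prefix{p} // disjoint: nothing to carve out
	}
	if excl.Bits() <= p.Bits() {
		return nil // excl covers all of p
	}
	lo, hi := halves(p)
	return append(subtractOne(lo, excl), subtractOne(hi, excl)...)
}

// destinationCIDRsMinusExcluded computes the effective destination space of
// a policy: every destination CIDR with every excluded CIDR carved out.
func destinationCIDRsMinusExcluded(dests, excluded []netip.Prefix) []netip.Prefix {
	out := make([]netip.Prefix, 0, len(dests))
	for _, d := range dests {
		out = append(out, d.Masked())
	}
	for _, e := range excluded {
		var next []netip.Prefix
		for _, d := range out {
			next = append(next, subtractOne(d, e)...)
		}
		out = next
	}
	return out
}

// policyEntry is a hypothetical stand-in for one egress policy map entry:
// a destination prefix and the gateway to SNAT through. The unspecified
// address (0.0.0.0) marks a "skip egress gateway" entry.
type policyEntry struct {
	dst netip.Prefix
	gw  netip.Addr
}

// buildEntries mirrors the "zero entry" idea: one entry per destination CIDR
// pointing at the gateway, plus one entry per excluded CIDR with gateway 0.0.0.0.
func buildEntries(dests, excluded []netip.Prefix, gw netip.Addr) []policyEntry {
	var entries []policyEntry
	for _, d := range dests {
		entries = append(entries, policyEntry{d.Masked(), gw})
	}
	for _, e := range excluded {
		entries = append(entries, policyEntry{e.Masked(), netip.IPv4Unspecified()})
	}
	return entries
}

// lookup does a longest-prefix match over the entries, as an LPM trie map
// would. A match whose gateway IsUnspecified() means the destination falls in
// an excluded CIDR and the packet must bypass redirection and SNAT.
func lookup(entries []policyEntry, dst netip.Addr) (gw netip.Addr, matched bool) {
	best := -1
	for i, e := range entries {
		if e.dst.Contains(dst) && (best < 0 || e.dst.Bits() > entries[best].dst.Bits()) {
			best = i
		}
	}
	if best < 0 {
		return netip.Addr{}, false
	}
	return entries[best].gw, true
}

func main() {
	// Constructed sample policy: the commit message's worked example.
	dests := []netip.Prefix{netip.MustParsePrefix("1.1.1.0/24")}
	excluded := []netip.Prefix{netip.MustParsePrefix("1.1.1.22/32")}
	for _, p := range destinationCIDRsMinusExcluded(dests, excluded) {
		fmt.Println(p)
	}
	entries := buildEntries(dests, excluded, netip.MustParseAddr("10.0.0.1"))
	for _, ip := range []string{"1.1.1.22", "1.1.1.23", "8.8.8.8"} {
		gw, ok := lookup(entries, netip.MustParseAddr(ip))
		fmt.Printf("%s -> matched=%v gateway=%v skip=%v\n", ip, ok, gw, ok && gw.IsUnspecified())
	}
}
```

The subtraction recurses on at most (excluded prefix length minus destination prefix length) levels, so a /32 carved out of a /24 yields the eight prefixes from the commit message in ascending order. The lookup half shows why the "zero entries" are enough on their own: because an excluded CIDR is always more specific than the destination CIDR it sits in, the longest-prefix match picks the 0.0.0.0 entry first, and no other datapath change is needed to skip the gateway for that destination.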
Branch force-pushed from e77dd83 to 6cf9629.
/test
🚀 🚀 🚀
/test-1.16-4.19