New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
datapath: Per endpoint routes broken for IPv6 traffic between (remote) node to pod when netpol is applied #23910
Comments
The per-endpoint routes feature is broken with IPv6 when there are any netpols installed (tracked in cilium/cilium#23852 and cilium/cilium#23910). Once both issues are resolved, we can start testing IPv6 with netpols. Signed-off-by: Martynas Pumputis <m@lambda.lt>
The per-endpoint routes feature is broken with IPv6 when there are any netpols installed (tracked in cilium/cilium#23852 and cilium/cilium#23910). Once both issues are resolved, we can start testing IPv6 with netpols. Signed-off-by: Martynas Pumputis <m@lambda.lt>
The per-endpoint routes feature is broken with IPv6 when there are any netpols installed (tracked in cilium/cilium#23852 and cilium/cilium#23910). Once both issues are resolved, we can start testing IPv6 with netpols. Signed-off-by: Martynas Pumputis <m@lambda.lt>
The per-endpoint routes feature is broken with IPv6 when there are any netpols installed (tracked in cilium/cilium#23852 and cilium/cilium#23910). Once both issues are resolved, we can start testing IPv6 with netpols. Signed-off-by: Martynas Pumputis <m@lambda.lt>
The per-endpoint routes feature is broken with IPv6 when there are any netpols installed (tracked in cilium/cilium#23852 and cilium/cilium#23910). Once both issues are resolved, we can start testing IPv6 with netpols. Signed-off-by: Martynas Pumputis <m@lambda.lt>
@brb , do you think we can do the same for ICMP6 NS/ND as ARP? In Lines 1354 to 1360 in 62f72cd
In Lines 2163 to 2165 in 62f72cd
For both directions, our bpf program on lxc doesn't perform policy check for ARP, and I was wondering if it's reasonable to follow this rule and skip policy check for IPv6 NDP at all? If it's acceptable, we won't be bothered by these issues at all. |
I had a similar problem in #22006 Namely, it appeared that when endpoint routes are enabled, we send NS requests using link-local addresses of |
As we are already installing per-endpoint routes, this is simple to install IPv6 neighbour entries in sync. This fixes the neighbour discovery in case endpoint routes and host routing are enabled together (in the opposite case we drop ICMPv6 NA messages from pods as they are destined to link-local addresses, see also cilium#23910 for a similar problem).
As cilium/cilium#2385 and cilium/cilium#23910 has been resolved, we enable IPv6 test for per-endpoint routing. Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
This is a fix for a regression in the local addresses logic, introduced in 080857b as part of the implementation for AddressScopeMax. Addresses with the form of link-local unicast addresses began to be filtered out of the local address aggregation, causing them to labeled with the "world" identity for the sake of policy enforcement. Examples of such addresses include: 169.254.10.10 fe80::1234 This caused issues for a variety of users, whose policies allowing "host" traffic would no longer allow traffic to these addresses, forcing the use of workarounds involving CIDR policies, which is not the intended behavior for this type of address. This was a regression as of Cilium 1.12.0-rc2. One reason for this regression was that logic prior to the change looked at the address scope, whereas logic after the change looked at the address bytes, and it was found that many users had assigned addresses of the forms above but with scope global, causing them to again be filtered unconditionally. This patch factors out the local address filtering logic into a function, removes the skip over IsLinkLocalUnicast(), and adds a variety of unit tests for that function. fixes: #25242 fixes: #23910 fixes: #16308 fixes: #20055 Signed-off-by: Andrew Sauber <andrew.sauber@isovalent.com>
Once fixed, let's remove https://github.com/cilium/cilium-cli/blob/v0.14.1/connectivity/check/test.go#L563. |
This is a fix for a regression in the local addresses logic, introduced in 080857b as part of the implementation for AddressScopeMax. Addresses with the form of link-local unicast addresses began to be filtered out of the local address aggregation, causing them to labeled with the "world" identity for the sake of policy enforcement. Examples of such addresses include: 169.254.10.10 fe80::1234 This caused issues for a variety of users, whose policies allowing "host" traffic would no longer allow traffic to these addresses, forcing the use of workarounds involving CIDR policies, which is not the intended behavior for this type of address. This was a regression as of Cilium 1.12.0-rc2. One reason for this regression was that logic prior to the change looked at the address scope, whereas logic after the change looked at the address bytes, and it was found that many users had assigned addresses of the forms above but with scope global, causing them to again be filtered unconditionally. This patch factors out the local address filtering logic into a function, removes the skip over IsLinkLocalUnicast(), and adds a variety of unit tests for that function. fixes: #25242 fixes: #23910 fixes: #16308 fixes: #20055 Signed-off-by: Andrew Sauber <andrew.sauber@isovalent.com>
This is a fix for a regression in the local addresses logic, introduced in 080857b as part of the implementation for AddressScopeMax. Addresses with the form of link-local unicast addresses began to be filtered out of the local address aggregation, causing them to labeled with the "world" identity for the sake of policy enforcement. Examples of such addresses include: 169.254.10.10 fe80::1234 This caused issues for a variety of users, whose policies allowing "host" traffic would no longer allow traffic to these addresses, forcing the use of workarounds involving CIDR policies, which is not the intended behavior for this type of address. This was a regression as of Cilium 1.12.0-rc2. One reason for this regression was that logic prior to the change looked at the address scope, whereas logic after the change looked at the address bytes, and it was found that many users had assigned addresses of the forms above but with scope global, causing them to again be filtered unconditionally. This patch factors out the local address filtering logic into a function, removes the skip over IsLinkLocalUnicast(), and adds a variety of unit tests for that function. fixes: #25242 fixes: #23910 fixes: #16308 fixes: #20055 Signed-off-by: Andrew Sauber <andrew.sauber@isovalent.com>
[ upstream commit 05b6d82 ] This is a fix for a regression in the local addresses logic, introduced in 080857b as part of the implementation for AddressScopeMax. Addresses with the form of link-local unicast addresses began to be filtered out of the local address aggregation, causing them to labeled with the "world" identity for the sake of policy enforcement. Examples of such addresses include: 169.254.10.10 fe80::1234 This caused issues for a variety of users, whose policies allowing "host" traffic would no longer allow traffic to these addresses, forcing the use of workarounds involving CIDR policies, which is not the intended behavior for this type of address. This was a regression as of Cilium 1.12.0-rc2. One reason for this regression was that logic prior to the change looked at the address scope, whereas logic after the change looked at the address bytes, and it was found that many users had assigned addresses of the forms above but with scope global, causing them to again be filtered unconditionally. This patch factors out the local address filtering logic into a function, removes the skip over IsLinkLocalUnicast(), and adds a variety of unit tests for that function. fixes: cilium#25242 fixes: cilium#23910 fixes: cilium#16308 fixes: cilium#20055 Signed-off-by: Andrew Sauber <andrew.sauber@isovalent.com> Signed-off-by: Tim Horner <timothy.horner@isovalent.com>
[ upstream commit 05b6d82 ] This is a fix for a regression in the local addresses logic, introduced in 080857b as part of the implementation for AddressScopeMax. Addresses with the form of link-local unicast addresses began to be filtered out of the local address aggregation, causing them to labeled with the "world" identity for the sake of policy enforcement. Examples of such addresses include: 169.254.10.10 fe80::1234 This caused issues for a variety of users, whose policies allowing "host" traffic would no longer allow traffic to these addresses, forcing the use of workarounds involving CIDR policies, which is not the intended behavior for this type of address. This was a regression as of Cilium 1.12.0-rc2. One reason for this regression was that logic prior to the change looked at the address scope, whereas logic after the change looked at the address bytes, and it was found that many users had assigned addresses of the forms above but with scope global, causing them to again be filtered unconditionally. This patch factors out the local address filtering logic into a function, removes the skip over IsLinkLocalUnicast(), and adds a variety of unit tests for that function. fixes: #25242 fixes: #23910 fixes: #16308 fixes: #20055 Signed-off-by: Andrew Sauber <andrew.sauber@isovalent.com> Signed-off-by: Tim Horner <timothy.horner@isovalent.com>
The per-endpoint routes feature is broken with IPv6 when there are any netpols installed (tracked in cilium#23852 and cilium#23910). Once both issues are resolved, we can start testing IPv6 with netpols. Signed-off-by: Martynas Pumputis <m@lambda.lt>
Previously, our policy check for IPv6 NDP traffic caused issues such as cilium#23852 and cilium#23910 because this traffic was identified as WORLD_ID, which would be given a verdict of drop when CiliumNetworkPolicy is applied for per-endpoint routing. To resolve this issue, we pass all IPv6 NDP traffic to the stack without policy check. This change aligns with how we handle IPv4 ARP: the cilium bpf never performs policy check for ARP, regardless of whether we enable `ENABLE_ARP_PASSTHROUGH` or `ENABLE_ARP_RESPONDER`. Fixes: cilium#23852 Fixes: cilium#23910 Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
Previously, our policy check for IPv6 NDP traffic caused issues such as #23852 and #23910 because this traffic was identified as WORLD_ID, which would be given a verdict of drop when CiliumNetworkPolicy is applied for per-endpoint routing. To resolve this issue, we pass all IPv6 NDP traffic to the stack without policy check. This change aligns with how we handle IPv4 ARP: the cilium bpf never performs policy check for ARP, regardless of whether we enable `ENABLE_ARP_PASSTHROUGH` or `ENABLE_ARP_RESPONDER`. Fixes: #23852 Fixes: #23910 Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
As cilium/cilium#2385 and cilium/cilium#23910 has been resolved, we enable IPv6 test for per-endpoint routing. Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
Previously, our policy check for IPv6 NDP traffic caused issues such as cilium#23852 and cilium#23910 because this traffic was identified as WORLD_ID, which would be given a verdict of drop when CiliumNetworkPolicy is applied for per-endpoint routing. To resolve this issue, we pass all IPv6 NDP traffic to the stack without policy check. This change aligns with how we handle IPv4 ARP: the cilium bpf never performs policy check for ARP, regardless of whether we enable `ENABLE_ARP_PASSTHROUGH` or `ENABLE_ARP_RESPONDER`. Fixes: cilium#23852 Fixes: cilium#23910 Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
As cilium/cilium#2385 and cilium/cilium#23910 has been resolved, we enable IPv6 test for per-endpoint routing. Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
The ICMPv6 neighbor resolution is striking us again (#23852). When sending a request from a remote node / a local node to the
echo
pod, the ICMPv6 NS is using theecho
's pod veth iface in the host netns IPv6 addr:And of course, it's not recognized by the
to-container
@lxc75bc3f9009e7
:A few possible fixes:
HOST_ID
skb mark in theto-container
section.The text was updated successfully, but these errors were encountered: