
bpf/wireguard: always lookup src identity #24903

Merged
merged 1 commit into from Apr 17, 2023

Conversation

@3u13r (Contributor) commented Apr 14, 2023

When WireGuard node encryption is enabled, src is never set. Therefore, the unguarded check in line 97 always evaluates to true and no traffic is encrypted.

This commit fixes this bug by always looking up the src identity, independent of whether WireGuard node encryption is enabled or not.

Fixes: 17419c9 ("bpf/wireguard: Skip encryption for cluster-external traffic")


I didn't (re-)add any tests, since they only recently were moved from test/k8s into the CI. Note that the deleted WireGuard Pod2pod encryption tests (in test/k8s/datapath_configuration) successfully find the issue by additionally enabling node encryption in the helm values.

Note that this bug didn't make it into any release.

Fix bug that causes traffic not to be encrypted when WireGuard node encryption is enabled.

When WireGuard node encryption is enabled, src is never set. Therefore,
the unguarded check in line 97 always evaluates to true and no traffic
is encrypted.

This commit fixes this bug by always looking up the src identity,
independent of whether WireGuard node encryption is enabled or not.

Fixes: 17419c9 ("bpf/wireguard: Skip encryption for cluster-external traffic")
Signed-off-by: Leonard Cohnen <lc@edgeless.systems>
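As an added example (not Cilium's BPF datapath code and not part of this PR), the following stand-alone C program models the failure mode described above: the src identity lookup is gated on node encryption being disabled, while the "cluster-external, skip encryption" check that consumes src runs unconditionally. With src left at its zero initial value, every packet is classified as external and none is encrypted. The identity numbering, the ipcache stand-in table, the helper names and the exact shape of the external check are assumptions made for illustration; the packet sample is constructed.

```c
/* Added example: a simplified, stand-alone C model of the bug this PR fixes.
 * It is not Cilium's BPF datapath code. The identity numbering, the ipcache
 * stand-in table, the helper names and the exact shape of the
 * "cluster-external" check are assumptions made for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed identity numbering: 0 = unknown, 1 = host/node, 2 = world,
 * anything >= 256 = a pod identity. */
#define ID_UNKNOWN  0u
#define ID_HOST     1u
#define ID_WORLD    2u
#define ID_MIN_POD  256u

/* The node-encryption build option, modelled as a runtime flag here. */
struct cfg {
    bool node_encryption;
};

/* "Cluster identity" = host or pod; world and unknown count as external. */
static bool identity_is_cluster(uint32_t id)
{
    return id == ID_HOST || id >= ID_MIN_POD;
}

/* Stand-in for the ipcache lookup; a constructed table, not real data:
 * 10.0.0.0/8 -> pod identity, 192.168.1.1 -> the local node, else world. */
static uint32_t lookup_src_identity(uint32_t src_ip)
{
    if ((src_ip >> 24) == 10u)
        return ID_MIN_POD + (src_ip & 0xffu);
    if (src_ip == 0xC0A80101u)
        return ID_HOST;
    return ID_WORLD;
}

/* Pre-fix logic: the lookup is skipped when node encryption is on, but the
 * check that consumes src is unconditional. With src left at ID_UNKNOWN,
 * identity_is_cluster() is false for every packet, so nothing is encrypted. */
static bool should_encrypt_before(const struct cfg *c, uint32_t src_ip)
{
    uint32_t src = ID_UNKNOWN;

    if (!c->node_encryption)
        src = lookup_src_identity(src_ip);

    if (!identity_is_cluster(src))   /* unguarded: always true when src == 0 */
        return false;                /* treated as cluster-external: skip */
    return true;
}

/* Post-fix logic: always resolve src, then apply the same external check. */
static bool should_encrypt_after(const struct cfg *c, uint32_t src_ip)
{
    uint32_t src = lookup_src_identity(src_ip);

    (void)c;   /* node encryption no longer gates the lookup */
    if (!identity_is_cluster(src))
        return false;
    return true;
}

/* Counts how many packets of a constructed sample a policy would encrypt.
 * A datapath test that enables node encryption should expect the in-cluster
 * packets (two of three here) to be counted; the pre-fix logic returns 0. */
static int count_encrypted(bool (*policy)(const struct cfg *, uint32_t),
                           const struct cfg *c)
{
    const uint32_t sample[] = { 0x0A000005u,   /* 10.0.0.5, pod */
                                0xC0A80101u,   /* 192.168.1.1, node */
                                0x08080808u }; /* 8.8.8.8, world */
    int n = 0;

    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        n += policy(c, sample[i]) ? 1 : 0;
    return n;
}

int main(void)
{
    struct cfg off = { .node_encryption = false };
    struct cfg on  = { .node_encryption = true };

    printf("pre-fix,  node encryption off: %d/3 encrypted\n",
           count_encrypted(should_encrypt_before, &off));
    printf("pre-fix,  node encryption on : %d/3 encrypted\n",
           count_encrypted(should_encrypt_before, &on));
    printf("post-fix, node encryption on : %d/3 encrypted\n",
           count_encrypted(should_encrypt_after, &on));
    return 0;
}
```

The property worth asserting in a regression test is the one the author's note about the deleted Pod2pod tests points at: with node encryption enabled, pod-to-pod and node-to-node packets must still be selected for encryption while world traffic is skipped. The pre-fix policy only passes that check when node encryption is off, which is why enabling it in the helm values exposes the bug.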
@3u13r 3u13r requested a review from a team as a code owner April 14, 2023 15:11
@3u13r 3u13r requested a review from ldelossa April 14, 2023 15:11
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Apr 14, 2023
@github-actions github-actions bot added the kind/community-contribution This was a contribution made by a community member. label Apr 14, 2023
@pchaigno pchaigno added kind/bug This is a bug in the Cilium logic. area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. release-note/misc This PR makes changes that have no direct user impact. labels Apr 16, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot removed dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Apr 16, 2023
@pchaigno (Member) left a comment


😱

Thanks for fixing!

@pchaigno (Member) commented Apr 16, 2023

/test

Job 'Cilium-PR-K8s-1.24-kernel-5.4' failed:


Test Name

K8sDatapathConfig Host firewall With VXLAN

Failure Output

FAIL: Failed to reach 10.0.0.133:80 from testclient-host-kj4cw

Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.24-kernel-5.4/1777/

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.24-kernel-5.4 so I can create one.

Job 'Cilium-PR-K8s-1.26-kernel-net-next' failed:


Test Name

K8sUpdates Tests upgrade and downgrade from a Cilium stable image to master

Failure Output

FAIL: Expected

Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.26-kernel-net-next/1846/

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.26-kernel-net-next so I can create one.

@pchaigno (Member) commented

k8s-1.24-kernel-5.4 failed with known flake #16122; k8s-1.26-kernel-net-next hit known flake #24514. Marking ready to merge.

This regression should have been detected by the ConformanceDatapath workflow. I'm fixing that in #24918.

@pchaigno pchaigno added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Apr 17, 2023
@pchaigno pchaigno merged commit a225c8a into cilium:master Apr 17, 2023
56 of 58 checks passed
@burgerdev burgerdev deleted the fix/wireguard/n2n branch January 24, 2024 17:00