datapath: pass IPv6 NDP traffic to stack without policy check #24919
Conversation
Force-pushed 181f4bc to f8f26de
Force-pushed f8f26de to f45a61e
SGTM! Just one question: for which packets would the built-in responder still be used?
All the ICMPv6 NS packets from containers are handled by the responder, while NS in the opposite direction, from host to container, is handled by the kernel. The bpf program looks up the endpoints map by the NS target IPv6 address, then sends back an ICMPv6 NA after amending the packet payload in place. Because the container's IPv6 routing gateway is set to the host router IPv6 address, almost all NS packets from containers target the host router IPv6, and the responder composes the NA with the lxc L2 address. As mentioned in #23852 (comment), simply removing the NS responder doesn't make the kernel capable of handling these NS packets. I managed to remove the responder in a draft PR https://github.com/cilium/cilium/pull/24778/files by changing the IPv6 gateway address inside each container at CNI runtime; it worked, despite breaking the Docker CNM plugin, but my main concern is that we must introduce a new option like
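To make the mechanics above concrete, here is a minimal, hypothetical tc/BPF sketch (not Cilium's actual datapath code) of the classification and endpoint-map lookup step described in the comment. The map name `endpoints_v6`, its key/value layout, and the section and function names are assumptions for the example; the in-place NS-to-NA rewrite (L2/L3 address swap, option rewrite, checksum fix-up) that the real responder performs is deliberately omitted.

```c
/* Hypothetical sketch, not Cilium's actual code: recognize an ICMPv6
 * Neighbor Solicitation and look up its target address in an assumed
 * endpoints map. */
#include <linux/bpf.h>
#include <linux/if_ether.h>
#include <linux/in6.h>
#include <linux/ipv6.h>
#include <linux/icmpv6.h>
#include <linux/pkt_cls.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_endian.h>

#define ICMPV6_NS_TYPE 135   /* RFC 4861 Neighbor Solicitation */

struct endpoint_info {                     /* hypothetical value type */
	__u8 mac[6];
	__u8 pad[2];
};

struct {
	__uint(type, BPF_MAP_TYPE_HASH);
	__type(key, struct in6_addr);      /* NS target address */
	__type(value, struct endpoint_info);
	__uint(max_entries, 65536);
} endpoints_v6 SEC(".maps");               /* hypothetical map name */

SEC("tc")
int handle_ns_from_container(struct __sk_buff *skb)
{
	void *data = (void *)(long)skb->data;
	void *data_end = (void *)(long)skb->data_end;

	struct ethhdr *eth = data;
	if ((void *)(eth + 1) > data_end ||
	    eth->h_proto != bpf_htons(ETH_P_IPV6))
		return TC_ACT_OK;

	struct ipv6hdr *ip6 = (void *)(eth + 1);
	if ((void *)(ip6 + 1) > data_end || ip6->nexthdr != IPPROTO_ICMPV6)
		return TC_ACT_OK;

	/* For NS, the 8-byte ICMPv6 header (type, code, checksum, reserved)
	 * is followed directly by the 16-byte target address. */
	struct icmp6hdr *icmp6 = (void *)(ip6 + 1);
	struct in6_addr *target = (void *)(icmp6 + 1);
	if ((void *)(target + 1) > data_end)
		return TC_ACT_OK;
	if (icmp6->icmp6_type != ICMPV6_NS_TYPE)
		return TC_ACT_OK;

	struct endpoint_info *ep = bpf_map_lookup_elem(&endpoints_v6, target);
	if (ep) {
		/* A real responder would rewrite this packet in place into an
		 * NA advertising ep->mac and send it back toward the sender;
		 * that rewrite is omitted here. */
	}
	return TC_ACT_OK;
}

char _license[] SEC("license") = "GPL";
```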
/test
Hold on, there are more places that use the ND responder, for example the ingress of eth0 when nodeport / wireguard / host firewall is enabled. That causes #14509, because our responder sets the NA packet's source IPv6 to the router IP, and some users have complained about this behavior because their firewall/anti-spoofing filter doesn't recognize the router IP and drops these NA packets as a result. I think I still need to remove the ND responder to address that issue, but this PR can be independent of that. This PR is adequate to address #23910 and #23852; I'll open a new PR to remove the responder.
Thanks!
Force-pushed f45a61e to 4f45052
/test
/ci-ginkgo
Can this fix be backported to 1.13? PS: I tried to cherry-pick this PR and this one #24921 on top of
@tamilmani1989 I'm not sure, because all of that work is based on #23445, which is not likely to be backported to 1.13.
Previously, our policy check for IPv6 NDP traffic caused issues such as #23852 and #23910 because this traffic was identified as WORLD_ID, which would be given a verdict of drop when CiliumNetworkPolicy is applied for per-endpoint routing.

To resolve this issue, we pass all IPv6 NDP traffic to the stack without a policy check.

This change aligns with how we handle IPv4 ARP: the cilium bpf never performs a policy check for ARP, regardless of whether we enable `ENABLE_ARP_PASSTHROUGH` or `ENABLE_ARP_RESPONDER`.

Fixes: #23852
Fixes: #23910

Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
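As a rough illustration of what "pass NDP traffic to the stack before the policy check" means at the BPF level, here is a minimal, hypothetical tc/BPF sketch. The `from_container` entry point, the `policy_check()` stub, and the section name are placeholders and not the actual Cilium datapath code; extension headers and other real-world details are ignored.

```c
/* Minimal sketch of the idea in this change (not Cilium's actual code):
 * classify ICMPv6 NDP messages (types 133-137) and let them pass to the
 * kernel stack before any policy verdict, mirroring how ARP is never
 * subject to policy for IPv4. */
#include <linux/bpf.h>
#include <linux/if_ether.h>
#include <linux/in6.h>
#include <linux/ipv6.h>
#include <linux/icmpv6.h>
#include <linux/pkt_cls.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_endian.h>

/* RFC 4861 Neighbor Discovery message types */
#define NDP_TYPE_MIN 133   /* Router Solicitation */
#define NDP_TYPE_MAX 137   /* Redirect */

static __always_inline int is_ipv6_ndp(struct __sk_buff *skb)
{
	void *data = (void *)(long)skb->data;
	void *data_end = (void *)(long)skb->data_end;

	struct ethhdr *eth = data;
	if ((void *)(eth + 1) > data_end ||
	    eth->h_proto != bpf_htons(ETH_P_IPV6))
		return 0;

	struct ipv6hdr *ip6 = (void *)(eth + 1);
	if ((void *)(ip6 + 1) > data_end || ip6->nexthdr != IPPROTO_ICMPV6)
		return 0;

	struct icmp6hdr *icmp6 = (void *)(ip6 + 1);
	if ((void *)(icmp6 + 1) > data_end)
		return 0;

	return icmp6->icmp6_type >= NDP_TYPE_MIN &&
	       icmp6->icmp6_type <= NDP_TYPE_MAX;
}

/* Placeholder for the per-endpoint policy verdict. */
static __always_inline int policy_check(struct __sk_buff *skb)
{
	return TC_ACT_OK;
}

SEC("tc")
int from_container(struct __sk_buff *skb)
{
	/* NDP plays the role for IPv6 that ARP plays for IPv4, so hand it
	 * to the stack before computing any policy verdict. */
	if (is_ipv6_ndp(skb))
		return TC_ACT_OK;

	return policy_check(skb);
}

char _license[] SEC("license") = "GPL";
```

The important part is the ordering: NDP is classified and returned to the stack before the identity/policy logic runs, so a CiliumNetworkPolicy can never drop neighbor discovery the way it previously could when NDP was attributed to WORLD_ID.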