bpf/nat: implement support of ICMP4 fragmentation needed at egress #25054
Commit 554b8c509166cdc94e61a1a41015f93f80f63a2b does not contain "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin
Thank you for this work. Seems very nice overall, just a few small things.
I do have some doubts surrounding the complexity/use-case trade off though.
/test
Job 'Cilium-PR-K8s-1.27-kernel-net-next' failed:
Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.27-kernel-net-next/112/
If it is a flake and a GitHub issue doesn't already exist to track it, comment
I agree this is not a common use case. But I do think it's good to support ICMP packets in SNAT (e.g. Pods may have iptables rules rejecting traffic with ICMP). With this change, it's just a few lines more to support other ICMP codes.
The "Datapath BPF Complexity" test passed on the previous iteration with room to spare in the NAT related tail calls, so I think we are good.
PR cilium#18414 added support for ingress ICMP "need to frag" support to handle those sent by remote routers. This commit mirrors it to support such ICMP sent from endpoints. The use case is that pod is redirecting traffic from the world into a tunnel, which has smaller MTU. It may return an ICMP "frag needed" to the remote server that requires SNAT to happen properly on both outer and inner headers.
Signed-off-by: Yuan Liu <liuyuan@google.com>
@dylandreimerink what's the next step for this PR? I don't see unresolved comments.
https://github.com/cilium/cilium/pull/25054/files#r1175491486 was not resolved and you had not re-requested a review, so I thought you might still have some amendments, hence the delay. Though this is such a minor thing that I think everything is good as it is.
Next step is setting the correct labels, which I will do, and to run the full test suite once more on the latest changes.
/test
Job 'Cilium-PR-K8s-1.24-kernel-5.4' failed:
Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.24-kernel-5.4/1874/
If it is a flake and a GitHub issue doesn't already exist to track it, comment Then please upload the Jenkins artifacts to that issue.
Sorry, I didn't realize I need to re-request a review. I expect my reply addressed your comment and please mark it resolved if it's ok with you. Or let me know if you have other concerns.
/mlh new-flake Cilium-PR-K8s-1.24-kernel-5.4 👍 created #25187
/test-1.24-5.4
PR #18414 added support for ingress ICMP "fragmentation needed" support to handle those sent by remote routers. This commit mirrors it to support such ICMP sent from endpoints.
The use case is that pod is redirecting traffic from the world into a tunnel, which has smaller MTU. It may return an ICMP "frag needed" to the remote server that requires SNAT to happen properly on both outer and inner headers.
Address IPv4 "fragmentation needed" part of: #23955
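
An added illustration, not code from this PR or from Cilium's datapath: what SNAT "on both outer and inner headers" means for an egress ICMPv4 "fragmentation needed" error, written as plain userspace C over a constructed packet. The addresses, the NAT port and the names `snat_icmp_frag_needed`, `csum` and `put16` are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed sample: pod 10.0.1.5 tells 198.51.100.7 "frag needed, MTU 1400".
 * Checksum fields are zero; the rewrite below fills them in. */
static uint8_t sample[56] = {
    0x45,0,0,56, 0,0,0,0, 64,1,0,0, 10,0,1,5, 198,51,100,7, /* outer IPv4 */
    3,4,0,0, 0,0,0x05,0x78,                                 /* ICMP 3/4, MTU */
    0x45,0,0x05,0xdc, 0,0,0x40,0, 63,6,0,0,                 /* quoted IPv4 */
    198,51,100,7, 10,0,1,5,                                 /* quoted src, dst */
    0x01,0xbb, 0x9c,0x40, 0,0,0,1 };                        /* quoted TCP 443 -> 40000 */

/* RFC 1071 Internet checksum; returns 0 over data holding a valid checksum. */
static uint16_t csum(const uint8_t *p, size_t len) {
    uint32_t s = 0;
    for (size_t i = 0; i + 1 < len; i += 2) s += (uint32_t)(p[i] << 8 | p[i + 1]);
    if (len & 1) s += (uint32_t)p[len - 1] << 8;
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}
static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }

/* Egress SNAT of ICMPv4 type 3 code 4: outer source and quoted destination
 * become nat_ip, quoted L4 destination port becomes nat_port. 0 on success. */
int snat_icmp_frag_needed(uint8_t *pkt, size_t len, const uint8_t nat_ip[4], uint16_t nat_port) {
    if (len < 20 || pkt[0] >> 4 != 4 || pkt[9] != 1) return -1;
    size_t ihl = (pkt[0] & 0x0f) * 4u;
    if (ihl < 20 || len < ihl + 8 + 20) return -1;
    uint8_t *icmp = pkt + ihl, *in = icmp + 8;
    size_t in_ihl = (in[0] & 0x0f) * 4u;
    if (icmp[0] != 3 || icmp[1] != 4 || in[0] >> 4 != 4 || in_ihl < 20) return -1;
    if (len < ihl + 8 + in_ihl + 8 || (in[9] != 6 && in[9] != 17)) return -1;
    if (memcmp(in + 16, pkt + 12, 4) != 0) return -1; /* quote must target the sender */
    memcpy(pkt + 12, nat_ip, 4);                       /* outer source */
    memcpy(in + 16, nat_ip, 4);                        /* quoted destination */
    put16(in + in_ihl + 2, nat_port);                  /* quoted destination port */
    /* A quoted UDP checksum is left as is: the truncated payload rules out a full recompute. */
    put16(in + 10, 0);   put16(in + 10, csum(in, in_ihl));       /* quoted IP header */
    put16(icmp + 2, 0);  put16(icmp + 2, csum(icmp, len - ihl)); /* ICMP covers the quote */
    put16(pkt + 10, 0);  put16(pkt + 10, csum(pkt, ihl));        /* outer IP header */
    return 0;
}

int main(void) {
    const uint8_t nat_ip[4] = {192, 0, 2, 1};          /* constructed node address */
    int rc = snat_icmp_frag_needed(sample, sizeof sample, nat_ip, 61000);
    printf("rc=%d outer src=%u.%u.%u.%u\n", rc, sample[12], sample[13], sample[14], sample[15]);
    return rc;
}
```

The order of the three checksum updates matters: the ICMP checksum covers the quoted IP header, so the quoted header's checksum has to be final before the ICMP checksum is computed.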