bpf/nat: implement support of ICMP4 fragmentation needed at egress #25054
Conversation
|
Commit 554b8c509166cdc94e61a1a41015f93f80f63a2b does not contain "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin |
maintainer-s-little-helper
bot
added
dont-merge/needs-sign-off
github-actions
bot
added
the
kind/community-contribution
liuyuan10
force-pushed
the
icmp-nat-upstream
branch
from
554b8c5
to
77df5cc
Compare
maintainer-s-little-helper
bot
removed
the
dont-merge/needs-sign-off
liuyuan10
force-pushed
the
icmp-nat-upstream
branch
3 times, most recently
from
f954e1f
to
0937f33
Compare
|
/test Job 'Cilium-PR-K8s-1.27-kernel-net-next' failed: Click to show.Test NameFailure OutputJenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.27-kernel-net-next/112/ If it is a flake and a GitHub issue doesn't already exist to track it, comment |
liuyuan10
force-pushed
the
icmp-nat-upstream
branch
from
0937f33
to
758e3b1
Compare
I agree this is not a common use case. But I do think it's good to support ICMP packets in SNAT (e.g. Pods may have iptables rules rejecting traffic with ICMP). With this change, it's just a few lines more to support other ICMP codes |
liuyuan10
force-pushed
the
icmp-nat-upstream
branch
from
758e3b1
to
99ce1df
Compare
The "Datapath BPF Complexity" test passed on the previous iteration with room to spare in the NAT related tail calls, so I think we are good. |
PR cilium#18414 added support for ingress ICMP "need to frag" support to hande those sent by remote routers. This commit mirrors it to support such ICMP sent from endpoints. The use case is that pod is redirecting traffic from the world into a tunnel, which has smaller MTU. It may return a ICMP "frag needed" to the remote server that requires SNAT to happen properly on both outer and inner headers. Signed-off-by: Yuan Liu <liuyuan@google.com>
liuyuan10
force-pushed
the
icmp-nat-upstream
branch
from
99ce1df
to
18627d8
Compare
|
@dylandreimerink what's the next step for this PR? I don't see unresolved comments |
There was a problem hiding this comment.
https://github.com/cilium/cilium/pull/25054/files#r1175491486 was not resolved and you had not re-requested a review, so I thought you might still have some amendments, hence the delay. Though this is such a minor thing that I think everything is good as it is.
Next step is the setting the correct labels which I will do and to run the full test suite once more on the latest changes
dylandreimerink
added
the
release-note/minor
maintainer-s-little-helper
bot
removed
the
dont-merge/needs-release-note-label
|
/test Job 'Cilium-PR-K8s-1.24-kernel-5.4' failed: Click to show.Test NameFailure OutputJenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.24-kernel-5.4/1874/ If it is a flake and a GitHub issue doesn't already exist to track it, comment Then please upload the Jenkins artifacts to that issue. |
Sorry I didn't realize I need to re-request a review. I expect my reply addressed your comment and please mark it resolved if it's ok with you. or let me know if you have other concerns |
|
/mlh new-flake Cilium-PR-K8s-1.24-kernel-5.4 👍 created #25187 |
|
/test-1.24-5.4 |
maintainer-s-little-helper
bot
added
the
ready-to-merge
PR #18414 added support for ingress ICMP "fragmentation needed" support to hande those sent by remote routers. This commit mirrors it to support such ICMP sent from endpoints.
The use case is that pod is redirecting traffic from the world into a tunnel, which has smaller MTU. It may return a ICMP "frag needed" to the remote server that requires SNAT to happen properly on both outer and inner headers.
Address IPv4 "fragmentation needed" part of : #23955