New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
bpf: nat: Make snat_v6_needed() get on par with snat_v4_prepare_state() #26236
Conversation
c4b5341
to
3d12ebe
Compare
/test |
Woops, I mixed up my lists! The bit about churn still holds, but for now there's still some room for wiggle room around including enhancements, particularly if you think it'll help the 1.14 maintenance cycle post-release. |
Thanks @joestringer for your comment and explanations! Yes, I'm aware of the feature freeze and lower churn phase. Our current labels don't allow us to make the distinction between “we absolutely need this for the release”, and “this is maybe not essential, but important enough that I would like some careful consideration on whether we should include this, and not let it slip unnoticed”. This PR would fall into the second category, I'd say. I do believe it's an enhancement worth having, as it would bring IPv4 and IPv6 paths closer and make it easier to maintain in the future. One additional consideration is that I'm not currently sure of whether the check on |
3d12ebe
to
87a6023
Compare
/test |
87a6023
to
372a90d
Compare
/test |
372a90d
to
9784475
Compare
/test |
5762574
to
9bb7f55
Compare
👋 thanks! Not sure I will manage to get in a proper review today, but some notes:
|
9bb7f55
to
7bcf569
Compare
Yes, I think you're right. Otherwise we won't have the gateway/router IP when leaving through the tunnel. I've added a commit to fix this.
It is. And yes you're right again, I think this is because the IPv6 masquerading PR didn't pick up the update in that function. I've also added a commit to fix this. Thanks a lot for the preliminary comments, I'm looking forward to the review 😄 |
Given the fixes mentioned above, I'll change the type for this PR to |
Looks like I messed up when reordering commits, and I've got one that doesn't compile. I'll try to fix this in the evening. |
We recently implemented snat_v6_needed() in the datapath to determine whether we need SNAT for IPv6 masquerading; but the function was written long before it was merged and was based on snat_v4_needed(), which has since been consolidated and renamed as snat_v4_prepare_state(), and changed again to prepare for Egress Gateway. The objective of this commit is to bring the two functions closer, to make the datapath more consistent and to make it simpler to support Egress Gateway with IPv6 in the future. Here we replicate the change done for IPv4 in commit cdfc30d ("bpf: egressgw: sync logic to determine if destination is outside cluster"): in the context of Egress Gateway, the check on the traffic leaving the cluster, relying on ipv6_addr_in_net() under IPV6_SNAT_EXCLUSION_DST_CIDR, may incorrectly exclude some trafic from Egress Gateway SNAT. So we move the test above the IPV6_SNAT_EXCLUSION_DST_CIDR block. See the IPv4 commit for more details. Signed-off-by: Quentin Monnet <quentin@isovalent.com>
We recently implemented snat_v6_needed() in the datapath to determine whether we need SNAT for IPv6 masquerading; but the function was written long before it was merged and was based on snat_v4_needed(), which has since been consolidated and renamed as snat_v4_prepare_state(), and changed again to prepare for Egress Gateway. The objective here is to bring snat_v6_needed() slightly closer to snat_v4_prepare_state(), by passing "target" instead of "target.addr" from nodeport_snat_fwd_ipv6(), as done in IPv4 for 4532996 ("bpf: nat: always track egress gateway connections"). This should help track Egress Gateway connections in the future, although this is not supported at this time. No functional change. Signed-off-by: Quentin Monnet <quentin@isovalent.com>
We're not setting or using target->from_local_endpoint in the IPv6 BPF masquerading, so that we may skip masquerading for packets from local endpoints. Let's fix and align on what we do for IPv4. Fixes: 87981ac ("bpf: Implement IPv6 BPF masquerading") Reported-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com>
We recently implemented snat_v6_needed() in the datapath to determine whether we need SNAT for IPv6 masquerading; but the function was written long before it was merged and was based on snat_v4_needed(), which has since been consolidated and renamed as snat_v4_prepare_state(), and changed again to prepare for Egress Gateway. Here we replicate the changes from commit 59ac84f ("bpf: nat: consolidate snat_v4_needed() state into ipv4_nat_target"), in order to bring the IPv4 and IPv6 functions closer to one another. No functional change. Signed-off-by: Quentin Monnet <quentin@isovalent.com>
Similarly to the IPv4 path, we need to use the "router IP" for IPv6 SNAT when processing packets that leave the node via a tunnel. Fixes: 87981ac ("bpf: Implement IPv6 BPF masquerading") Reported-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com>
7bcf569
to
3b76954
Compare
I'm a bit confused. This is a refactor to align code right? The release note and release note label don't indicate anything about a bug being fixed. At this point I'm willing to ship this PR in v1.14 if it lands before I branch (some time in the next few days), but I think we should remove the release-blocker label. It's not obvious to me that it's making sufficient ongoing progress to guarantee it lands in time, and it's about time we consider v1.14 development done and move on. If it turns out that this is still a bugfix and it doesn't land before branching, then we can make a call about whether to prepare+backport a more targeted fix or backport this PR when it's ready. |
The confusion probably comes from my poor messaging, apologies. These two quotes refer to different things.
I did forget to update the release note. This is fixed now. I'm not sure what expectations you have regarding the release note label. My understanding is that
Sorry to hear about the insufficient progress - You know I've been busy with patch releases, but then I know you're making sure everything is in order for 1.14 so I guess it's fair. But the proposed resolution sounds good, let's target completion before branching, or consider a backport otherwise. Thanks a lot for your feedback! |
/test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Lgtm, both v4 and v6 variant are aligned logic-wise modulo the egress GW which is only for IPv4 at the moment.
The v4 code has this one:
# if defined(ENABLE_CLUSTER_AWARE_ADDRESSING) && defined(ENABLE_INTER_CLUSTER_SNAT)
if (target->cluster_id != 0 &&
target->cluster_id != CLUSTER_ID) {
target->addr = IPV4_INTER_CLUSTER_SNAT;
return true;
}
# endif
Is this again for v4-only? :/
I thought so, because I only found @YutaroHayakawa Could you please take a look and comment? Do we need the IPv6 equivalent to the IPv4 snippet quoted by Daniel now that we have IPv6 masquerading? [EDIT: It looks like the changes for inter-cluster NAT are not trivial, so if we need them now, this would likely be for a follow-up PR.] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm now, thank you Quentin! All good wrt inter-cluster-SNAT, that whole feature is currently IPv4-only.
We recently implemented snat_v6_needed() in the datapath to determine whether we need SNAT for IPv6 masquerading; but the function was written long before it was merged and was based on snat_v4_needed(), which has since been consolidated and renamed as snat_v4_prepare_state(), and changed again to prepare for Egress Gateway.
This PR aims at bringing snat_v6_needed() as close to snat_v4_prepare_state() as possible. In the process, we also fix a condition for SNAT-ing packets from local endpoints, and the IP address to use for masquerading packets leaving through a tunnel.
Commits: