New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
bpf: nodeport: add RevDNAT-based FIB lookup for reply traffic #26638
Merged
dylandreimerink
merged 1 commit into
cilium:main
from
julianwiedmann:1.14-nodeport-revdnat-fib-v3
Aug 1, 2023
Merged
bpf: nodeport: add RevDNAT-based FIB lookup for reply traffic #26638
dylandreimerink
merged 1 commit into
cilium:main
from
julianwiedmann:1.14-nodeport-revdnat-fib-v3
Aug 1, 2023
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
maintainer-s-little-helper
bot
added
the
dont-merge/needs-release-note-label
The author needs to describe the release impact of these changes.
label
Jul 5, 2023
/test |
julianwiedmann
added
the
release-note/bug
This PR fixes an issue in a previous release of Cilium.
label
Jul 5, 2023
maintainer-s-little-helper
bot
removed
the
dont-merge/needs-release-note-label
The author needs to describe the release impact of these changes.
label
Jul 5, 2023
julianwiedmann
force-pushed
the
1.14-nodeport-revdnat-fib-v3
branch
from
July 5, 2023 10:24
8e4d6b6
to
67f1862
Compare
/test |
julianwiedmann
force-pushed
the
1.14-nodeport-revdnat-fib-v3
branch
from
July 5, 2023 11:38
67f1862
to
67659fc
Compare
/test |
julianwiedmann
force-pushed
the
1.14-nodeport-revdnat-fib-v3
branch
from
July 5, 2023 13:33
67659fc
to
5a74b80
Compare
/test |
julianwiedmann
force-pushed
the
1.14-nodeport-revdnat-fib-v3
branch
from
July 5, 2023 13:40
5a74b80
to
44d365e
Compare
/test |
julianwiedmann
changed the title
1.14 nodeport revdnat fib v3
bpf: nodeport: add RevDNAT-based FIB lookup for reply traffic
Jul 5, 2023
julianwiedmann
added
kind/bug
This is a bug in the Cilium logic.
sig/datapath
Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
area/loadbalancing
Impacts load-balancing and Kubernetes service implementations
needs-backport/1.13
This PR / issue needs backporting to the v1.13 branch
needs-backport/1.14
This PR / issue needs backporting to the v1.14 branch
labels
Jul 5, 2023
julianwiedmann
force-pushed
the
1.14-nodeport-revdnat-fib-v3
branch
from
July 17, 2023 14:09
44d365e
to
383e5ab
Compare
/test |
julianwiedmann
force-pushed
the
1.14-nodeport-revdnat-fib-v3
branch
from
July 25, 2023 08:20
383e5ab
to
7c21344
Compare
/test |
julianwiedmann
force-pushed
the
1.14-nodeport-revdnat-fib-v3
branch
from
July 26, 2023 14:10
7c21344
to
89f6c71
Compare
/test |
michi-covalent
added
backport-done/1.14
The backport for Cilium 1.14.x for this PR is done.
and removed
backport-pending/1.14
The backport for Cilium 1.14.x for this PR is in progress.
labels
Sep 9, 2023
michi-covalent
moved this from Backport pending to v1.14
to Backport done to v1.14
in 1.14.2
Sep 9, 2023
julianwiedmann
added
affects/v1.13
This issue affects v1.13 branch
and removed
needs-backport/1.13
This PR / issue needs backporting to the v1.13 branch
labels
Apr 2, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
affects/v1.13
This issue affects v1.13 branch
area/loadbalancing
Impacts load-balancing and Kubernetes service implementations
backport/author
The backport will be carried out by the author of the PR.
backport-done/1.14
The backport for Cilium 1.14.x for this PR is done.
kind/bug
This is a bug in the Cilium logic.
ready-to-merge
This PR has passed all tests and received consensus from code owners to merge.
release-note/bug
This PR fixes an issue in a previous release of Cilium.
sig/datapath
Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When moving the RevDNAT for backend replies from
bpf_lxc
intobpf_host
, we lost the routing based on the post-RevDNAT layout of the packet. Depending on the installed routing rules, we then end up sending the (RevDNATed) packet from the wrong egress interface.So as part of the RevDNAT processing in
to-netdev
, do a FIB lookup that considers the desired source IP. And redirect the packet if it's currently on the wrong interface. We intentionally delay the actual RevDNAT rewrite until the packet has reached the correct interface, so that the packet looks as expected to components into-netdev
(in particular HostFW).Long-term we would want
FIB_DONE
mark on the packet (similar toSNAT_DONE
), to skip additional lookups.from-container
(for BPF Host Routing) to already consider service RevDNAT.The initial idea was to have this check at the very top of the to-netdev program (see #26635). But we're hitting program size limits in 4.19 there, and improving that is too much of a refactor for a fix PR.
Fixes: #26166