Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[v1.14] bpf: nodeport: update TTL / hop-limit on redirect #27379

Merged
merged 4 commits into from Aug 16, 2023
Merged

[v1.14] bpf: nodeport: update TTL / hop-limit on redirect #27379

merged 4 commits into from Aug 16, 2023

Conversation

julianwiedmann
Copy link
Member

@julianwiedmann julianwiedmann commented Aug 9, 2023
edited by jschwinger233

Manual backport of

Once this PR is merged, you can update the PR labels via:

for pr in 27299; do contrib/backporting/set-labels.py $pr done 1.14; done

or with

make add-labels BRANCH=v1.14 ISSUES=27299

@julianwiedmann
bpf: nodeport: fix TTL update for XDP in IPv4 NAT Egress path
70e22c7 
[ upstream commit 8fe8e93 ]

When forwarding from the XDP LB to a remote NAT backend,
tail_nodeport_nat_egress_ipv4() potentially adds outer tunnel headers to
the packet. The call to fib_redirect_v4() then decrements outer header's
TTL, not the inner IPv4 header.

Fix this by manually updating the TTL, and open-coding the redirect.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@julianwiedmann
bpf: nodeport: update hop-limit in IPv6 NAT Egress path
8634b77 
[ upstream commit 83a53d7 ]

When forwarding from the LB to a remote NAT backend,
tail_nodeport_nat_egress_ipv6() uses fib_redirect() to pick the egress
interface (we can't use fib_redirect_v6() as the packet might have been
converted to IPv4, or tunnel-encapsulated in XDP). Thus the hop-limit
currently doesn't get updated.

Do so manually, before potentially adding the tunnel encapsulation.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@maintainer-s-little-helper maintainer-s-little-helper bot added backport/1.14 This PR represents a backport for Cilium 1.14.x of a PR that was merged to main. kind/backports This PR provides functionality previously merged into master. labels Aug 9, 2023
@julianwiedmann
Copy link
Member Author

/test-backport-1.14

@julianwiedmann
bpf: nodeport: fix TTL update for XDP in IPv4 RevDNAT reply path
191ef0e 
[ upstream commit 09be401 ]

When forwarding replies from the LB (or EgressGW replies) back to the
client, rev_nodeport_lb4() potentially adds outer tunnel headers to the
packet. The call to fib_redirect_v4() then decrements outer header's TTL,
not the inner IPv4 header.

Fix this by manually updating the TTL, and open-coding the redirect.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@julianwiedmann
bpf: nodeport: update hop-limit in IPv6 RevDNAT reply path
30d27d1 
[ upstream commit 9e29ea6 ]

When forwarding replies from the LB back to the client, rev_nodeport_lb6()
uses fib_redirect() to pick the egress interface (we can't use
fib_redirect_v6() as the packet might have been converted to IPv4, or
tunnel-encapsulated in XDP). Thus the hop-limit currently doesn't get
updated.

Do so manually.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@julianwiedmann
Copy link
Member Author

/test-backport-1.14

@julianwiedmann julianwiedmann marked this pull request as ready for review August 10, 2023 10:02
@julianwiedmann julianwiedmann requested a review from a team as a code owner August 10, 2023 10:02
@julianwiedmann julianwiedmann added the dont-merge/wait-until-release Freeze window for current release is blocking non-bugfix PRs label Aug 10, 2023
@julianwiedmann
Copy link
Member Author

Manual backport due to trivial contextual conflicts. No changes in behaviour that needed to be addressed.

@julianwiedmann julianwiedmann removed the dont-merge/wait-until-release Freeze window for current release is blocking non-bugfix PRs label Aug 15, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Aug 15, 2023
@lmb lmb merged commit fbd4e54 into cilium:v1.14 Aug 16, 2023
56 checks passed
@julianwiedmann julianwiedmann deleted the v1.14-nodeport-ttl branch August 16, 2023 09:50
@michi-covalent michi-covalent mentioned this pull request Sep 9, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lmb lmb lmb approved these changes

@ldelossa ldelossa ldelossa approved these changes

@jschwinger233 jschwinger233 jschwinger233 approved these changes

Assignees
No one assigned
Labels
backport/1.14 This PR represents a backport for Cilium 1.14.x of a PR that was merged to main. kind/backports This PR provides functionality previously merged into master. ready-to-merge This PR has passed all tests and received consensus from code owners to merge.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@julianwiedmann @lmb @ldelossa @jschwinger233