
bpf: l3: limit kube-proxy workaround in l3_local_delivery() to bpf_overlay #27908

Merged

Conversation

julianwiedmann
Member

@julianwiedmann julianwiedmann commented Sep 4, 2023

#22333 fixed a bug for configs with tunnel-routing and per-EP routes. Here ingress policy was applied twice: first via tail-call, and then a second time by the to-container program as the packet traverses the veth pair.

The fix was to avoid the tail-call, and only apply policy with the to-container program. But the tail-call also contains a kube-proxy workaround (potential service replies need to pass through kube-proxy for RevDNAT, so the tail-call punts them to the stack instead of calling redirect_ep() to forward them straight to the endpoint). So we copied that workaround into the l3_local_delivery() path.

The tail-call is compiled as part of bpf_lxc, and thus couldn't easily tell if a packet was received from the tunnel. But as l3_local_delivery() is inlined into bpf_overlay, we can now limit the workaround to IS_BPF_OVERLAY. This ensures that the workaround is not applied to e.g. plain pod-to-pod traffic, where bpf_lxc also calls l3_local_delivery().

Fixes: 3d2ceaf ("bpf: Preserve overlay->lxc path with kube-proxy")

Restore host-stack bypass for pod-to-pod traffic in a configuration with kube-proxy, tunnel routing and per-endpoint routes.

…erlay

cilium#22333 fixed a bug for configs with
tunnel-routing and per-EP routes. Here ingress policy was applied twice:
first via tail-call, and then a second time by the to-container program as
the packet traverses the veth pair.

The fix was to avoid the tail-call, and only apply policy with the
to-container program. But the tail-call also contains a kube-proxy
workaround (potential service replies need to pass through kube-proxy for
RevDNAT, so the tail-call punts them to the stack instead of calling
redirect_ep() to forward them straight to the endpoint). So we copied that
workaround into the l3_local_delivery() path.

The tail-call is compiled as part of bpf_lxc, and thus couldn't easily tell
if a packet was received from the tunnel. But as l3_local_delivery() is
inlined into bpf_overlay, we can now limit the workaround to
IS_BPF_OVERLAY. This ensures that the workaround is not applied to e.g.
plain pod-to-pod traffic, where bpf_lxc also calls l3_local_delivery().

Fixes: 3d2ceaf ("bpf: Preserve overlay->lxc path with kube-proxy")
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@julianwiedmann julianwiedmann added kind/bug This is a bug in the Cilium logic. sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. release-note/bug This PR fixes an issue in a previous release of Cilium. area/kube-proxy Issues related to kube-proxy (not the kube-proxy-free mode). needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch labels Sep 4, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.14.2 Sep 4, 2023
@julianwiedmann julianwiedmann changed the title bpf: l3: limit kube-proxy workaround in l3_local_delivery() to bpf_ov… bpf: l3: limit kube-proxy workaround in l3_local_delivery() to bpf_overlay Sep 4, 2023
@julianwiedmann
Member Author

/test

@julianwiedmann julianwiedmann marked this pull request as ready for review September 4, 2023 07:36
@julianwiedmann julianwiedmann requested a review from a team as a code owner September 4, 2023 07:36
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Sep 4, 2023
@youngnick youngnick merged commit 334f7f0 into cilium:main Sep 5, 2023
62 checks passed
@julianwiedmann julianwiedmann deleted the 1.15-bpf-local-delivery-overlay branch September 5, 2023 05:07
@michi-covalent michi-covalent added this to Needs backport from main in 1.14.3 Sep 9, 2023
@michi-covalent michi-covalent removed this from Needs backport from main in 1.14.2 Sep 9, 2023
@gandro gandro mentioned this pull request Sep 12, 2023
@gandro gandro added backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. and removed needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch labels Sep 12, 2023
@gandro gandro added backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. and removed backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. labels Sep 25, 2023
@jrajahalme jrajahalme moved this from Needs backport from main to Backport done to v1.14 in 1.14.3 Oct 18, 2023
@julianwiedmann julianwiedmann added the needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch label Jan 3, 2024
@jibi jibi mentioned this pull request Jan 10, 2024
@jibi jibi added backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. and removed needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch labels Jan 10, 2024
@github-actions github-actions bot removed the backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. label Jan 15, 2024
@github-actions github-actions bot added the backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. label Jan 15, 2024