[v1.15] bpf: avoid SNAT tracking for overlay traffic #31785
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
maintainer-s-little-helper
bot
added
backport/1.15
|
/test-backport-1.15 |
ldelossa
approved these changes
Apr 5, 2024
julianwiedmann
added
the
dont-merge/wait-until-release
[ upstream commit 3e32efc ] This is an internal macro that's selected by common.h (based on TUNNEL_MODE and a few other config options). There should be no need to explicitly set it. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
[ upstream commit 5b37dc9 ] When a packet gets SNATed in to-overlay, there is no point in setting the SNAT-done mark. Firstly the mark refers to the *inner* packet, but all subsequent users will only see the outer headers. Also our own netfilter rules installed by installHostTrafficMarkRule() currently clear the mark for overlay traffic. Free up the mark for future usage. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
[ upstream commit 2860ded ] To make smarter decisions at the native-device level (in to-netdev), mark traffic that is created by cilium's overlay interface. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
[ upstream commit 7c789e5 ] Creating SNAT entries for our own overlay traffic makes little sense. In particular as the replies will not be addressed to the egressing packet's source port, but to TUNNEL_PORT. Avoiding such SNAT tracking reduces the pressure on the CT and NAT maps. Fixes: cilium#26908 Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
[ upstream commit b523a92 ] Prior to 2860ded ("datapath: mark to-overlay traffic"), overlay traffic would reach the HostFW egress path in to-netdev with MARK_MAGIC_HOST set. Restore this behaviour by also assigning HOST_ID for traffic that has MARK_MAGIC_OVERLAY set. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
[ upstream commit 8984c20 ] As we now have a mark-derived src_sec_identity available, we might as well share this bit of information with the user. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
julianwiedmann
force-pushed
the
v1.15-tunnel-snat
branch
from
8a1e8c2
to
23e960c
Compare
|
/test-backport-1.15 |
julianwiedmann
added
ready-to-merge
maintainer-s-little-helper
bot
removed
the
ready-to-merge
julianwiedmann
added
the
ready-to-merge
lmb
approved these changes
Apr 10, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Manual backport of
v1.15)Once this PR is merged, a GitHub action will update the labels of these PRs: