
NodePort BPF service cannot be reached when L7 policy is applied / L7 visibility is enabled #8971

Closed
brb opened this issue Aug 20, 2019 · 3 comments · Fixed by #12434 or #11899
Assignees
Labels
area/proxy Impacts proxy components, including DNS, Kafka, Envoy and/or XDS servers. kind/bug This is a bug in the Cilium logic. sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
Milestone

Comments

@brb
Member

brb commented Aug 20, 2019

A NodePort BPF service cannot be reached when:

  • an L7 allow-all policy is applied,
  • and a request to the service is sent to a host which runs the service endpoint pod.

Sending the request to a host which SNATs the request and forwards it to the destination host works as expected.

The request (TCP SYN) enters the relevant TPROXY rule at the receiving host, and then disappears:

IN=cilium_net OUT= MAC=16:6a:8a:0b:7c:e0:36:d7:19:cb:ee:ec:08:00 SRC=192.168.34.11 DST=10.217.1.215 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=15285 DF PROTO=TCP SPT=56576 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x1927020
@brb brb added kind/bug This is a bug in the Cilium logic. sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. area/proxy Impacts proxy components, including DNS, Kafka, Envoy and/or XDS servers. labels Aug 20, 2019
@brb brb added this to the 1.7 milestone Aug 20, 2019
@brb brb self-assigned this Aug 20, 2019
@brb
Member Author

brb commented Oct 7, 2019

Just checked that it's still an issue. Might be related to #9284.

@borkmann borkmann moved this from Todo (1.7) to In progress (1.7) in 1.9 kube-proxy removal & general dp optimization Feb 7, 2020
@borkmann borkmann moved this from In progress (1.8) to 1.8/1.7 needed in 1.9 kube-proxy removal & general dp optimization Feb 17, 2020
@borkmann borkmann moved this from 1.8/1.7 needed to In progress (1.8) in 1.9 kube-proxy removal & general dp optimization Feb 17, 2020
@borkmann borkmann moved this from In progress (1.8) to CI related in 1.9 kube-proxy removal & general dp optimization Mar 19, 2020
@borkmann borkmann moved this from CI related to In progress (1.8) in 1.9 kube-proxy removal & general dp optimization Mar 19, 2020
@brb brb modified the milestones: 1.7, 1.9 Jun 11, 2020
@brb brb changed the title NodePort BPF service cannot be reached when running in direct routing mode and L7 policy is applied NodePort BPF service cannot be reached when L7 policy is applied / L7 visibility is enabled Jun 11, 2020
@jrajahalme
Member

@brb Similar problem existed also with kube-proxy in non-tunneled modes, where SYN/ACK would be lost due to NodePort SNAT not being reversed due to an overly broad NOTRACK rule. This was fixed by #11899.

Have you traced how far in the datapath the SYN/ACK gets in this NodePort BPF case?

@borkmann borkmann moved this from In progress (1.8) to TODO (untriaged) in 1.9 kube-proxy removal & general dp optimization Jul 6, 2020
@brb
Member Author

brb commented Jul 6, 2020

@jrajahalme According to #12434, it seems to be fixed! I'm going to close this issue once I've extended BPF NodePort tests to include L7 policy.
