bpf: Preserve source identity for hairpin via stack #10926
When Cilium is used in chaining mode with portmap, the hostPort is translated using iptables DNAT as inserted by the portmap plugin. When this happens all within a node, we can preserve the source identity for the reply traffic for correct visibility. The traffic will be allowed anyway based on the connection tracking state.

Updates: #9784

Signed-off-by: Thomas Graf <thomas@cilium.io>
test-me-please The privileged tests seem to have been interrupted:
The k8s tests contain several errors which seem to indicate a setup failure
Patch looks OK to me but looks like some tests failed. I scanned the logs and wasn't obvious to me off-hand what went wrong.
test-me-please Hit #10942
test-me-please
Too late to the party, but this is breaking BPF masquerading and BPF NodePort, as the mark set in this PR clashes with