New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cilium: fix encryption flow labels in ip6 case #12015
Conversation
Please set the appropriate release note label. |
test-focus K8sDatapathConfig.transparent |
…stack Avoid adding extra marks and labels to ip6 packets which can result in dropped packets in ip6 case. Signed-off-by: John Fastabend <john.fastabend@gmail.com>
test-focus K8sDatapathConfig.transparent |
test-focus K8sDatapathConfig |
Doing a preliminary test on datapath configurations I have what I believe is an unrelated issue with my local cluster but above runs in gke cluster. The patch is good I believe and the local cluster issue seems to be related to iptables/route/mtu conflicts somehow. I get spurious TCP reset both with above patch and before. |
build error when encap is not enabled :( but on the plus side transparent encryption + vxlan passed. I'll push an update and rerun. |
test-me-please |
hit #10929 |
1 similar comment
hit #10929 |
We don't want to attach ip6 flow labels and set mark fields if the packet is only going to the stack to be encrypted. So short circuit the pass_to_stack logic after we decide the packet needs encryption and send directly to stack.
Also fix up DatapathConfiguration tests so they run on my local cluster and are in-sync with tests that do not use encryption.