cilium: fix encryption flow labels in ip6 case #12015

Merged
merged 1 commit into from Jun 12, 2020

jrfastab
Contributor

We don't want to attach ip6 flow labels and set mark fields if the packet is only going to the stack to be encrypted. So short circuit the pass_to_stack logic after we decide the packet needs encryption and send directly to stack.

Also fix up DatapathConfiguration tests so they run on my local cluster and are in sync with tests that do not use encryption.

@jrfastab jrfastab requested a review from a team June 10, 2020 20:33
@jrfastab jrfastab requested a review from a team as a code owner June 10, 2020 20:33
@maintainer-s-little-helper

Please set the appropriate release note label.

@jrfastab
Contributor Author

test-focus K8sDatapathConfig.transparent

@coveralls

coveralls commented Jun 10, 2020

Coverage increased (+0.001%) to 37.012% when pulling 89a8907 on test-ipsec into 477c487 on master.

…stack

Avoid adding extra marks and labels to ip6 packets which can result in
dropped packets in ip6 case.

Signed-off-by: John Fastabend <john.fastabend@gmail.com>
@jrfastab
Contributor Author

test-focus K8sDatapathConfig.transparent

@joestringer joestringer added the release-note/bug This PR fixes an issue in a previous release of Cilium. label Jun 11, 2020
bpf/bpf_lxc.c Outdated
@jrfastab
Contributor Author

test-focus K8sDatapathConfig

@jrfastab
Contributor Author

Doing a preliminary test on datapath configurations, I have what I believe is an unrelated issue with my local cluster, but the above runs in a GKE cluster. The patch is good, I believe, and the local cluster issue seems to be related to iptables/route/mtu conflicts somehow. I get spurious TCP resets both with the above patch and before.

@jrfastab
Contributor Author

build error when encap is not enabled :( but on the plus side transparent encryption + vxlan passed. I'll push an update and rerun.

@jrfastab
Contributor Author

test-me-please

@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from master in 1.8.0 Jun 12, 2020
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from master in 1.7.5 Jun 12, 2020
@aanm
Member

aanm commented Jun 12, 2020

hit #10929

@aanm aanm merged commit 984ce49 into master Jun 12, 2020
1.8.0 automation moved this from In progress to Merged Jun 12, 2020
@aanm aanm deleted the test-ipsec branch June 12, 2020 08:36
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from master to Backport pending to v1.8 in 1.8.0 Jun 12, 2020
@aanm aanm removed this from Needs backport from master in 1.7.5 Jun 12, 2020
@aanm aanm added this to Needs backport from master in 1.7.6 Jun 12, 2020
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Backport pending to v1.7 in 1.7.5 Jun 12, 2020
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport pending to v1.8 to Backport done to v1.8 in 1.8.0 Jun 16, 2020
@aanm aanm removed this from Backport pending to v1.7 in 1.7.5 Jul 3, 2020
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Backport done to v1.7 in 1.7.5 Jul 3, 2020
@aanm aanm removed this from Needs backport from master in 1.7.6 Jul 3, 2020
@aanm aanm removed this from Backport done to v1.7 in 1.7.5 Jul 3, 2020
@aanm aanm added this to Backport done to v1.7 in 1.7.6 Jul 3, 2020
4 participants