bpf: added --bpf-lb-bypass-fib-lookup flag #14978
@skuffe Thanks. Could you squash both commits?
This commit adds a boolean flag, which when enabled will cause the BPF nodeport reverse NAT handling to attempt to use a MAC address which was previously associated with the remote endpoint when sending its reply, instead of doing a FIB lookup.
If the flag is toggled off, this optimization is disabled, and a FIB lookup is always done.
This is useful if Cilium is to be used on nodes whose default gateway is a FHRP VIP/MAC, such as with VRRP or Cisco's HSRP.
Fixes: cilium#14911
Signed-off-by: Danni Skov Høglund <skuffe@pwnz.dk>
done
test-me-please
test-me-please
Build finished.
Thanks!
Have you tested both SNAT and DSR mode?
test-me-please
Thanks!
Yup, tested both, as well as with Would there be any more settings that could be interesting to test this against?
No need for more, as SNAT/DSR should be enough.
@skuffe Could you close and then reopen the PR? GH actions got stuck, and need to be retriggered.
This commit adds a section to the Getting Started -> Kubernetes Without kube-proxy, describing what this flag does and when to use it.
Also added the required bits to the Helm template and values.yaml
Signed-off-by: Danni Skov Høglund <skuffe@pwnz.dk>
test-me-please
Hmm, that's odd that some of those tests failed. Functionally - in the default configuration, there should be no difference from what's otherwise on the master branch.
test-runtime
net-next hit the flake #12511.
test-net-next
test-gke
@brb If I disable bpf-lb-bypass-fib-lookup, will there be a problem when the l2 entry is not available so that fib_lookup returns BPF_FIB_LKUP_RET_NO_NEIGH?
@liuyuan10 Yep, in that case the packet will be dropped. To avoid this, for the relevant actors, we do arping when cilium-agent is configured with either ipsec or kube-proxy replacement.
This commit adds a boolean flag, which when enabled will cause the BPF nodeport reverse NAT handling to attempt to use a MAC address which was previously associated with the remote endpoint when sending its reply, instead of doing a FIB lookup.
If the flag is toggled off, this optimization is disabled, and a FIB lookup is always done.
This is useful if Cilium is to be used on nodes whose default gateway is a FHRP VIP/MAC, such as with VRRP or Cisco's HSRP.
Fixes: #14911
Signed-off-by: Danni Skov Høglund <skuffe@pwnz.dk>
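
A user-space C model of the destination-MAC decision described in the commit message and in the fib_lookup exchange above, added here as an illustration and not taken from the Cilium code. All type and function names, the addresses, and the fallback to a lookup when no MAC was recorded are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model: FIB_OK / FIB_NO_NEIGH stand in for
 * BPF_FIB_LKUP_RET_SUCCESS / BPF_FIB_LKUP_RET_NO_NEIGH. */
enum fib_ret { FIB_OK, FIB_NO_NEIGH };
enum verdict { V_DROP = 0, V_CACHED_MAC = 1, V_FIB_MAC = 2 };

struct neigh { uint32_t ip; uint8_t mac[6]; bool resolved; };
struct reply {
    uint32_t nexthop;       /* gateway address chosen by routing */
    bool     have_cached;   /* a MAC was recorded for the remote endpoint */
    uint8_t  cached_mac[6]; /* source MAC seen on the request */
};

/* Stand-in for the kernel lookup: succeeds only with a resolved L2 entry. */
static enum fib_ret fib_model(const struct neigh *n, uint32_t hop, uint8_t out[6])
{
    if (n->ip != hop || !n->resolved)
        return FIB_NO_NEIGH;
    memcpy(out, n->mac, 6);
    return FIB_OK;
}

/* Choose the destination MAC for a reverse-NAT reply. */
enum verdict pick_dmac(bool bypass, const struct reply *r,
                       const struct neigh *n, uint8_t dmac[6])
{
    if (bypass && r->have_cached) {      /* flag on: reuse the recorded MAC */
        memcpy(dmac, r->cached_mac, 6);
        return V_CACHED_MAC;
    }
    /* Flag off, or (assumed) nothing recorded: resolve via the lookup. */
    if (fib_model(n, r->nexthop, dmac) == FIB_OK)
        return V_FIB_MAC;
    return V_DROP;                       /* NO_NEIGH: the reply is dropped */
}

/* Constructed case: gateway VIP 10.0.0.1 with a VRRP-style virtual MAC,
 * request received from a physical router's MAC. Returns the verdict,
 * or -1 if the chosen MAC does not match the verdict. */
int scenario(bool bypass, bool have_cached, bool neigh_resolved)
{
    struct neigh gw = { 0x0a000001, {0x00,0x00,0x5e,0x00,0x01,0x01}, neigh_resolved };
    struct reply r  = { 0x0a000001, have_cached, {0x02,0,0,0,0,0xaa} };
    uint8_t dmac[6] = {0};
    enum verdict v = pick_dmac(bypass, &r, &gw, dmac);
    if (v == V_CACHED_MAC && memcmp(dmac, r.cached_mac, 6)) return -1;
    if (v == V_FIB_MAC && memcmp(dmac, gw.mac, 6)) return -1;
    return v;
}
```

With the flag off, the reply goes to the gateway's virtual MAC only while the neighbour entry is resolved, which is the case the arping mentioned in the thread is there to keep true.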