Perform reverse NAT at host interface #15354

krishgobinath · 2021-03-16T01:00:59Z

Perform egress Reverse NAT at host interface.
Fixes: #11914

Description: if ENABLE_EGRESS_REVNAT_AT_HOST flag is set, conntrack lookup happens for all outbound traffic at host interface and reverse NAT translation happens at host Interface.

Signed-off-by: Gobinath gobinathk@google.com

pchaigno

The pull request message describes what the code changes implement, but not why these changes are necessary. Could you extend on that and also include the same in the commit message itself?

Right now it's hard to review as it's unclear what you're trying to fix/improve.

pchaigno · 2021-03-25T10:48:45Z

You will also need to rebase and sign-off your commit.

krishgobinath · 2021-07-22T21:43:44Z

Thanks. I left a few non-blocking nit comments. Please address them in a separate PR. Also, could you update the KPR documentation in the follow-up PR?

I have updated the PR with requested changes. Regarding documentation, we can address once we un-hide the netfilter-compatible-mode flag, after fixing issues mentioned here. #16166

joestringer · 2021-07-22T22:17:07Z

test-me-please

joestringer · 2021-07-22T22:38:33Z

Searching for the "command ... failed" message from the output of the ci-gke job, it looks like known issue #16938.

krishgobinath · 2021-07-23T03:37:10Z

Regarding test-1.19-5.4 , test K8sDatapathConfig Host firewall With VXLAN failed.
It was recorded earlier here. The same error code [Operation Timeout] was seen by other people as well. Looks like this is known Issue.

krishgobinath · 2021-07-23T14:48:09Z

Created CI issue to tracktest-gke failures.

joestringer · 2021-07-23T18:58:24Z

Thanks for triaging the failures, this helps us track & understand flakes in the system and also understand whether this PR has any link to the failures.

At a high level, the PR looks good to me (ie in terms of testing, how risky it is, general structure). I didn't spend a lot of time looking at the details (comments, exact flows for traffic when the flag is enabled etc.). Assuming @brb @pchaigno are happy with the PR now I think it should be ready-to-merge.

joestringer · 2021-07-23T23:11:08Z

Github is reporting these conflicting files:
install/kubernetes/cilium/templates/cilium-configmap.yaml
pkg/option/config.go

If you rebase, we can retrigger the smoke tests and as long as those pass (ie no build breakage) then no further testing should be necessary.

Description: if NETFILTER_COMPAT_MODE flag is set, guarantees that traffic will pass-through kernel netfilter and that Iptables rules are enforced on traffic. Problem: if Nodeport traffic ingress on the same node as a backend pod's node, NAT and reverse NAT translations at 2 different interfaces. On ingress path, NAT happens at Node's host interface, pass through kernel stack. on egress path reverse NAT happen at Pod's Veth interface and bypasses kernel stack. This asymmetric behavior, reflects in kernel conntrack entries and having a IPTABLE rule to DROP any packets if conntrack state is INVALID which results in packet DROP. Fixes: cilium#11914 Signed-off-by: Gobinath Krishnamoorthy <gobinathk@google.com>

krishgobinath · 2021-07-27T02:43:57Z

Github is reporting these conflicting files:
install/kubernetes/cilium/templates/cilium-configmap.yaml
pkg/option/config.go

If you rebase, we can retrigger the smoke tests and as long as those pass (ie no build breakage) then no further testing should be necessary.

@brb @pchaigno I don't think any requested changes are pending here. Can one of you merge this PR ?

pchaigno · 2021-07-30T16:55:25Z

test-me-please

I'll try to have a look tomorrow morning or late this evening. Hopefully, we can triage all test failures to existing flakes and merge.

krishgobinath · 2021-07-30T22:53:59Z

runtime (test-runtime) failure noticed earlier and tracked here
gke-stable (test-gke) failure noticed earlier and tracked here

pchaigno · 2021-07-30T22:57:13Z

As noticed by @krishgobinath, the two failing required tests failed with known flakes. Other tests are passing and all team review requests are covered. Marking ready to merge.

This reverts commit dc4b06e. Rationale: - PR cilium#15354 introduced a new test that is frequently failing: `K8sServicesTest Checks service across nodes Tests NodePort BPF Tests with vxlan Test NodePort with netfilterCompatMode=true` - This flake is tracked in issue cilium#17060. - We are reverting the original PR so as to remove the flake from the CI until we have a fix and are confident the new test is not flaky. Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>

This reverts commit dc4b06e. Rationale: - PR #15354 introduced a new test that is frequently failing: `K8sServicesTest Checks service across nodes Tests NodePort BPF Tests with vxlan Test NodePort with netfilterCompatMode=true` - This flake is tracked in issue #17060. - We are reverting the original PR so as to remove the flake from the CI until we have a fix and are confident the new test is not flaky. Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>

krishgobinath requested review from a team March 16, 2021 01:00

krishgobinath requested a review from a team as a code owner March 16, 2021 01:00