Perform reverse NAT at host interface #15354
The pull request message describes what the code changes implement, but not why these changes are necessary. Could you extend on that and also include the same in the commit message itself?
Right now it's hard to review as it's unclear what you're trying to fix/improve.
You will also need to rebase and sign-off your commit.
I have updated the PR with requested changes. Regarding documentation, we can address once we un-hide the
test-me-please
Searching for the "command ... failed" message from the output of the
Regarding
Created CI issue to track
Thanks for triaging the failures, this helps us track & understand flakes in the system and also understand whether this PR has any link to the failures. At a high level, the PR looks good to me (ie in terms of testing, how risky it is, general structure). I didn't spend a lot of time looking at the details (comments, exact flows for traffic when the flag is enabled etc.). Assuming @brb @pchaigno are happy with the PR now I think it should be ready-to-merge.
Github is reporting these conflicting files: If you rebase, we can retrigger the smoke tests and as long as those pass (ie no build breakage) then no further testing should be necessary.
Description: if the NETFILTER_COMPAT_MODE flag is set, this guarantees that traffic passes through kernel netfilter and that iptables rules are enforced on the traffic.

Problem: if NodePort traffic ingresses on the same node as the backend pod's node, NAT and reverse NAT translations happen at 2 different interfaces. On the ingress path, NAT happens at the node's host interface and the packet passes through the kernel stack. On the egress path, reverse NAT happens at the pod's veth interface and bypasses the kernel stack. This asymmetric behavior is reflected in the kernel conntrack entries, and having an iptables rule to DROP any packets whose conntrack state is INVALID results in packet DROP.

Fixes: cilium#11914

Signed-off-by: Gobinath Krishnamoorthy <gobinathk@google.com>
@brb @pchaigno I don't think any requested changes are pending here. Can one of you merge this PR?
test-me-please I'll try to have a look tomorrow morning or late this evening. Hopefully, we can triage all test failures to existing flakes and merge.
As noticed by @krishgobinath, the two failing required tests failed with known flakes. Other tests are passing and all team review requests are covered. Marking ready to merge.
This reverts commit dc4b06e.

Rationale:
- PR cilium#15354 introduced a new test that is frequently failing: `K8sServicesTest Checks service across nodes Tests NodePort BPF Tests with vxlan Test NodePort with netfilterCompatMode=true`
- This flake is tracked in issue cilium#17060.
- We are reverting the original PR so as to remove the flake from the CI until we have a fix and are confident the new test is not flaky.

Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
Perform egress Reverse NAT at host interface.
Fixes: #11914
Description: if the ENABLE_EGRESS_REVNAT_AT_HOST flag is set, the conntrack lookup happens for all outbound traffic at the host interface and reverse NAT translation happens at the host interface.
Signed-off-by: Gobinath gobinathk@google.com
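The asymmetry described in both PR descriptions above (NAT at the host interface on ingress, reverse NAT at the pod veth on egress), as an added example that is not part of this PR or of Cilium's code: a simplified Python model of the kernel's TCP conntrack states, with constructed addresses and ports, showing why the client's ACK is classified INVALID when conntrack never sees the backend's reply, and ESTABLISHED once reverse NAT is done at the host interface so the reply traverses the stack.

```python
# Added example, not Cilium code: a deliberately simplified model of the
# nf_conntrack TCP states involved in the NodePort same-node case.
# All addresses and ports below are constructed sample values.
from dataclasses import dataclass

CLIENT, NODE_IP, POD_IP = "198.51.100.7", "192.0.2.10", "10.0.1.5"
NODEPORT, BACKEND_PORT, CLIENT_PORT = 31000, 8080, 40000


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN-ACK" or "ACK"


class Conntrack:
    """Tiny conntrack model keyed by the original-direction 4-tuple."""

    def __init__(self):
        self.table = {}  # original tuple -> TCP tracking state

    def track(self, p):
        orig = (p.src, p.sport, p.dst, p.dport)
        reply = (p.dst, p.dport, p.src, p.sport)
        if orig in self.table:  # packet in the original direction
            if p.flags == "ACK" and self.table[orig] == "SYN_SENT":
                return "INVALID"  # ACK before any reply was seen
            if p.flags == "ACK" and self.table[orig] == "SYN_RECV":
                self.table[orig] = "ESTABLISHED"
            return self.table[orig]
        if reply in self.table:  # packet in the reply direction
            if p.flags == "SYN-ACK" and self.table[reply] == "SYN_SENT":
                self.table[reply] = "SYN_RECV"
            return self.table[reply]
        if p.flags == "SYN":  # first packet of a new flow
            self.table[orig] = "SYN_SENT"
            return "NEW"
        return "INVALID"


def nodeport_flow(revnat_at_host):
    """Run SYN / SYN-ACK / ACK through the host stack's conntrack; return (state, verdict)."""
    ct = Conntrack()
    # Ingress: NodePort DNAT already happened at the host interface, so the
    # stack (and conntrack) sees client -> pod IP, not client -> NodePort.
    ct.track(Packet(CLIENT, CLIENT_PORT, POD_IP, BACKEND_PORT, "SYN"))
    if revnat_at_host:  # reply traverses the stack, reverse NAT applied afterwards
        ct.track(Packet(POD_IP, BACKEND_PORT, CLIENT, CLIENT_PORT, "SYN-ACK"))
    # else: reverse NAT at the pod veth bypasses the stack; conntrack sees no reply.
    state = ct.track(Packet(CLIENT, CLIENT_PORT, POD_IP, BACKEND_PORT, "ACK"))
    # Mirrors a rule like: iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
    return state, ("DROP" if state == "INVALID" else "ACCEPT")
```

Running `nodeport_flow(False)` models the reported bug path and `nodeport_flow(True)` the behaviour with the flag set.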