[v1.9] bpf: Skip policy enforcements for service loopback case #15709
[ upstream commit 52cd6da ]

When an endpoint connects to itself via service clusterIP, we hairpin the flow using a loopback IP address (configured using ipv4-service-loopback-address). The destination clusterIP (on egress) and loopback IP (on ingress) map to unexpected identities. As a result, policy enforcement fails and the packet is dropped. This is visible in the cilium monitor output:

    <- endpoint 1844 flow 0x96c8d52 identity 55108->unknown state new ifindex 0 orig-ip 0.0.0.0: 10.12.0.123:58242 -> 172.20.0.130:80 tcp SYN
    Policy verdict log: flow 0x96c8d52 local EP ID 1844, remote ID world, proto 6, egress, action deny, match none, 169.254.42.1:58242 -> 10.12.0.123:80 tcp SYN

Since we don't want to enforce policies anyway for the loopback traffic, this commit skips policy enforcements in that case.

Co-authored-by: Paul Chaignon <paul@cilium.io>
Signed-off-by: Aditi Ghag <aditi@cilium.io>
Signed-off-by: Chris Tarazi <chris@isovalent.com>
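To triage this symptom on a cluster before the fix is rolled out, an operator can scan `cilium monitor` output for policy denies whose source is the service loopback address and join them to the trace line of the same flow to recover the original clusterIP destination. The following is an added example, not code from the Cilium project; the line formats are modelled on the two monitor lines quoted in the commit message, and the sample input is constructed from them plus one unrelated deny.

```python
import re
from typing import Dict, List, Optional

# "Policy verdict log:" line, shaped after the line quoted in the commit message.
VERDICT_RE = re.compile(
    r"Policy verdict log: flow (?P<flow>0x[0-9a-f]+) local EP ID (?P<ep>\d+), "
    r"remote ID (?P<remote>\S+), proto (?P<proto>\d+), (?P<dir>ingress|egress), "
    r"action (?P<action>\w+), match (?P<match>[^,]+), "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Flow trace line; it still carries the pre-hairpin (clusterIP) destination.
TRACE_RE = re.compile(
    r"endpoint (?P<ep>\d+) flow (?P<flow>0x[0-9a-f]+) identity (?P<ident>\S+) .*?: "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample: the two lines from the commit message plus an unrelated deny.
SAMPLE_LINES = [
    "<- endpoint 1844 flow 0x96c8d52 identity 55108->unknown state new ifindex 0 "
    "orig-ip 0.0.0.0: 10.12.0.123:58242 -> 172.20.0.130:80 tcp SYN",
    "Policy verdict log: flow 0x96c8d52 local EP ID 1844, remote ID world, proto 6, "
    "egress, action deny, match none, 169.254.42.1:58242 -> 10.12.0.123:80 tcp SYN",
    "Policy verdict log: flow 0x1a2b3c4 local EP ID 2001, remote ID world, proto 6, "
    "ingress, action deny, match none, 10.12.0.50:40000 -> 10.12.0.123:80 tcp SYN",
]


def parse_verdict(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a policy verdict line, or None if it is not one."""
    m = VERDICT_RE.search(line)
    return m.groupdict() if m else None


def find_loopback_denies(lines: List[str], loopback_ip: str) -> List[Dict[str, str]]:
    """Denied verdicts whose source is the service loopback address (the hairpin
    signature), each enriched with the original destination from the trace line
    that shares its flow id, when one was seen ("" otherwise)."""
    traces = {t.group("flow"): t.groupdict() for t in map(TRACE_RE.search, lines) if t}
    hits = []
    for line in lines:
        v = parse_verdict(line)
        if v and v["action"] == "deny" and v["src"] == loopback_ip:
            trace = traces.get(v["flow"])
            v["orig_dst"] = trace["dst"] if trace else ""
            hits.append(v)
    return hits


if __name__ == "__main__":
    for hit in find_loopback_denies(SAMPLE_LINES, "169.254.42.1"):
        print(f"flow {hit['flow']} EP {hit['ep']}: loopback deny, original dst {hit['orig_dst']}")
```

The loopback address to pass is whatever the cluster sets via ipv4-service-loopback-address; 169.254.42.1 is the value seen in the quoted output.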
Upon code inspection, the remote endpoint lookup that retrieves the destination ID is useless because the destination ID is not used when `hairpin_flow` is true. We can skip over this code in hopes that it simplifies the code complexity. Signed-off-by: Chris Tarazi <chris@isovalent.com>
Updated the PR description to convert this PR into a backport PR, now that the complexity issue has been resolved on this branch. Opening for reviews.

Edit: I can't request reviews from Paul as he opened the PR, but I've been pushing to it.
Nice work! Thank you. 🚀
LGTM! I can't leave an approving review because I opened the PR, but that's my intent 🙂
Thanks @christarazi and @aditighag! 🙏
Once this PR is merged, you can update the PR labels via: