datapath: optionally disable SIP verification #16134
@oblazek The tests are failing because some generated files need to be regenerated.
Oh, I accidentally modified autogenerated file, will try to fix. Thanks.
Code should be ready now, but could not figure out how to keep naming in this format Details show this:
which I have fixed in the latest commit.
That GitHub action ensures your commits don't break
Ah, got it.. thought gh has a way of squashing commits with a simple checkbox like gitlab has (but is hidden by default).
Thanks for the patch! Let's try to keep acronyms capitalized on non-autogenerated files wherever possible. Only the field in `EndpointDatapathConfiguration` should contain `Sip`, the rest should be capitalized. 👍
Enable an old datapath option for disabling source IP verification which prevents IP spoofing. In some cases it might be beneficial for users to have this option (for example something like DHCP discover which sends a packet with srcIP 0.0.0.0). Signed-off-by: Ondrej Blazek <ondra.blazkuj@gmail.com>
Smoke tests should already cover these changes and I don't think we need to run the full end-to-end tests given the option is never enabled in CI. All team reviews are covered. Marking as ready to merge.
Hello, where can I set the parameter to disable sip verification? I can't find any reference in the documentation? Thanks.
@michaelraskansky I don't believe it's currently possible to enable it unless you integrate directly with Cilium. I would be in favor of adding a flag to enable it globally for the agent. Though I'm wondering what's your use case to skip this check?
Hi @pchaigno , thanks for the quick reply. Something like this.
Add flag to disable SIP verification. This will allow configuring the datapath so it doesn't drop packets due to invalid source IP in the datapath. This is helpful when routing IP payload from external IP networks through Kubernetes via IP tunnels. See cilium#16134 for more information. Signed-off-by: Michael Raskansky <michaelraskansky@gmail.com>
Add flag to disable SIP verification. This will allow configuring the datapath so it doesn't drop packets due to invalid source IP in the datapath. This is helpful when routing IP payload from external IP networks through Kubernetes via IP tunnels. See cilium#16134 for more information. Signed-off-by: Michael Raskansky <michaelraskansky@gmail.com> check epTemplate.DatapathConfiguration only once Signed-off-by: Michael Raskansky <michaelraskansky@gmail.com> check epTemplate.DatapathConfiguration only once
Enable an old datapath option for disabling source IP
verification which prevents IP spoofing. In some cases
it might be beneficial for users to have this option
(for example something like DHCP discover which sends
a packet with srcIP 0.0.0.0).
Signed-off-by: Ondrej Blazek <ondra.blazkuj@gmail.com>
The macro `DISABLE_SIP_VERIFICATION` has been unused, the new datapath option enables it.
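A simplified model of the trade-off described above, added here as an illustration and not taken from Cilium's datapath: the check compares a packet's source address with the endpoint's address, a boolean stands in for building with `DISABLE_SIP_VERIFICATION`, and a narrower exemption for the DHCP discover case is shown next to the global switch. All function, type and constant names and the sample addresses are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model, not Cilium code: one IPv4 address per endpoint,
 * addresses kept in host byte order for readability. */
#define IPV4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                          ((uint32_t)(c) << 8) | (uint32_t)(d))
#define SAMPLE_EP IPV4(10, 0, 1, 23)            /* constructed endpoint IP */

enum verdict { PASS = 0, DROP_INVALID_SIP = 1 };

struct pkt {
    uint32_t saddr, daddr;
    uint8_t  proto;                             /* 6 = TCP, 17 = UDP */
    uint16_t sport, dport;
};

/* Constructed sample packets: a DHCP discover and a spoofed-source TCP SYN. */
static const struct pkt SAMPLE_DHCP  = { 0, IPV4(255, 255, 255, 255), 17, 68, 67 };
static const struct pkt SAMPLE_SPOOF = { IPV4(10, 0, 1, 99), IPV4(10, 0, 2, 5), 6, 40000, 443 };

/* DHCP discover from an unconfigured client: 0.0.0.0:68 -> broadcast:67/UDP. */
static bool is_dhcp_discover_shape(const struct pkt *p)
{
    return p->saddr == 0 && p->daddr == IPV4(255, 255, 255, 255) &&
           p->proto == 17 && p->sport == 68 && p->dport == 67;
}

/* verify == false models a datapath built with DISABLE_SIP_VERIFICATION. */
enum verdict check_src(const struct pkt *p, uint32_t ep_ip, bool verify, bool allow_dhcp)
{
    if (!verify)
        return PASS;                 /* every source passes, spoofed included */
    if (p->saddr == ep_ip)
        return PASS;
    if (allow_dhcp && is_dhcp_discover_shape(p))
        return PASS;                 /* narrow exemption, an assumption of this example */
    return DROP_INVALID_SIP;
}

int main(void)
{
    printf("verify on:          dhcp=%d spoof=%d\n", check_src(&SAMPLE_DHCP, SAMPLE_EP, true, false), check_src(&SAMPLE_SPOOF, SAMPLE_EP, true, false));
    printf("verify off:         dhcp=%d spoof=%d\n", check_src(&SAMPLE_DHCP, SAMPLE_EP, false, false), check_src(&SAMPLE_SPOOF, SAMPLE_EP, false, false));
    printf("verify on + dhcp:   dhcp=%d spoof=%d\n", check_src(&SAMPLE_DHCP, SAMPLE_EP, true, true), check_src(&SAMPLE_SPOOF, SAMPLE_EP, true, true));
    return 0;
}
```

With verification off, the spoofed packet passes together with the DHCP discover, which is the protection an endpoint gives up when the option is enabled.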