bpf: fix iptables masquerading for node -> remote pod traffic #16136
Conversation
jibi
added
sig/datapath
jibi
force-pushed
the
pr/jibi/fix-dev-masq
branch
3 times, most recently
from
489c425
to
170258f
Compare
|
test-me-please |
Right, I forgot about that since in direct routing mode pods can only have v4 IPs assigned to (as |
In the IPv6 case the following used for the MASQ exclusion - https://github.com/cilium/cilium/blob/master/pkg/datapath/config.go#L141.
Nit: It can derive more than one devices. Anyway, it's getting more difficult to wrap my head around |
I think ideally we should move most of this conditional logic to userspace, and have |
jibi
force-pushed
the
pr/jibi/fix-dev-masq
branch
from
170258f
to
827fcaa
Compare
|
test-me-please |
@jibi 👍 👍 👍 |
maintainer-s-little-helper
bot
moved this from Needs backport from master
to Backport pending to v1.9
in 1.9.9
maintainer-s-little-helper
bot
moved this from Backport pending to v1.9
to Needs backport from master
in 1.9.9
maintainer-s-little-helper
bot
moved this from Backport pending to v1.9
to Needs backport from master
in 1.9.9
maintainer-s-little-helper
bot
moved this from Needs backport from master
to Backport pending to v1.9
in 1.9.9
maintainer-s-little-helper
bot
moved this from Needs backport from master
to Backport pending to v1.9
in 1.9.9
This reverts commit be4e93e. Issue cilium#12205 has been fixed via cilium#16136, and the Host Firewall can be used again in the tests. Signed-off-by: Quentin Monnet <quentin@isovalent.com>
The test was disabled because of issue cilium#12205: When bpf_host was loading on the native device, the source identity of packet on the destination node was resolved to WORLD and policy enforcement would fail. This has now been fixed via cilium#16136, and we can run the test again. Also adjust the conditions for the test, to reflect the changes to surrounding IPSec tests from f1209d0 ("test: Enable IPSec tests on 4.19"). Signed-off-by: Quentin Monnet <quentin@isovalent.com>
The test was disabled because of issue #12205: When bpf_host was loading on the native device, the source identity of packet on the destination node was resolved to WORLD and policy enforcement would fail. This has now been fixed via #16136, and we can run the test again. Also adjust the conditions for the test, to reflect the changes to surrounding IPSec tests from f1209d0 ("test: Enable IPSec tests on 4.19"). Signed-off-by: Quentin Monnet <quentin@isovalent.com>
This reverts commit be4e93e. Issue cilium#12205 has been fixed via cilium#16136, and the Host Firewall can be used again in the tests. Signed-off-by: Quentin Monnet <quentin@isovalent.com>
The test was disabled because of issue cilium#12205: When bpf_host was loading on the native device, the source identity of packet on the destination node was resolved to WORLD and policy enforcement would fail. This has now been fixed via cilium#16136, and we can run the test again. Also adjust the conditions for the test, to reflect the changes to surrounding IPSec tests from f1209d0 ("test: Enable IPSec tests on 4.19"). Signed-off-by: Quentin Monnet <quentin@isovalent.com>
When Cilium runs with KPR, host-firewall or bandwidth manager, it will
try to auto-derive one or more devices to which the bpf_host program is
attached.
This program will, among other things, redirect ingress traffic destined
to a pod to the pod's lxc device using
bpf_redirect().This causes the traffic to bypass the nf_conntrack table, leading to a
situation where traffic leaving the pod after the connection's been
established will be (incorrectly) masqueraded in case Iptables
masquerading is enabled, since the connection is not tracked by
netfilter.
This commit fixes this by skipping
bpf_redirect()when we detect thiscase (i.e. traffic is flowing through bpf_host attached to a physical
device and Cilium has installed Iptables rules which require conntrack).
Fixes: #14859.
Fixes: #12205.