bpf: fix iptables masquerading for node -> remote pod traffic #16136
test-me-please
Isn't the same fix required for the IPv6 path?
Right, I forgot about that since in direct routing mode pods can only have v4 IPs assigned to (as
In the IPv6 case the following is used for the MASQ exclusion - https://github.com/cilium/cilium/blob/master/pkg/datapath/config.go#L141.
Nit: It can derive more than one device. Anyway, it's getting more difficult to wrap my head around
I think ideally we should move most of this conditional logic to userspace, and have
test-me-please
@jibi 👍 👍 👍
This reverts commit be4e93e. Issue cilium#12205 has been fixed via cilium#16136, and the Host Firewall can be used again in the tests. Signed-off-by: Quentin Monnet <quentin@isovalent.com>
The test was disabled because of issue cilium#12205: When bpf_host was loading on the native device, the source identity of the packet on the destination node was resolved to WORLD and policy enforcement would fail. This has now been fixed via cilium#16136, and we can run the test again. Also adjust the conditions for the test, to reflect the changes to surrounding IPSec tests from f1209d0 ("test: Enable IPSec tests on 4.19"). Signed-off-by: Quentin Monnet <quentin@isovalent.com>
When Cilium runs with KPR, host-firewall or bandwidth manager, it will try to auto-derive one or more devices to which the bpf_host program is attached.

This program will, among other things, redirect ingress traffic destined to a pod to the pod's lxc device using bpf_redirect(). This causes the traffic to bypass the nf_conntrack table, leading to a situation where traffic leaving the pod after the connection's been established will be (incorrectly) masqueraded in case iptables masquerading is enabled, since the connection is not tracked by netfilter.

This commit fixes this by skipping bpf_redirect() when we detect this case (i.e. traffic is flowing through bpf_host attached to a physical device and Cilium has installed iptables rules which require conntrack).

Fixes: #14859.
Fixes: #12205.
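The mechanism the commit message describes can be made concrete with a small model of nf_conntrack and the MASQUERADE rule. The code below is an added example written for this page; it is not Cilium's datapath code and none of its names (`Node`, `Packet`, `simulate`, `should_skip_bpf_redirect`) or addresses exist in the project. It assumes a deliberately simplified netfilter: conntrack is a set of 5-tuples with no state or timeouts, and MASQUERADE only rewrites the source of a NEW connection whose destination lies outside an exclusion CIDR, which is enough to show why a pod's reply to a remote node is masqueraded when the request was delivered with `bpf_redirect()` and bypassed the stack.

```python
"""Constructed model of the bpf_redirect()/nf_conntrack interaction (not Cilium code)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

    def reverse(self) -> "Packet":
        """The tuple of a reply to this packet."""
        return Packet(self.dst, self.src, self.dport, self.sport)


@dataclass
class Node:
    node_ip: str            # address used as MASQUERADE source
    pod_cidr: str           # pods hosted on this node
    masq_exclude: str       # destinations that are never masqueraded (assumed cluster CIDR)
    masquerade_enabled: bool = True
    conntrack: set = field(default_factory=set)   # tuples netfilter has seen, both directions


def ingress_from_physical_device(node: Node, pkt: Packet, bpf_redirect_to_pod: bool) -> str:
    """A packet arrives on the node's physical device, destined to a local pod."""
    assert ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(node.pod_cidr)
    if bpf_redirect_to_pod:
        # bpf_host hands the packet straight to the pod's lxc device: it never
        # traverses netfilter, so nf_conntrack records nothing about the flow.
        return "delivered via bpf_redirect (no conntrack entry)"
    # Regular stack path: conntrack records the original tuple and its reply tuple.
    node.conntrack.add(pkt)
    node.conntrack.add(pkt.reverse())
    return "delivered via stack (conntrack entry created)"


def egress_from_pod(node: Node, pkt: Packet) -> str:
    """Return the source address the packet leaves the node with."""
    if pkt in node.conntrack:
        # Reply of a tracked connection: NAT was decided on the connection's first
        # packet (no NAT here), so the nat table is not consulted again.
        return pkt.src
    # Unknown flow: netfilter treats it as NEW and evaluates MASQUERADE.
    node.conntrack.add(pkt)
    node.conntrack.add(pkt.reverse())
    outside_cluster = ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(node.masq_exclude)
    if node.masquerade_enabled and outside_cluster:
        return node.node_ip
    return pkt.src


def should_skip_bpf_redirect(attached_to_physical_device: bool,
                             iptables_rules_need_conntrack: bool) -> bool:
    """The condition the commit describes: fall back to the stack in exactly this case."""
    return attached_to_physical_device and iptables_rules_need_conntrack


def simulate(bpf_redirect_to_pod: bool) -> str:
    """Remote node -> local pod request, then the pod's reply; returns the reply's source."""
    # Constructed sample addresses: a node CIDR outside the masquerade exclusion.
    node = Node(node_ip="192.168.1.10", pod_cidr="10.0.1.0/24", masq_exclude="10.0.0.0/16")
    request = Packet(src="192.168.1.20", dst="10.0.1.5", sport=40000, dport=8080)
    ingress_from_physical_device(node, request, bpf_redirect_to_pod)
    return egress_from_pod(node, request.reverse())


if __name__ == "__main__":
    print("with bpf_redirect:", simulate(True))      # reply wrongly masqueraded to 192.168.1.10
    print("via stack:        ", simulate(False))     # reply keeps the pod address 10.0.1.5
```

Running it shows the bug and the fix side by side: with the redirect, the reply has no conntrack entry, is classified as NEW, and leaves with the node's address; delivered through the stack, the same reply is recognised as belonging to the tracked connection and keeps the pod's source. `should_skip_bpf_redirect` is the decision the commit adds, modelled as a pure function of the two conditions it names.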