Skip iptables masquerading for packets destined to remote nodes #16603
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
pchaigno
added
the
sig/datapath
maintainer-s-little-helper
bot
added
the
dont-merge/needs-release-note-label
pchaigno
added
the
release-note/minor
maintainer-s-little-helper
bot
removed
the
dont-merge/needs-release-note-label
pchaigno
force-pushed
the
skip-node-iptables-masquerading
branch
from
f6d6135
to
f466b6b
Compare
pchaigno
force-pushed
the
skip-node-iptables-masquerading
branch
from
f466b6b
to
9904711
Compare
pchaigno
force-pushed
the
skip-node-iptables-masquerading
branch
from
9904711
to
10ad360
Compare
pchaigno
force-pushed
the
skip-node-iptables-masquerading
branch
from
10ad360
to
4945a11
Compare
pchaigno
force-pushed
the
skip-node-iptables-masquerading
branch
from
4945a11
to
d8bb856
Compare
pchaigno
force-pushed
the
skip-node-iptables-masquerading
branch
from
d8bb856
to
dc63785
Compare
pchaigno
force-pushed
the
skip-node-iptables-masquerading
branch
from
1a7534d
to
70f2fc8
Compare
borkmann
added
the
dont-merge/needs-rebase
|
@pchaigno have a chance to rebase? |
We will need the ipset binary in subsequent commits to implement an ipset containing all node IPs (we need to skip packet destined to such IPs when doing iptables masquerading). Signed-off-by: Paul Chaignon <paul@cilium.io>
pchaigno
force-pushed
the
skip-node-iptables-masquerading
branch
from
c163507
to
f05288d
Compare
pchaigno
force-pushed
the
skip-node-iptables-masquerading
branch
from
f05288d
to
43afb7a
Compare
Signed-off-by: Paul Chaignon <paul@cilium.io>
When using BPF masquerading, we don't masquerade traffic destined to cluster nodes in native routing mode. We detect those destination using the security identity. When using iptables masquerading, we cannot implement the exact same because we can't match on security identities. Instead, we need to maintain an ipset of IP addresses belonging to cluster nodes and skip the iptables masquerading rules when a packet is destined to an IP in the ipset. Signed-off-by: Paul Chaignon <paul@cilium.io>
We are now using ipsets when iptables masquerading is enabled, to skip masquerading for traffic to remote nodes. We should therefore collect ipsets in the bugtool reports, to enable debugging. Signed-off-by: Paul Chaignon <paul@cilium.io>
This temporary fix is needed until [1] is merged. 1 - cilium/packer-ci-build#278 Signed-off-by: Paul Chaignon <paul@cilium.io>
pchaigno
force-pushed
the
skip-node-iptables-masquerading
branch
from
43afb7a
to
40f813c
Compare
pchaigno
removed
the
dont-merge/needs-rebase
|
/test |
|
The checkpatch failure can be ignored (one empty commit description) and the ConformanceAKS failure is expected, the workflow has been temporarily disabled. The ConformanceAKS workflow was also passing before I rebased. All team reviews are covered except for cilium/cli. That team's review is only required because of the trivial change to the bugtool so I think it's safe to ignore. Marking ready to merge. |
pchaigno
added
the
ready-to-merge
pchaigno
added a commit
to cilium/packer-ci-build
that referenced
this pull request
Sep 29, 2021
The ipset binary is required in the VMs because of cilium/cilium#16603 when Cilium is running as a service (e.g., for development VMs and for Runtime tests). Signed-off-by: Paul Chaignon <paul@cilium.io>
pchaigno
added a commit
to cilium/packer-ci-build
that referenced
this pull request
Oct 4, 2021
The ipset binary is required in the VMs because of cilium/cilium#16603 when Cilium is running as a service (e.g., for development VMs and for Runtime tests). Signed-off-by: Paul Chaignon <paul@cilium.io>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This pull requests updates the iptables rules installed by Cilium to skip masquerading for traffic destined to cluster nodes. As a summary of commits:
ipsetbinary to the Cilium agent image.ipsetbinary packer-ci-build#278 is merged.Fixes: #15403.