Skip iptables masquerading for packets destined to remote nodes #16603
@pchaigno have a chance to rebase?
We will need the ipset binary in subsequent commits to implement an ipset containing all node IPs (we need to skip packets destined to such IPs when doing iptables masquerading). Signed-off-by: Paul Chaignon <paul@cilium.io>
Signed-off-by: Paul Chaignon <paul@cilium.io>
When using BPF masquerading, we don't masquerade traffic destined to cluster nodes in native routing mode. We detect those destinations using the security identity. When using iptables masquerading, we cannot implement the exact same because we can't match on security identities. Instead, we need to maintain an ipset of IP addresses belonging to cluster nodes and skip the iptables masquerading rules when a packet is destined to an IP in the ipset. Signed-off-by: Paul Chaignon <paul@cilium.io>
We are now using ipsets when iptables masquerading is enabled, to skip masquerading for traffic to remote nodes. We should therefore collect ipsets in the bugtool reports, to enable debugging. Signed-off-by: Paul Chaignon <paul@cilium.io>
This temporary fix is needed until [1] is merged. 1 - cilium/packer-ci-build#278 Signed-off-by: Paul Chaignon <paul@cilium.io>
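How the ipset-based skip described in the commits above fits together, as an added Go example that is not part of this PR or of Cilium's own code. The set name cilium_node_set_v4, the chain CILIUM_POST_nat, the egress interface, the pod CIDR and the node IPs are all assumptions made for the example; Cilium's actual rule layout may differ. The program generates the ipset and iptables commands for a constructed two-node cluster, and emulates the rule's match so the expected decisions (masquerade to the internet, no masquerade to a node) can be checked without root:

```go
package main

import (
	"fmt"
	"net"
	"os/exec"
	"strings"
)

// Assumed names for illustration; Cilium's real set and chain names may differ.
const (
	NodeSetV4 = "cilium_node_set_v4"
	NatChain  = "CILIUM_POST_nat"
)

// IPSetCommands returns the ipset invocations that (re)build the node set from
// the current list of cluster node IPs. "-exist" makes create/add idempotent,
// so the same list can be re-applied on every node update without errors.
func IPSetCommands(set string, nodeIPs []net.IP) [][]string {
	cmds := [][]string{{"ipset", "create", set, "hash:ip", "family", "inet", "-exist"}}
	for _, ip := range nodeIPs {
		if ip4 := ip.To4(); ip4 != nil { // IPv6 nodes would go in a separate "family inet6" set
			cmds = append(cmds, []string{"ipset", "add", set, ip4.String(), "-exist"})
		}
	}
	return cmds
}

// NodeDelCommand returns the ipset call that removes a node which left the
// cluster. This is the direction that must not be forgotten: a stale entry
// means traffic to whoever later reuses that IP bypasses SNAT.
func NodeDelCommand(set string, ip net.IP) []string {
	return []string{"ipset", "del", set, ip.String(), "-exist"}
}

// MasqueradeRule builds the SNAT rule: masquerade pod traffic leaving via the
// egress interface unless the destination is in the node set ("!" negates the
// set match, "dst" tells the set module to test the destination address).
func MasqueradeRule(chain, set string, podCIDR *net.IPNet, egressIface string) []string {
	return []string{"iptables", "-t", "nat", "-A", chain,
		"-s", podCIDR.String(),
		"-o", egressIface,
		"-m", "set", "!", "--match-set", set, "dst",
		"-m", "comment", "--comment", "cilium masquerade non-cluster",
		"-j", "MASQUERADE"}
}

// NodeSet is the in-memory equivalent of the kernel's hash:ip set.
func NodeSet(nodeIPs []net.IP) map[string]bool {
	m := make(map[string]bool, len(nodeIPs))
	for _, ip := range nodeIPs {
		m[ip.String()] = true
	}
	return m
}

// WouldMasquerade emulates the rule's match for one packet so the behaviour
// can be reasoned about without a kernel: only pod-sourced packets to
// non-node destinations are masqueraded.
func WouldMasquerade(podCIDR *net.IPNet, nodeSet map[string]bool, src, dst net.IP) bool {
	if !podCIDR.Contains(src) {
		return false
	}
	return !nodeSet[dst.String()]
}

// Apply runs the generated commands; it needs root and the ipset/iptables
// binaries, which is why the PR adds ipset to the agent image and CI VMs.
func Apply(cmds [][]string) error {
	for _, c := range cmds {
		if out, err := exec.Command(c[0], c[1:]...).CombinedOutput(); err != nil {
			return fmt.Errorf("%s: %v: %s", strings.Join(c, " "), err, out)
		}
	}
	return nil
}

func main() {
	// Constructed sample cluster: two nodes and one pod CIDR (not real data).
	_, podCIDR, _ := net.ParseCIDR("10.0.0.0/8")
	nodes := []net.IP{net.ParseIP("192.168.1.10"), net.ParseIP("192.168.1.11")}

	cmds := append(IPSetCommands(NodeSetV4, nodes), MasqueradeRule(NatChain, NodeSetV4, podCIDR, "eth0"))
	for _, c := range cmds {
		fmt.Println(strings.Join(c, " ")) // dry run; call Apply(cmds) as root to install
	}
	set := NodeSet(nodes)
	fmt.Println("pod->internet masqueraded:", WouldMasquerade(podCIDR, set, net.ParseIP("10.0.1.5"), net.ParseIP("1.1.1.1")))
	fmt.Println("pod->node masqueraded:", WouldMasquerade(podCIDR, set, net.ParseIP("10.0.1.5"), net.ParseIP("192.168.1.11")))
}
```

The point to keep in mind when reviewing or operating this: the iptables rule is only as correct as the set's contents, so node add and delete events both have to reach the set, and a stale node IP is the failure mode to look for. On a node, `ipset list cilium_node_set_v4` and `iptables -t nat -S CILIUM_POST_nat` (assumed names) show what is installed, which is the same information the bugtool change in this PR collects.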
/test
The checkpatch failure can be ignored (one empty commit description) and the ConformanceAKS failure is expected, the workflow has been temporarily disabled. The ConformanceAKS workflow was also passing before I rebased. All team reviews are covered except for cilium/cli. That team's review is only required because of the trivial change to the bugtool so I think it's safe to ignore. Marking ready to merge.
The ipset binary is required in the VMs because of cilium/cilium#16603 when Cilium is running as a service (e.g., for development VMs and for Runtime tests). Signed-off-by: Paul Chaignon <paul@cilium.io>
This pull request updates the iptables rules installed by Cilium to skip masquerading for traffic destined to cluster nodes. As a summary of commits:
- Add the ipset binary to the Cilium agent image.
- Temporary fix for the ipset binary until packer-ci-build#278 is merged.

Fixes: #15403.