Skip iptables masquerading for packets destined to remote nodes #16603

Merged: 5 commits, Sep 29, 2021

Commits on Sep 29, 2021

  1. images: Include ipset binary in cilium image

    We will need the ipset binary in subsequent commits to implement an
    ipset containing all node IPs (we need to skip packets destined to such
    IPs when doing iptables masquerading).
    
    Signed-off-by: Paul Chaignon <paul@cilium.io>
    pchaigno committed Sep 29, 2021
    c92ceb6
  2. update cilium-{runtime,builder}

    Signed-off-by: Paul Chaignon <paul@cilium.io>
    pchaigno committed Sep 29, 2021
    d7f30a2
  3. iptables: Don't masquerade traffic to cluster nodes

    When using BPF masquerading, we don't masquerade traffic destined to
    cluster nodes in native routing mode. We detect those destinations
    using the security identity.
    
    When using iptables masquerading, we cannot implement the exact same
    because we can't match on security identities. Instead, we need to
    maintain an ipset of IP addresses belonging to cluster nodes and skip
    the iptables masquerading rules when a packet is destined to an IP in
    the ipset.
    
    Signed-off-by: Paul Chaignon <paul@cilium.io>
    pchaigno committed Sep 29, 2021
    3f04771
  4. bugtool: Collect ipsets

    We are now using ipsets when iptables masquerading is enabled, to skip
    masquerading for traffic to remote nodes. We should therefore collect
    ipsets in the bugtool reports, to enable debugging.
    
    Signed-off-by: Paul Chaignon <paul@cilium.io>
    pchaigno committed Sep 29, 2021
    e1b0d1b
  5. vagrant: Install ipset

    This temporary fix is needed until [1] is merged.
    
    1 - cilium/packer-ci-build#278
    Signed-off-by: Paul Chaignon <paul@cilium.io>
    pchaigno committed Sep 29, 2021
    40f813c
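
The mechanism described in commit 3, as an added sketch that is not code from this pull request: it generates `ipset restore` input that rebuilds a node-IP set atomically, plus a masquerade rule that skips destinations in that set. The set name, the pod CIDR argument and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Cilium's code. SET is a hypothetical set name.
SET=example_node_set_v4

# Accept only dotted-quad IPv4 with each octet in 0-255, so nothing
# unexpected ends up in the text fed to `ipset restore`.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# Emit `ipset restore` input: fill a scratch set, then swap it in, so the
# masquerade rule never matches against a half-populated node set.
node_set_restore() {
    tmp="${SET}_tmp"
    echo "create $SET hash:ip family inet"
    echo "create $tmp hash:ip family inet"
    echo "flush $tmp"
    for ip in "$@"; do
        if is_ipv4 "$ip"; then
            echo "add $tmp $ip"
        else
            echo "skipping invalid node IP: $ip" >&2
        fi
    done
    echo "swap $tmp $SET"
    echo "destroy $tmp"
}

# Emit iptables arguments: masquerade pod traffic leaving the pod CIDR ($1,
# assumed) unless the destination is a cluster node listed in the set.
masq_rule() {
    echo "-t nat -A POSTROUTING -s $1 ! -d $1 -m set ! --match-set $SET dst -j MASQUERADE"
}

# Usage (requires root; addresses are constructed samples):
#   node_set_restore 192.0.2.10 192.0.2.11 | ipset -exist restore
#   iptables $(masq_rule 10.0.0.0/16)
```

After applying it, `ipset list` shows the set contents, which is the state commit 4 adds to bugtool reports.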