Better error reporting/catching in agent on nativeRoutingCIDR

Documentation/concepts/networking/masquerading.rst

@@ -30,7 +30,7 @@ Configuration
 Setting the routable CIDR
   The default behavior is to exclude any destination within the IP allocation
   CIDR of the local node. If the pod IPs are routable across a wider network,
-  that network can be specified with the option: ``native-routing-cidr:
+  that network can be specified with the option: ``ipv4-native-routing-cidr:
   10.0.0.0/8`` in which case all destinations within that CIDR will **not** be
   masqueraded.
 
@@ -75,10 +75,11 @@ The eBPF-based masquerading can masquerade packets of the following IPv4 L4 prot
 - ICMP (only Echo request and Echo reply)
 
 By default, any packet from a pod destined to an IP address outside of the
-``native-routing-cidr`` range is masqueraded. The exclusion CIDR is shown in the above
-output of ``cilium status`` (``10.0.0.0.16``).  To allow more fine-grained control,
-Cilium implements `ip-masq-agent <https://github.com/kubernetes-sigs/ip-masq-agent>`_
-in eBPF which can be enabled with the ``ipMasqAgent.enabled=true`` helm option.
+``ipv4-native-routing-cidr`` range is masqueraded. The exclusion CIDR is shown
+in the above output of ``cilium status`` (``10.0.0.0.16``).  To allow more
+fine-grained control, Cilium implements `ip-masq-agent
+<https://github.com/kubernetes-sigs/ip-masq-agent>`_ in eBPF which can be
+enabled with the ``ipMasqAgent.enabled=true`` helm option.
 
 The eBPF-based ip-masq-agent supports the ``nonMasqueradeCIDRs`` and
 ``masqLinkLocal`` options set in a configuration file. A packet sent from a pod to

Documentation/concepts/networking/routing.rst

@@ -131,7 +131,7 @@ The following configuration options must be set to run the datapath in native
 routing mode:
 
 * ``tunnel: disabled``: Enable native routing mode.
-* ``native-routing-cidr: x.x.x.x/y``: Set the CIDR in which native routing
+* ``ipv4-native-routing-cidr: x.x.x.x/y``: Set the CIDR in which native routing
   can be performed.
 
 
@@ -270,8 +270,8 @@ Addressing
    distribution.
 
 Masquerading
-   All traffic not staying with the ``native-routing-cidr`` (defaults to the
-   Cluster CIDR) will be masqueraded to the node's IP address to become
+   All traffic not staying with the ``ipv4-native-routing-cidr`` (defaults to
+   the Cluster CIDR) will be masqueraded to the node's IP address to become
    publicly routable.
 
 Load-balancing
@@ -296,7 +296,7 @@ The following configuration options must be set to run the datapath on GKE:
   * ``enable-endpoint-routes: true``: Enable per-endpoint routing on the node
   * ``enable-local-node-route: false``: Disable installation of the local node route
 
-* ``native-routing-cidr: x.x.x.x/y``: Set the CIDR in which native routing
+* ``ipv4-native-routing-cidr: x.x.x.x/y``: Set the CIDR in which native routing
   is supported.
 
 See the getting started guide :ref:`k8s_install_quick` to install Cilium on

Documentation/gettingstarted/encryption-ipsec.rst

@@ -95,7 +95,7 @@ Enable Encryption in Cilium
 
    When using Cilium in any direct routing configuration, ensure that the
    native routing CIDR is set properly. This is done using
-   ``--native-routing-cidr=CIDR`` with the CLI or ``--set
+   ``--ipv4-native-routing-cidr=CIDR`` with the CLI or ``--set
    nativeRoutingCIDR=CIDR`` with Helm.
 
 At this point the Cilium managed nodes will be using IPsec for all traffic. For further

Documentation/operations/upgrade.rst

@@ -323,6 +323,12 @@ Removed Options
 * ``hubble-flow-buffer-size``: This option was deprecated in 1.10 in favor
   of ``hubble-event-buffer-capacity``. It is now removed.
 
+Deprecated Options
+~~~~~~~~~~~~~~~~~~
+
+* ``native-routing-cidr``: This option has been deprecated in favor of
+  ``ipv4-native-routing-cidr`` and will be removed in 1.12.
+
 .. _1.10_upgrade_notes:
 
 1.10 Upgrade Notes
@@ -997,15 +1003,15 @@ IMPORTANT: Changes required before upgrading to 1.8.0
   Running the default configuration (``--tunnel=vxlan`` or ``--tunnel=geneve``)
     No action required. The behavior remains the same as before. All traffic
     leaving the node that is not encapsulated is automatically masqueraded. You
-    may use ``--native-routing-cidr`` to further restrict traffic subject to
-    masquerading.
+    may use ``--ipv4-native-routing-cidr`` to further restrict traffic subject
+    to masquerading.
 
-  Already using ``--native-routing-cidr`` and/or ``--egress-masquerade-interfaces``
-    No action required. Use of ``--native-routing-cidr`` is the preferred way of
-    configuring masquerading.
+  Already using ``--ipv4-native-routing-cidr`` and/or ``--egress-masquerade-interfaces``
+    No action required. Use of ``--ipv4-native-routing-cidr`` is the preferred
+    way of configuring masquerading.
 
   Running in AWS ENI mode (``--ipam=eni``)
-    No action required. The value for ``--native-routing-cidr`` is
+    No action required. The value for ``--ipv4-native-routing-cidr`` is
     automatically derived from the AWS API and set to the CIDR of the VPC. You
     may overwrite the value if needed.
 
@@ -1016,9 +1022,9 @@ IMPORTANT: Changes required before upgrading to 1.8.0
     The behavior has changed: Previously, the destination address range
     excluded from masquerading was defined by the options ``--ipv4-range`` and
     ``--ipv4-cluster-cidr-mask-size``. When unspecified, this was set to the
-    value ``10.0.0.0/8``. You **must** set the ``--native-routing-cidr`` option
-    and set it to the CIDR for which masquerading should be omitted. This is
-    typically the PodCIDR range of the cluster but can also be set to the IP
+    value ``10.0.0.0/8``. You **must** set the ``--ipv4-native-routing-cidr``
+    option and set it to the CIDR for which masquerading should be omitted. This
+    is typically the PodCIDR range of the cluster but can also be set to the IP
     range of the network the node is running on to avoid masquerading for
     directly reachable destinations outside of the cluster.
 

bpf/lib/nodeport.h

@@ -1156,7 +1156,7 @@ static __always_inline bool snat_v4_needed(struct __ctx_buff *ctx, __be32 *addr,
 # endif
 #ifdef IPV4_SNAT_EXCLUSION_DST_CIDR
 	/* Do not MASQ if a dst IP belongs to a pods CIDR
-	 * (native-routing-cidr if specified, otherwise local pod CIDR).
+	 * (ipv4-native-routing-cidr if specified, otherwise local pod CIDR).
 	 * The check is performed before we determine that a packet is
 	 * sent from a local pod, as this check is cheaper than
 	 * the map lookup done in the latter check.

daemon/cmd/daemon_main.go

@@ -624,7 +624,13 @@ func init() {
 	flags.Bool(option.EnableHostFirewall, false, "Enable host network policies (beta when using kube-proxy)")
 	option.BindEnv(option.EnableHostFirewall)
 
-	flags.String(option.IPv4NativeRoutingCIDR, "", "Allows to explicitly specify the CIDR for native routing. This value corresponds to the configured cluster-cidr.")
+	flags.String(option.NativeRoutingCIDR, "",
+		fmt.Sprintf("Allows to explicitly specify the IPv4 CIDR for native routing. This value corresponds to the configured cluster-cidr. Deprecated in favor of --%s", option.IPv4NativeRoutingCIDR))
+	option.BindEnv(option.NativeRoutingCIDR)
+	flags.MarkHidden(option.NativeRoutingCIDR)
+	flags.MarkDeprecated(option.NativeRoutingCIDR, "This option will be removed in v1.12")
+
+	flags.String(option.IPv4NativeRoutingCIDR, "", "Allows to explicitly specify the IPv4 CIDR for native routing. This value corresponds to the configured cluster-cidr.")
 	option.BindEnv(option.IPv4NativeRoutingCIDR)
 
 	flags.String(option.LibDir, defaults.LibraryPath, "Directory path to store runtime build environment")

install/kubernetes/cilium/README.md

@@ -257,7 +257,7 @@ contributors across the globe, there is almost always someone available to help.
 | localRedirectPolicy | bool | `false` | Enable Local Redirect Policy. |
 | logSystemLoad | bool | `false` | Enables periodic logging of system load |
 | maglev | object | `{}` | Configure maglev consistent hashing |
-| monitor | object | `{"enabled":false}` | Specify the CIDR for native routing (ie to avoid IP masquerade for). This value corresponds to the configured cluster-cidr. nativeRoutingCIDR: |
+| monitor | object | `{"enabled":false}` | Specify the IPv4 CIDR for native routing (ie to avoid IP masquerade for). This value corresponds to the configured cluster-cidr. ipv4NativeRoutingCIDR: |
 | monitor.enabled | bool | `false` | Enable the cilium-monitor sidecar. |
 | name | string | `"cilium"` | Agent container name. |
 | nodePort | object | `{"autoProtectPortRange":true,"bindProtection":true,"enableHealthCheck":true,"enabled":false}` | Configure N-S k8s service loadbalancing |

install/kubernetes/cilium/templates/cilium-configmap.yaml

@@ -481,7 +481,9 @@ data:
 {{- end }}
 
 {{- if hasKey .Values "nativeRoutingCIDR" }}
-  native-routing-cidr: {{ .Values.nativeRoutingCIDR }}
+  ipv4-native-routing-cidr: {{ .Values.nativeRoutingCIDR }}
+{{- else if hasKey .Values "ipv4NativeRoutingCIDR" }}
+  ipv4-native-routing-cidr: {{ .Values.ipv4NativeRoutingCIDR }}
 {{- end }}
 
 {{- if hasKey .Values "fragmentTracking" }}

install/kubernetes/cilium/values.yaml

@@ -949,10 +949,15 @@ enableIPv6Masquerade: true
 egressGateway:
   enabled: false
 
-# -- Specify the CIDR for native routing (ie to avoid IP masquerade for).
+# -- Specify the IPv4 CIDR for native routing (ie to avoid IP masquerade for).
 # This value corresponds to the configured cluster-cidr.
+# Deprecated in favor of ipv4NativeRoutingCIDR, will be removed in 1.12.
 # nativeRoutingCIDR:
 
+# -- Specify the IPv4 CIDR for native routing (ie to avoid IP masquerade for).
+# This value corresponds to the configured cluster-cidr.
+# ipv4NativeRoutingCIDR:
+
 monitor:
   # -- Enable the cilium-monitor sidecar.
   enabled: false

pkg/datapath/config.go

@@ -132,7 +132,7 @@ type ConfigWriter interface {
 // should not be SNAT'd.
 func RemoteSNATDstAddrExclusionCIDRv4() *cidr.CIDR {
 	if c := option.Config.IPv4NativeRoutingCIDR(); c != nil {
-		// native-routing-cidr is set, so use it
+		// ipv4-native-routing-cidr is set, so use it
 		return c
 	}
 

pkg/option/config.go

@@ -770,8 +770,11 @@ const (
 	// CiliumNode resource for the local node
 	AutoCreateCiliumNodeResource = "auto-create-cilium-node-resource"
 
-	// IPv4NativeRoutingCIDR describes a CIDR in which pod IPs are routable
-	IPv4NativeRoutingCIDR = "native-routing-cidr"
+	// NativeRoutingCIDR describes a v4 CIDR in which pod IPs are routable
+	NativeRoutingCIDR = "native-routing-cidr"
+
+	// IPv4NativeRoutingCIDR describes a v4 CIDR in which pod IPs are routable
+	IPv4NativeRoutingCIDR = "ipv4-native-routing-cidr"
 
 	// EgressMasqueradeInterfaces is the selector used to select interfaces
 	// subject to egress masquerading
@@ -2511,8 +2514,25 @@ func (c *DaemonConfig) Populate() {
 	c.populateDevices()
 	c.EgressMultiHomeIPRuleCompat = viper.GetBool(EgressMultiHomeIPRuleCompat)
 
-	if nativeCIDR := viper.GetString(IPv4NativeRoutingCIDR); nativeCIDR != "" {
-		c.ipv4NativeRoutingCIDR = cidr.MustParseCIDR(nativeCIDR)
+	nativeRoutingCIDR := viper.GetString(NativeRoutingCIDR)
+	ipv4NativeRoutingCIDR := viper.GetString(IPv4NativeRoutingCIDR)
+
+	if nativeRoutingCIDR != "" && ipv4NativeRoutingCIDR != "" {
+		log.Fatalf("Cannot specify both %s and %s", NativeRoutingCIDR, IPv4NativeRoutingCIDR)
+	}
+
+	if nativeRoutingCIDR != "" {
+		c.ipv4NativeRoutingCIDR = cidr.MustParseCIDR(nativeRoutingCIDR)
+
+		if len(c.ipv4NativeRoutingCIDR.IP) != net.IPv4len {
+			log.Fatalf("%s must be an IPv4 CIDR", NativeRoutingCIDR)
+		}
+	} else if ipv4NativeRoutingCIDR != "" {
+		c.ipv4NativeRoutingCIDR = cidr.MustParseCIDR(ipv4NativeRoutingCIDR)
+
+		if len(c.ipv4NativeRoutingCIDR.IP) != net.IPv4len {
+			log.Fatalf("%s must be an IPv4 CIDR", IPv4NativeRoutingCIDR)
+		}
 	}
 
 	if err := c.calculateBPFMapSizes(); err != nil {