Adds an ACCEPT rule for untracked pkts in filter:CILIUM_OUTPUT #17585
Conversation
Thanks for tracking this down. Any idea why we need these additional rules only for packets originating from hostns pods destined to node-local dns pod? Traffic from regular pods destined to port 53 should also hit the NO-TRACK rules, no? I was under the impression that only when endpoint routes are disabled, intra-node pod-pod traffic will be redirected by BPF code to the destination device, in which case we wouldn't hit the issue you described. OTOH, when endpoints are enabled (default on GKE) traffic is handed over to the network stack for routing.
Exactly. For non-hostns pods, pkt never hits
Why does it get dropped if conntrack is skipped? Is there a specific rule that drops it? The change is trivial but the explanation is a bit hard to follow right now. Any chance you could illustrate with iptables rules?
The detailed analysis is in here: #16694 (comment) :) There I listed the iptable rules and why the pkt was dropped.
I'm confused by this. The reason NO_TRACK rule was added for traffic going to node-local dns pods is because we wanted to skip tracking DNS traffic, no?
Am I missing something?
There are 3 separate sets of NOTRACK rules:
Issue here is that for the first 2 rules, we added
Friendly ping :)
Thanks for the context.
I was confused by your earlier statement. From my reading of the code, traffic from regular pods does hit the NOTRACK rule, but we've also added an ACCEPT rule to allow such traffic. If that's the case, the fix looks good to me.
Yes, sorry I wasn't being clear in my initial comment, when I said "it never hits the NOTRACK rule" I really meant pkts from regular pods do NOT hit the rule in the
Friendly ping @pchaigno :)
I might be missing something obvious, but what's the relation between skipping conntrack and not matching any rule in
Why wasn't the ACCEPT rule added before? Was it simply an oversight?
Yes, if you look at the
rule 3 only allows for traffic that is conntracked, and rule 4 only allows for traffic to go through
When we added the rules, we followed the OSS node-local-dns implementation, where they do not require such rule because same traffic flow would hit
Aah 🤦 Not sure how I missed that rule; that's exactly what I was looking for.
Ah, makes sense 👍
/test
Job 'Cilium-PR-K8s-GKE' failed and has not been observed before, so may be related to your PR:
If it is a flake, comment
This change should not affect any of the failed tests, they are most likely flakes.
Can we ensure we have issues tracking those flakes?
Currently, when `no-track-port` is specified for a pod (the only use case for now is nodelocaldns), we insert several iptable rules to skip conntrack for packets to and from the pod to achieve parity with OSS node-local-dns.

However, we need to add a specific accept rule in the CILIUM_OUTPUT chain to accept such packets. Otherwise, a dns query pkt originating from the hostns will skip conntrack and get dropped in the filter OUTPUT chain. This rule is however NOT needed for standard OSS node-local-dns because it relies on the loopback rule installed by the OS to allowlist this traffic pattern. With Cilium, we DNAT such packets in a way that their dst is the pod IP of the local node-cache pod, so they will NOT hit the loopback dev, hence we need to punch a specific hole to allowlist them.

Fixes: #16694
Signed-off-by: Weilong Cui <cuiwl@google.com>
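As an added illustration (not code from the Cilium PR or project), the following Python models the netfilter traversal the description above lays out: a raw:OUTPUT NOTRACK rule, then a constructed, simplified CILIUM_OUTPUT chain whose third rule is a stand-in for whatever drops the unmatched packet. The pod IP, the link-local node-local-dns IP and the device names are assumptions; it shows the untracked hostns query dropped without the new ACCEPT rule, accepted with it, and the OSS loopback path for comparison.

```python
# Added example, not Cilium code: a tiny model of the netfilter traversal the
# PR description lays out. Addresses and the CILIUM_OUTPUT rules are constructed.
from dataclasses import dataclass

NODE_CACHE_POD_IP = "10.0.0.53"       # constructed: local node-cache pod IP (Cilium case)
NODE_LOCAL_DNS_IP = "169.254.20.10"   # constructed: OSS node-local-dns link-local IP (via lo)

@dataclass
class Packet:
    dst: str
    dport: int
    out_dev: str
    proto: str = "udp"
    ctstate: str = "NEW"   # conntrack state as seen by the filter table

def raw_output(pkt: Packet) -> Packet:
    """raw:OUTPUT NOTRACK rule for DNS traffic to the no-track-port pod."""
    if pkt.proto == "udp" and pkt.dport == 53 and pkt.dst in (NODE_CACHE_POD_IP, NODE_LOCAL_DNS_IP):
        pkt.ctstate = "UNTRACKED"
    return pkt

# filter:CILIUM_OUTPUT as (rule text, match, verdict), evaluated in order.
BASE_RULES = [
    ("-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
     lambda p: p.ctstate in ("RELATED", "ESTABLISHED"), "ACCEPT"),
    ("-o lo -j ACCEPT",          # loopback rule that OSS node-local-dns relies on
     lambda p: p.out_dev == "lo", "ACCEPT"),
    ("-j DROP",                  # constructed stand-in for the rule that drops the rest
     lambda p: True, "DROP"),
]
# The rule this PR adds, placed ahead of the drop: accept untracked DNS to the pod.
FIX_RULE = (f"-m conntrack --ctstate UNTRACKED -p udp --dport 53 -d {NODE_CACHE_POD_IP} -j ACCEPT",
            lambda p: p.ctstate == "UNTRACKED" and p.proto == "udp"
            and p.dport == 53 and p.dst == NODE_CACHE_POD_IP, "ACCEPT")

def verdict(pkt: Packet, with_fix: bool) -> str:
    rules = BASE_RULES[:2] + ([FIX_RULE] if with_fix else []) + BASE_RULES[2:]
    pkt = raw_output(pkt)
    return next(v for _, match, v in rules if match(pkt))

def hostns_query_cilium() -> Packet:
    # dst already rewritten to the pod IP, egressing toward the pod device, not lo
    return Packet(dst=NODE_CACHE_POD_IP, dport=53, out_dev="lxc_nodecache")

def hostns_query_oss() -> Packet:
    return Packet(dst=NODE_LOCAL_DNS_IP, dport=53, out_dev="lo")

if __name__ == "__main__":
    print("cilium, no fix:", verdict(hostns_query_cilium(), with_fix=False))  # DROP
    print("cilium, fixed :", verdict(hostns_query_cilium(), with_fix=True))   # ACCEPT
    print("oss via lo    :", verdict(hostns_query_oss(), with_fix=False))     # ACCEPT
```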
/test