Allow install-no-conntrack-iptables-rules when masquerading is disabled #18482

Merged
merged 2 commits into from
Jan 19, 2022

pchaigno
Member

The first commit introduces a helper function used by the second commit. The second commit allows install-no-conntrack-iptables-rules to be used if (1) BPF masquerading is used or if (2) all masquerading is disabled. Until now, it was only allowed for the first condition.

Allow using install-no-conntrack-iptables-rules when all masquerading is disabled.

@pchaigno pchaigno added release-note/minor This PR changes functionality that users may find relevant to operating Cilium. needs-backport/1.11 labels Jan 14, 2022
@pchaigno pchaigno requested review from jibi and a team January 14, 2022 10:04
@pchaigno pchaigno requested a review from a team as a code owner January 14, 2022 10:04
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from master in 1.11.1 Jan 14, 2022
@pchaigno pchaigno force-pushed the allow-noct-with-no-masquerading branch from 500672e to 3d454f1 Compare January 14, 2022 10:11
Member

@jibi jibi left a comment

Looks good, thanks!
Could you also update the tuning guide please? At the moment it still mentions eBPF masquerading is required to enable install-no-conntrack-iptables-rules:

**Requirements:**
* Kernel >= 4.19.57, >= 5.1.16, >= 5.2
* Direct-routing configuration
* eBPF-based kube-proxy replacement
* eBPF masquerading

MasqueradingEnabled returns true whenever IPv4 or IPv6 masquerading is
enabled.

Signed-off-by: Paul Chaignon <paul@cilium.io>

Until now the agent would fatal if install-no-conntrack-iptables-rules
was passed when BPF masquerading is disabled, regardless of whether any
masquerading is even enabled. What we want to avoid is for
iptables-based masquerading to be used at the same time as
install-no-conntrack-iptables-rules. Using
install-no-conntrack-iptables-rules when no masquerading is enabled
should be fine.

Signed-off-by: Paul Chaignon <paul@cilium.io>
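
The condition described in the commit message above, modeled as an added Go example that is not code from this PR or from Cilium. The `Config` type, its field names, the error value and both `Validate` functions are assumptions made for illustration; only `MasqueradingEnabled` takes its name and meaning from the first commit message.

```go
package main

import (
	"errors"
	"fmt"
)

// Config is a hypothetical stand-in for the agent options involved here.
type Config struct {
	EnableIPv4Masquerade bool
	EnableIPv6Masquerade bool
	EnableBPFMasquerade  bool
	InstallNoConntrack   bool // install-no-conntrack-iptables-rules
}

// MasqueradingEnabled is true whenever IPv4 or IPv6 masquerading is enabled.
func (c Config) MasqueradingEnabled() bool {
	return c.EnableIPv4Masquerade || c.EnableIPv6Masquerade
}

var ErrIptablesMasq = errors.New("no-conntrack rules conflict with iptables-based masquerading")

// ValidateOld models the earlier check: the option requires BPF masquerading.
func ValidateOld(c Config) error {
	if c.InstallNoConntrack && !c.EnableBPFMasquerade {
		return ErrIptablesMasq
	}
	return nil
}

// ValidateNew models the relaxed check: reject only when masquerading is
// enabled and BPF does not handle it, i.e. iptables would.
func ValidateNew(c Config) error {
	if c.InstallNoConntrack && c.MasqueradingEnabled() && !c.EnableBPFMasquerade {
		return ErrIptablesMasq
	}
	return nil
}

func main() {
	// Constructed configurations, one per case the commit message discusses.
	for _, c := range []Config{
		{EnableIPv4Masquerade: true, EnableBPFMasquerade: true, InstallNoConntrack: true}, // BPF masquerading
		{EnableIPv4Masquerade: true, InstallNoConntrack: true},                            // iptables masquerading
		{InstallNoConntrack: true},                                                        // no masquerading
	} {
		fmt.Printf("%+v old=%v new=%v\n", c, ValidateOld(c), ValidateNew(c))
	}
}
```

Only the third configuration changes outcome between the two checks; iptables-based masquerading is rejected by both.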
@pchaigno
Member Author

Several tests failed with known flakes:

Reviews are in, except for the CLI team, but I'm not sure why that team was requested in the first place (I didn't modify any of our CLIs). Marking ready to merge.

@pchaigno pchaigno added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jan 18, 2022
@joestringer joestringer added this to Needs backport from master in 1.11.2 Jan 18, 2022
@joestringer joestringer removed this from Needs backport from master in 1.11.1 Jan 18, 2022
@aditighag aditighag merged commit 65d1eee into cilium:master Jan 19, 2022
@pchaigno pchaigno deleted the allow-noct-with-no-masquerading branch January 19, 2022 08:28
@kkourt kkourt added backport-done/1.11 The backport for Cilium 1.11.x for this PR is done. and removed backport-pending/1.11 labels Jan 25, 2022
@joestringer joestringer moved this from Needs backport from master to Backport done to v1.11 in 1.11.2 Feb 23, 2022