ipsec: Generate from-stack trace for ipsec packets #18608
When ipsec encrypted packets come to the from-host program (bpf_host), in the native routing mode they are handled by do_netdev_encrypt and then redirected to the network-facing device when fib_lookup is available. Otherwise, the packet is sent to the stack for routing. There are three possible packet paths.

1. fib_lookup available + to-netdev program attached to the dest device
   In this case, the to-netdev program may drop the packet with the host firewall. So, we shouldn't generate a TRACE_TO_NETWORK trace before seeing the verdict. Thus, the trace should be generated from the to-netdev program.
2. fib_lookup available + to-netdev program is not attached
   In this case, the packet will go to the network without involving a BPF program. Thus, we should generate the trace in the context of the from-host program.
3. Packet goes to stack and route
   Unlike the above two, the packet goes to the stack. In this case, TRACE_TO_STACK should be generated. However, we don't have to generate the trace from the from-host program, because if we do CTX_ACT_OK from the from-host program, the packet passes through the veth and is hooked into the to-host program immediately. In the to-host program, there is a TRACE_TO_STACK.

Trace on source node before fix
```
<- endpoint ... EchoRequest
-> stack ... EchoRequest
<- host encrypted ...
```

Trace on the source node after fix
```
<- endpoint ... EchoRequest
-> stack ... EchoRequest
<- host encrypted ...
-> network encryped ...
```

Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com>
Oops, sorry I found the change in this PR causes the packet looping in tunnel mode. Let me put this PR back to draft.
Current inherit_identity_from_host cannot inherit the identity from encrypted packets (packets with MARK_MAGIC_ENCRYPT coming from the host stack). Extend it to handle them. Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com>

Currently, the return value of inherit_identity_from_host indicates whether the packet is coming from the proxy or not. However, in some cases, we want to know whether the packet was encrypted or not (and it is impossible to know after the call, since inherit_identity_from_host wipes the mark). To cover both cases, we can just extend it to return the magic value extracted from the mark. Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com>

Currently, when packets are passed from from-container (bpf_lxc) to the host stack, src_id is not encoded into the mark. It is inconvenient for the rest of the datapath, especially when we generate the trace. Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com>
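An added user-space model (not Cilium's code) of the mark handling the commits above describe, and of why the later commit has to hand the inherited identity to do_netdev_encrypt explicitly: the magic nibble selects how the identity is recovered, the function returns that magic instead of a proxy yes/no, and the mark is wiped afterwards. Constant names and the mark layout follow bpf/lib/common.h as I understand it (an assumption); the function bodies are simplified, not the project's BPF programs.

```c
/* Added example, not Cilium's code: user-space model of skb->mark handling.
 * Constant names/layout follow bpf/lib/common.h as I understand it
 * (assumption); bodies are simplified, not the project's BPF programs. */
#include <stdint.h>

#define MARK_MAGIC_HOST_MASK 0x0F00  /* magic nibble: who set the mark */
#define MARK_MAGIC_HOST      0x0C00
#define MARK_MAGIC_ENCRYPT   0x0E00  /* set on the xfrm path for encrypted pkts */
#define MARK_MAGIC_IDENTITY  0x0F00
#define HOST_ID  1
#define WORLD_ID 2

struct ctx { uint32_t mark; };

/* src_id (24 bits) is split across the upper 16 bits and the low byte, so it
 * never collides with the magic nibble in bits 8..11. */
static void set_identity_mark(struct ctx *ctx, uint32_t magic, uint32_t identity)
{
    ctx->mark = magic | ((identity & 0x0000FFFFu) << 16)
                      | ((identity & 0x00FF0000u) >> 16);
}

static uint32_t get_identity(const struct ctx *ctx)
{
    return ((ctx->mark & 0xFFu) << 16) | (ctx->mark >> 16);
}

/* Model of the extended inherit_identity_from_host: returns the magic that
 * matched (0 if none) so the caller can tell an encrypted packet apart,
 * stores the identity, and wipes the mark (hence callers must pass it on). */
static uint32_t inherit_identity_from_host(struct ctx *ctx, uint32_t *identity)
{
    uint32_t magic = ctx->mark & MARK_MAGIC_HOST_MASK;

    switch (magic) {
    case MARK_MAGIC_IDENTITY:
    case MARK_MAGIC_ENCRYPT:   /* newly handled: identity travels in the mark */
        *identity = get_identity(ctx);
        break;
    case MARK_MAGIC_HOST:
        *identity = HOST_ID;
        break;
    default:
        *identity = WORLD_ID;
        magic = 0;
        break;
    }
    ctx->mark = 0;  /* consumed here; ctx->mark is unusable after this call */
    return magic;
}
```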
The changes look good to me!
> Fix the bug that ipsec packets bypass the <- stack trace in bpf_host (from-host)

Watch out for references to internals of Cilium in release notes. Users probably won't know what bpf_host and from-host refer to.
When ipsec packets come from the host (xfrm) stack to the from-host program (bpf_host), they bypass the send_trace_notify (<- stack). As a result, we only see the trace for the inner packet (ICMPRequest/Reply with <- endpoint and -> stack). Fix the bpf_host program not to bypass the trace. Note that since we moved do_netdev_encrypt after inherit_identity_from_host, we cannot extract the identity from ctx->mark anymore, because inherit_identity_from_host wipes the mark. That's why we need to pass the inherited identity to do_netdev_encrypt. Otherwise, in tunneling mode, get_identity doesn't work correctly.

Trace on source node before fix
```
<- endpoint ... EchoRequest
-> stack ... EchoRequest
```

Trace on the source node after fix
```
<- endpoint ... EchoRequest
-> stack ... EchoRequest
<- stack encrypted ...
```

Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com>
Fixed too long line warning from
looks ok to me, but please double-check the use of ctx->mark.
When ipsec packets come from the host (xfrm) stack to the from-host program (bpf_host), they bypass the send_trace_notify (<- stack). As a result, we only see the trace for the inner packet (ICMPRequest/Reply with <- endpoint and -> stack). Fix the bpf_host program not to bypass the trace.
Trace on source node before fix
Trace on the source node after fix
This PR also contains some minor fixes needed to achieve the main goal. Please see the commit messages for more details.
Related #14625