datapath: Don't enforce ingress policies at overlay if endpoint routes are enabled

[pchaigno]

This fixes bug #14657. See commits for details.

There's probably no point in backporting because to fully fix this issue we would also need to backport #22190.

Fixes: #13346.
Fixes: #14657.

Fix bug that caused ingress policies to be enforced twice when running with tunneling and endpoint routes.

[julianwiedmann]

Does this change the situation as described below?

cilium/bpf/bpf_lxc.c

Lines 1859 to 1876 in b9f7292

	#if !defined(ENABLE_ROUTING) && defined(TUNNEL_MODE) && !defined(ENABLE_NODEPORT)
	/* In tunneling mode, we execute this code to send the packet from
	* cilium_vxlan to lxc*. If we're using kube-proxy, we don't want to use
	* redirect() because that would bypass conntrack and the reverse DNAT.
	* Thus, we send packets to the stack, but since they have the wrong
	* Ethernet addresses, we need to mark them as PACKET_HOST or the kernel
	* will drop them.
	* See #14646 for details.
	*/
	ctx_change_type(ctx, PACKET_HOST);
	#else
	ifindex = ctx_load_meta(ctx, CB_IFINDEX);
	if (ifindex)
	return redirect_ep(ctx, ifindex, from_host);
	#endif /* !ENABLE_ROUTING && TUNNEL_MODE && !ENABLE_NODEPORT */
	return CTX_ACT_OK;
	}

Thinking if we can move some of that logic into

cilium/bpf/lib/common.h

Lines 1010 to 1030 in b9f7292

	static __always_inline int redirect_ep(struct __ctx_buff *ctx __maybe_unused,
	int ifindex __maybe_unused,
	bool needs_backlog __maybe_unused)
	{
	/* Going via CPU backlog queue (aka needs_backlog) is required
	* whenever we cannot do a fast ingress -> ingress switch but
	* instead need an ingress -> egress netns traversal or vice
	* versa.
	*/
	if (needs_backlog || !is_defined(ENABLE_HOST_ROUTING)) {
	return ctx_redirect(ctx, ifindex, 0);
	} else {
	# ifdef HAVE_ENCAP
	/* When coming from overlay, we need to set packet type
	* to HOST as otherwise we might get dropped in IP layer.
	*/
	ctx_change_type(ctx, PACKET_HOST);
	# endif /* HAVE_ENCAP */
	return ctx_redirect_peer(ctx, ifindex, 0);
	}
	}

now (and also do a s/HAVE_ENCAP/IS_BPF_OVERLAY ?).

[pchaigno]

Does this change the situation as described below?

I don't think it does. We still want to avoid bypassing the stack in case of kube-proxy and we still need to mark the packet as PACKET_HOST.

[julianwiedmann]

Does this change the situation as described below?

I don't think it does. We still want to avoid bypassing the stack in case of kube-proxy and we still need to mark the packet as PACKET_HOST.

If I understand the code/comment correctly, it's built for the case where from-overlay would tail-call into ipv4_policy() (with per-EP-routes enabled). And so we could return CTX_ACT_OK, and pass the packet to the host stack. With your fixes (and in default config) that's no longer the case, we redirect from from-overlay to the endpoint and run ipv4_policy() in the attached BPF program.

So I think we could skip that ctx_change_type(ctx, PACKET_HOST) in a few more scenarios. Or at least update the comment, to reflect that we typically don't hand over to the host stack afterwards.

[pchaigno]

If I understand the code/comment correctly, it's built for the case where from-overlay would tail-call into ipv4_policy() (with per-EP-routes enabled).

No, it's orthogonal to the tail-call. It's for the case where we would use a bpf_redirect to jump directly to the destination, regardless of whether we enforced policies are the source or the destination. This pull request doesn't change whether or not we do a bpf_redirect; it only changes whether or not we enforce ingress policies at the source for the overlay->pod path.

[nbusseneau]

Auto-acking for ci-structure, trivial changes.

[aditighag]

I haven't checked out the PR, and tested yet. But IIRC, service rev translation happens in the overlay program, so with this fix, won't we end up enforcing an ingress policy on the translated address? Did you manually test this fix for pod -> svc ip (selected backend on remote node) + policy case with the tunneling and ep routes combination? (I see that tests have passed, but I'm not sure about the test coverage for this case.)

[pchaigno]

But IIRC, service rev translation happens in the overlay program, so with this fix, won't we end up enforcing an ingress policy on the translated address?

No. The reverse translation happens before the local delivery. See handle_ipv4 in bpf_overlay.c.

[aditighag]

But IIRC, service rev translation happens in the overlay program, so with this fix, won't we end up enforcing an ingress policy on the translated address?

No. The reverse translation happens before the local delivery. See handle_ipv4 in bpf_overlay.c.

👍 You are right. Any chance we can combine this with the per endpoint check - https://github.com/cilium/cilium/blob/master/pkg/datapath/linux/config/config.go#L862-L862? This is needed in general whenever endpoint routes are enabled, no?

[pchaigno]

Any chance we can combine this with the per endpoint check - https://github.com/cilium/cilium/blob/master/pkg/datapath/linux/config/config.go#L862-L862? This is needed in general whenever endpoint routes are enabled, no?

I'm not sure I'm following what you're proposing here 😕

[aditighag]

Any chance we can combine this with the per endpoint check - https://github.com/cilium/cilium/blob/master/pkg/datapath/linux/config/config.go#L862-L862? This is needed in general whenever endpoint routes are enabled, no?

I'm not sure I'm following what you're proposing here 😕

Can we consolidate the per endpoint and netdev template configs at a single place -

if e.RequireEgressProg() {
		fmt.Fprintf(fw, "#define USE_BPF_PROG_FOR_INGRESS_POLICY 1\n")
}

You already mentioned that endpoint routes config is either enabled or disabled for all endpoints -

Note that we do not support the case where some endpoint have endpoint routes enabled and others don't. If we did, additional logic would be required.

[julianwiedmann]

If I understand the code/comment correctly, it's built for the case where from-overlay would tail-call into ipv4_policy() (with per-EP-routes enabled).

No, it's orthogonal to the tail-call. It's for the case where we would use a bpf_redirect to jump directly to the destination, regardless of whether we enforced policies are the source or the destination. This pull request doesn't change whether or not we do a bpf_redirect; it only changes whether or not we enforce ingress policies at the source for the overlay->pod path.

Just to summarize our offline conversation:

• Currently from-overlay tail-calls into bpf_lxc's policy code, which can then decide whether it passes the packet to the stack (return CTX_ACT_OK), or bpf_redirect() to the pod's interface.
• with this PR from-overlay redirects to the pod's interface, and the egress prog runs the same policy code. If the egress prog now returns CTX_ACT_OK, the packet will not go the stack.

[maintainer-s-little-helper]

Job 'Cilium-PR-K8s-1.26-kernel-net-next' failed:

Click to show.

Test Name

K8sDatapathConfig AutoDirectNodeRoutes Check direct connectivity with per endpoint routes

Failure Output

FAIL: Found 1 k8s-app=cilium logs matching list of errors that must be investigated:

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.26-kernel-net-next so I can create one.

[pchaigno]

ConformanceAKS failed with known flake #22162. k8s-1.26-kernel-net-next failed with known flake #22601.