egressgw: add support for excludedCIDRs #23448
Commits on Feb 20, 2023
Commit 305337f: k8s: cegp: add excludedCIDRs field

ExcludedCIDRs can be used in a CiliumEgressGatewayPolicy to express a list of destination CIDRs which will be excluded from the redirection and SNAT logic.

Signed-off-by: Gilberto Bertin <jibi@cilium.io>
Commit cd377bb: bpf: egressgw: handle excluded CIDRs case

Handle the case where an egress policy has a gateway IP set to 0: any packet matching such policy should not go through egress gateway redirection/SNAT.

Signed-off-by: Gilberto Bertin <jibi@cilium.io>
Commit 64d55a5: ip: export PartitionCIDR function

Signed-off-by: Gilberto Bertin <jibi@cilium.io>
Commit 49102a9: egressgw: policy: parse excludedCIDRs from CEGP

Signed-off-by: Gilberto Bertin <jibi@cilium.io>
Commit c9accb0: egressgw: policy: add destinationMinusExcludedCIDRs helper

which returns the actual destination CIDRs space for a given policy, which is defined by the destination CIDRs minus the excluded ones.

A practical example may be useful here. Let's say a policy specifies:

* destination CIDRs: 1.1.1.0/24
* excluded CIDRs: 1.1.1.1/2

The effective CIDR space for such policy will be the difference between the two 1.1.1.0/24 and 1.1.1.1/24 CIDRs, so:

1.1.1.0/28
1.1.1.16/30
1.1.1.20/31
1.1.1.23/32
1.1.1.24/29
1.1.1.32/27
1.1.1.64/26
1.1.1.128/25

Signed-off-by: Gilberto Bertin <jibi@cilium.io>
Commit 4d32c2d: egressgw: policy: add excluded CIDRs iterating/matching helpers

This commit renames the forEachEndpointAndDestination method to forEachEndpointAndCIDR, to make it more clear that it iterates over all (destination and excluded) CIDRs of the receiver policy.

Next, it introduces 2 new helpers that allow iterating and matching over all the endpoints and destination CIDRs minus the excluded ones:

* forEachEndpointAndDestinations: works like forEachEndpointAndCIDR, but iterates over destinationCIDRs minus excludedCIDRs
* matchesMinusExcludedCIDRs: works like matches but matches over destinationCIDRs minus excludedCIDRs

Signed-off-by: Gilberto Bertin <jibi@cilium.io>
Commit 9403c76: egressgw: add support for excludedCIDRs

Add support to the egress gateway manager for the new excludedCIDRs policy property.

The implementation is based on the idea of adding, for each excluded CIDR, "zero" entries to the egress policy map (i.e. entries with the gateway IP set to 0.0.0.0). When traffic is then matched against these entries in the datapath, it will skip altogether all the egress gateway logic.

Fixes: #23002

Signed-off-by: Gilberto Bertin <jibi@cilium.io>
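As an added illustration of the two ideas in the commit messages above (this is example code written for this page, not code from the Cilium PR, and `subtractPrefix`, `destinationMinusExcluded`, `buildPolicyMap` and `lookup` are this example's own names, not Cilium's `PartitionCIDR` or manager API), the Go program below does two things. First, it computes "destination CIDRs minus excluded CIDRs" by recursively splitting a prefix in half until the excluded prefix is carved out; with 1.1.1.0/24 as destination and 1.1.1.22/32 as the excluded prefix (an assumption made here, since that is the single address whose removal produces the eight prefixes listed in the c9accb0 message) it reproduces that list in order, and it works for IPv6 prefixes too. Second, it models an egress policy map where excluded CIDRs are inserted as zero-gateway entries, and a longest-prefix-match lookup returns "no egress gateway" when the best match is such an entry, which is the datapath behaviour cd377bb and 9403c76 describe.

```go
package main

import (
	"fmt"
	"net/netip"
)

// upperHalfStart returns the first address of the upper half of p,
// i.e. p's network address with the next prefix bit set.
func upperHalfStart(p netip.Prefix) netip.Addr {
	b := p.Addr().As16() // IPv4 comes back v4-mapped, so offset the bit by 96
	bit := p.Bits()
	if p.Addr().Is4() {
		bit += 96
	}
	b[bit/8] |= 0x80 >> (bit % 8)
	addr := netip.AddrFrom16(b)
	if p.Addr().Is4() {
		addr = addr.Unmap()
	}
	return addr
}

// subtractPrefix returns the set of prefixes covering target minus excluded.
// This is a constructed helper, not Cilium's PartitionCIDR.
func subtractPrefix(target, excluded netip.Prefix) []netip.Prefix {
	target, excluded = target.Masked(), excluded.Masked()
	if !target.Overlaps(excluded) {
		return []netip.Prefix{target} // disjoint: nothing to remove
	}
	if excluded.Bits() <= target.Bits() {
		return nil // excluded covers all of target
	}
	// Split target in two halves and keep carving only the half that overlaps.
	half := target.Bits() + 1
	lo := netip.PrefixFrom(target.Addr(), half).Masked()
	hi := netip.PrefixFrom(upperHalfStart(target), half).Masked()
	if lo.Contains(excluded.Addr()) {
		return append(subtractPrefix(lo, excluded), hi)
	}
	return append([]netip.Prefix{lo}, subtractPrefix(hi, excluded)...)
}

// destinationMinusExcluded applies every excluded prefix to every destination prefix.
func destinationMinusExcluded(dests, excluded []netip.Prefix) []netip.Prefix {
	var out []netip.Prefix
	for _, d := range dests {
		cur := []netip.Prefix{d}
		for _, e := range excluded {
			var next []netip.Prefix
			for _, p := range cur {
				next = append(next, subtractPrefix(p, e)...)
			}
			cur = next
		}
		out = append(out, cur...)
	}
	return out
}

// policyEntry is a simplified egress policy map entry keyed by (source, destination CIDR).
// A Gateway of 0.0.0.0 marks an "excluded" entry, as in the PR's description.
type policyEntry struct {
	Source  netip.Addr
	Dest    netip.Prefix
	Gateway netip.Addr
}

// buildPolicyMap inserts normal entries for destination CIDRs and zero-gateway
// entries for excluded CIDRs, for each endpoint selected by the policy.
func buildPolicyMap(endpoints []netip.Addr, dests, excluded []netip.Prefix, gw netip.Addr) []policyEntry {
	var m []policyEntry
	for _, ep := range endpoints {
		for _, d := range dests {
			m = append(m, policyEntry{ep, d.Masked(), gw})
		}
		for _, e := range excluded {
			m = append(m, policyEntry{ep, e.Masked(), netip.IPv4Unspecified()})
		}
	}
	return m
}

// lookup performs a longest-prefix match for (src, dst). It returns ok=false when no
// entry matches or when the best match is a zero-gateway (excluded) entry, meaning
// the packet must bypass egress gateway redirection and SNAT.
func lookup(m []policyEntry, src, dst netip.Addr) (netip.Addr, bool) {
	best, bestGw := -1, netip.Addr{}
	for _, e := range m {
		if e.Source != src || !e.Dest.Contains(dst) {
			continue
		}
		if e.Dest.Bits() > best {
			best, bestGw = e.Dest.Bits(), e.Gateway
		}
	}
	if best < 0 || bestGw.IsUnspecified() {
		return netip.Addr{}, false
	}
	return bestGw, true
}

func main() {
	// Constructed sample policy: one endpoint, one destination CIDR, one excluded /32.
	ep := netip.MustParseAddr("10.244.1.5")
	dests := []netip.Prefix{netip.MustParsePrefix("1.1.1.0/24")}
	excl := []netip.Prefix{netip.MustParsePrefix("1.1.1.22/32")}
	gw := netip.MustParseAddr("192.168.1.100")

	fmt.Println("effective destination CIDRs:", destinationMinusExcluded(dests, excl))
	m := buildPolicyMap([]netip.Addr{ep}, dests, excl, gw)
	for _, dst := range []string{"1.1.1.5", "1.1.1.22", "8.8.8.8"} {
		g, ok := lookup(m, ep, netip.MustParseAddr(dst))
		fmt.Printf("%s -> gateway %v, redirect=%v\n", dst, g, ok)
	}
}
```

The zero-gateway entry only wins because the LPM picks the most specific prefix; if an excluded CIDR were wider than a destination CIDR the normal entry would still match for the more specific destination, so a control plane using this scheme should validate that excluded CIDRs are subsets of the destination CIDRs it expects to carve out.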
Commit c5ef07e: egressgw: manager: cosmetic cleanup

In the callback we use in removeUnusedIpRulesAndRoutes() to match an IP rule to an egress gateway policy, separate the preconditions from the actual matching predicate.

Signed-off-by: Gilberto Bertin <jibi@cilium.io>
Commit 110688b: bpf: tests: add unit test for egress gateway redirection

And rename existing test file to tc_egressgw_snat.c

Signed-off-by: Gilberto Bertin <jibi@cilium.io>
Commit 7ae8554: bpf: tests: add unit test for egress gateway excluded CIDRs

Signed-off-by: Gilberto Bertin <jibi@cilium.io>
Commit a51cc87: bpf: tests: use EGRESS_PREFIX_LEN macro

to initialize the egress gateway policies' lpm keys.

Signed-off-by: Gilberto Bertin <jibi@cilium.io>
Commit 6cf9629: docs: egressgw: add section for excludedCIDRs

Signed-off-by: Gilberto Bertin <jibi@cilium.io>