
egressgw: add support for excludedCIDRs #23448

Merged 12 commits on Feb 20, 2023

Commits on Feb 20, 2023

  1. k8s: cegp: add excludedCIDRs field

    ExcludedCIDRs can be used in a CiliumEgressGatewayPolicy to express a
    list of destination CIDRs which will be excluded from the redirection
    and SNAT logic.
    
    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    jibi committed Feb 20, 2023
    305337f
  2. bpf: egressgw: handle excluded CIDRs case

    Handle the case where an egress policy has a gateway IP set to 0:
    any packet matching such policy should not go through egress gateway
    redirection/SNAT.
    
    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    jibi committed Feb 20, 2023
    cd377bb
  3. ip: export PartitionCIDR function

    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    jibi committed Feb 20, 2023
    64d55a5
  4. egressgw: policy: parse excludedCIDRs from CEGP

    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    jibi committed Feb 20, 2023
    49102a9
  5. egressgw: policy: add destinationMinusExcludedCIDRs helper

    which returns the actual destination CIDRs space for a given policy,
    which is defined by the destination CIDRs minus the excluded ones.
    
    A practical example may be useful here. Let's say a policy specifies:
    
    * destination CIDRs: 1.1.1.0/24
    * excluded CIDRs: 1.1.1.1/2
    
    The effective CIDR space for such policy will be the difference between
    the two 1.1.1.0/24 and 1.1.1.1/24 CIDRs, so:
    
    	1.1.1.0/28
    	1.1.1.16/30
    	1.1.1.20/31
    	1.1.1.23/32
    	1.1.1.24/29
    	1.1.1.32/27
    	1.1.1.64/26
    	1.1.1.128/25
    
    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    jibi committed Feb 20, 2023
    c9accb0
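The CIDR subtraction described in this commit message, as an added example that is not Cilium's code and not the PR's own `destinationMinusExcludedCIDRs` or `PartitionCIDR` implementation. The eight prefixes listed in the message are exactly 1.1.1.0/24 with the single host 1.1.1.22/32 removed, so that is the constructed input used here. The function names (`halves`, `subtractPrefix`, `destinationMinusExcluded`, `prefixStrings`) are hypothetical; the algorithm splits a destination prefix in half repeatedly until the excluded prefix falls out, and handles the two edge cases a practitioner cares about (a disjoint exclusion changes nothing; an exclusion covering the whole destination leaves nothing). IPv4 only.

```go
package main

import (
	"fmt"
	"net/netip"
)

// halves splits a masked IPv4 prefix shorter than /32 into its two children
// (low half, high half). Hypothetical helper, not Cilium's.
func halves(p netip.Prefix) (netip.Prefix, netip.Prefix) {
	a := p.Addr().As4()
	base := uint32(a[0])<<24 | uint32(a[1])<<16 | uint32(a[2])<<8 | uint32(a[3])
	bits := p.Bits() + 1
	// The high half is the low half with the newly added prefix bit set.
	hi := base | 1<<uint(32-bits)
	hiAddr := netip.AddrFrom4([4]byte{byte(hi >> 24), byte(hi >> 16), byte(hi >> 8), byte(hi)})
	return netip.PrefixFrom(p.Addr(), bits), netip.PrefixFrom(hiAddr, bits)
}

// subtractPrefix returns, in ascending order, the prefixes that cover dst with
// ex carved out. Disjoint: dst is returned unchanged. ex covers dst: nothing
// remains. Otherwise dst is split and each half is processed recursively; the
// half not touched by ex is emitted whole, so the result stays minimal.
func subtractPrefix(dst, ex netip.Prefix) []netip.Prefix {
	if !dst.Overlaps(ex) {
		return []netip.Prefix{dst}
	}
	if ex.Bits() <= dst.Bits() {
		return nil
	}
	lo, hi := halves(dst)
	return append(subtractPrefix(lo, ex), subtractPrefix(hi, ex)...)
}

// destinationMinusExcluded computes the effective destination space of a
// policy: every destination CIDR with every excluded CIDR removed. Mirrors the
// idea of the commit's helper; this is a reconstruction, not the real one.
func destinationMinusExcluded(destinations, excluded []netip.Prefix) ([]netip.Prefix, error) {
	out := make([]netip.Prefix, 0, len(destinations))
	for _, d := range destinations {
		if !d.Addr().Is4() {
			return nil, fmt.Errorf("example handles IPv4 only: %s", d)
		}
		out = append(out, d.Masked())
	}
	for _, ex := range excluded {
		if !ex.Addr().Is4() {
			return nil, fmt.Errorf("example handles IPv4 only: %s", ex)
		}
		ex = ex.Masked()
		var next []netip.Prefix
		for _, d := range out {
			next = append(next, subtractPrefix(d, ex)...)
		}
		out = next
	}
	return out, nil
}

// prefixStrings renders prefixes as "a.b.c.d/n" strings for display and tests.
func prefixStrings(ps []netip.Prefix) []string {
	s := make([]string, len(ps))
	for i, p := range ps {
		s[i] = p.String()
	}
	return s
}

func main() {
	// Constructed input: the destination from the commit message with one
	// host excluded, which reproduces the eight prefixes it lists.
	eff, err := destinationMinusExcluded(
		[]netip.Prefix{netip.MustParsePrefix("1.1.1.0/24")},
		[]netip.Prefix{netip.MustParsePrefix("1.1.1.22/32")},
	)
	if err != nil {
		panic(err)
	}
	for _, p := range prefixStrings(eff) {
		fmt.Println(p)
	}
}
```

The number of emitted prefixes grows with the depth of the exclusion: carving one /32 out of a /24 costs eight entries, carving one /32 out of a /8 costs twenty-four. That is why a datapath that has to honour excluded CIDRs benefits from a representation that does not enumerate the difference (see the later commit in this PR that installs zero-gateway entries instead).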
  6. egressgw: policy: add excluded CIDRs iterating/matching helpers

    This commit renames the forEachEndpointAndDestination method to
    forEachEndpointAndCIDR, to make it more clear that it iterates over all
    (destination and excluded) CIDRs of the receiver policy.
    
    Next, it introduces 2 new helpers that allow iterating and matching over
    all the endpoints and destination CIDRs minus the excluded ones:
    
    * forEachEndpointAndDestinations: works like forEachEndpointAndCIDR, but
      iterates over destinationCIDRs minus excludedCIDRs
    * matchesMinusExcludedCIDRs: works like matches but matches over
      destinationCIDRs minus excludedCIDRs
    
    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    jibi committed Feb 20, 2023
    4d32c2d
  7. egressgw: add support for excludedCIDRs

    Add support to the egress gateway manager for the new excludedCIDRs
    policy property.
    
    The implementation is based on the idea of adding, for each excluded
    CIDR, "zero" entries to the egress policy map (i.e. entries with the
    gateway IP set to 0.0.0.0). When traffic is then matched against these
    entries in the datapath, it will skip altogether all the egress gateway
    logic.
    
    Fixes: #23002
    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    jibi committed Feb 20, 2023
    9403c76
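The "zero entry" design in this commit message, modelled as an added example that is not Cilium's code or its BPF map layout. A constructed policy map holds one entry per destination CIDR with the real gateway and one entry per excluded CIDR with the gateway set to 0.0.0.0; `lookup` performs the longest-prefix match an LPM trie map does in the datapath, and `decide` turns the winning entry into the action the packet gets. The names (`policyEntry`, `buildEntries`, `lookup`, `decide`, the `action` constants), the gateway 10.0.0.1 and the sample addresses are all hypothetical.

```go
package main

import (
	"fmt"
	"net/netip"
)

// policyEntry models one row of the egress policy map: the destination prefix
// (the LPM key) and the gateway to redirect and SNAT through. A gateway of
// 0.0.0.0 is the "zero entry" the commit describes: a hit on it means the
// packet skips the egress gateway logic altogether.
type policyEntry struct {
	dst     netip.Prefix
	gateway netip.Addr
}

// action is what the datapath does with a packet to a given destination.
type action string

const (
	actNone     action = "no-policy"     // no entry matched: normal routing
	actSkip     action = "skip-egressgw" // matched a zero entry: excluded CIDR
	actRedirect action = "redirect"      // matched a real gateway: redirect + SNAT
)

// buildEntries installs one entry per destination CIDR carrying the gateway
// and one zero entry per excluded CIDR. Hypothetical reconstruction of the
// idea in the commit message, not the manager's real code.
func buildEntries(gateway netip.Addr, destinations, excluded []netip.Prefix) []policyEntry {
	entries := make([]policyEntry, 0, len(destinations)+len(excluded))
	for _, d := range destinations {
		entries = append(entries, policyEntry{dst: d.Masked(), gateway: gateway})
	}
	for _, e := range excluded {
		entries = append(entries, policyEntry{dst: e.Masked(), gateway: netip.IPv4Unspecified()})
	}
	return entries
}

// lookup is a longest-prefix match over the entries: the most specific prefix
// containing dst wins, which is why a /32 zero entry overrides the /24 it
// sits inside.
func lookup(entries []policyEntry, dst netip.Addr) (policyEntry, bool) {
	var best policyEntry
	found := false
	for _, e := range entries {
		if !e.dst.Contains(dst) {
			continue
		}
		if !found || e.dst.Bits() > best.dst.Bits() {
			best, found = e, true
		}
	}
	return best, found
}

// decide returns the action for dst and, for a redirect, the gateway address.
func decide(entries []policyEntry, dst netip.Addr) (action, netip.Addr) {
	e, ok := lookup(entries, dst)
	switch {
	case !ok:
		return actNone, netip.Addr{}
	case e.gateway.IsUnspecified():
		return actSkip, netip.Addr{}
	default:
		return actRedirect, e.gateway
	}
}

func main() {
	// Constructed sample policy (not from the PR): destination 1.1.1.0/24 via
	// gateway 10.0.0.1, with the single host 1.1.1.22/32 excluded.
	entries := buildEntries(
		netip.MustParseAddr("10.0.0.1"),
		[]netip.Prefix{netip.MustParsePrefix("1.1.1.0/24")},
		[]netip.Prefix{netip.MustParsePrefix("1.1.1.22/32")},
	)
	for _, ip := range []string{"1.1.1.5", "1.1.1.22", "9.9.9.9"} {
		act, gw := decide(entries, netip.MustParseAddr(ip))
		fmt.Printf("%-9s -> %-13s gateway=%v\n", ip, act, gw)
	}
}
```

Two points worth keeping in mind when operating this. First, in this model the zero entry only takes precedence because it is more specific than the destination prefix it carves out; an excluded CIDR that is broader than a destination CIDR would lose the longest-prefix match, so check how the real policy handles that shape rather than assuming. Second, traffic to an excluded CIDR leaves with the pod's own source address instead of the gateway's, so any downstream allow-list or audit rule keyed on the gateway IP will not see it; excluded ranges need their own logging and firewall treatment.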
  8. egressgw: manager: cosmetic cleanup

    In the callback we use in removeUnusedIpRulesAndRoutes() to match an IP
    rule to an egress gateway policy, separate the preconditions from the
    actual matching predicate.
    
    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    jibi committed Feb 20, 2023
    c5ef07e
  9. bpf: tests: add unit test for egress gateway redirection

    And rename existing test file to tc_egressgw_snat.c
    
    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    jibi committed Feb 20, 2023
    110688b
  10. bpf: tests: add unit test for egress gateway excluded CIDRs

    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    jibi committed Feb 20, 2023
    7ae8554
  11. bpf: tests: use EGRESS_PREFIX_LEN macro

    to initialize the egress gateway policies' lpm keys.
    
    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    jibi committed Feb 20, 2023
    a51cc87
  12. docs: egressgw: add section for excludedCIDRs

    Signed-off-by: Gilberto Bertin <jibi@cilium.io>
    jibi committed Feb 20, 2023
    6cf9629