pkg: add missing xfrm-no-track rules from ipv6 #24557

jschwinger233 · 2023-03-24T11:54:30Z

By right there should be a rule to let ipsec skb bypass conntrack:

-A CILIUM_PRE_raw -m mark --mark 0xd00/0xf00 -m comment --comment "cilium-xfrm-notrack:" -j CT --notrack

However ipv6 missed it and this commit adds the rule back.

Add missing xfrm-no-track rules for IPv6 IPSec. This fixes a connectivity issue for IPv6 IPSec with externalTrafficPolicy=local.

By right there should be a rule to let ipsec skb bypass conntrack: -A CILIUM_PRE_raw -m mark --mark 0xd00/0xf00 -m comment --comment "cilium-xfrm-notrack:" -j CT --notrack However ipv6 missed it and this commit adds the rule back. Fixes: cilium#23481 Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>

This reverts commit b1b9fbd and re-enables test for IPv6 externalTrafficPolicy=Local E/W for IPsec. Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>

julianwiedmann · 2023-03-24T16:55:04Z

/test

pchaigno

Nice! Thanks for tracking and fixing this!

I see it's labeled as release-note/minor, but it feels more like a release-note/bug, no? The release note should also describe the user impact. It currently describes the change itself.
Finally, I think we should figure out where we need to backport.

pkg/datapath/iptables/iptables.go

jschwinger233 · 2023-03-27T03:23:09Z

I think we should figure out where we need to backport.

I noticed there is no PR labelled with backport/1.10 and earlier versions, so I add needs-backport/1.11 for this, if it's not appropriate please let me know.

brb

🚀

julianwiedmann · 2023-03-27T10:35:13Z

[word-smith'ed the release-note. Also adding backport labels for 1.12 and 1.13]

jschwinger233 · 2023-03-27T10:42:41Z

Backport PR will be taken care of by renovate bot, right? Is there anything I should follow up?

maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Mar 24, 2023

jschwinger233 added the release-note/minor This PR changes functionality that users may find relevant to operating Cilium. label Mar 24, 2023

maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Mar 24, 2023

Revert "test: Do not test E/W eTP=Local with IPsec"

32f0493

This reverts commit b1b9fbd and re-enables test for IPv6 externalTrafficPolicy=Local E/W for IPsec. Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>

jschwinger233 marked this pull request as ready for review March 24, 2023 13:05

jschwinger233 requested review from a team as code owners March 24, 2023 13:05

jschwinger233 requested review from aspsk and tklauser March 24, 2023 13:05

pchaigno added area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. feature/ipv6 Relates to IPv6 protocol support labels Mar 24, 2023

pchaigno reviewed Mar 24, 2023

View reviewed changes

pkg/datapath/iptables/iptables.go Show resolved Hide resolved

jschwinger233 added release-note/bug This PR fixes an issue in a previous release of Cilium. and removed release-note/minor This PR changes functionality that users may find relevant to operating Cilium. labels Mar 27, 2023

jschwinger233 added the needs-backport/1.11 label Mar 27, 2023

maintainer-s-little-helper bot added this to Needs backport from master in 1.11.16 Mar 27, 2023

brb approved these changes Mar 27, 2023

View reviewed changes

julianwiedmann added sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. needs-backport/1.12 labels Mar 27, 2023

maintainer-s-little-helper bot added this to Needs backport from master in 1.13.2 Mar 27, 2023

maintainer-s-little-helper bot added this to Needs backport from master in 1.12.9 Mar 27, 2023

pchaigno approved these changes Mar 27, 2023

View reviewed changes

pchaigno merged commit dd0a8f5 into cilium:master Mar 27, 2023

jschwinger233 deleted the gray/fix-ipsec-eTP branch March 27, 2023 10:48

julianwiedmann mentioned this pull request Mar 28, 2023

CI: K8sDatapathServicesTest Checks E/W loadbalancing (ClusterIP, NodePort from inside cluster, etc) Tests NodePort inside cluster (kube-proxy) with IPSec and externalTrafficPolicy=Local #24602

Closed

mhofstetter mentioned this pull request Mar 28, 2023

endpoint: fix k8sNamespace log field when ep gets deleted #24575

Merged

tklauser mentioned this pull request Mar 28, 2023

v1.11 backports 2023-03-28 #24604

Merged

5 tasks

tklauser added backport-pending/1.11 and removed needs-backport/1.11 labels Mar 28, 2023

maintainer-s-little-helper bot moved this from Needs backport from master to Backport pending to v1.11 in 1.11.16 Mar 28, 2023

tklauser mentioned this pull request Mar 28, 2023

v1.12 backports 2023-03-28 #24605

Merged

6 tasks

tklauser added backport-pending/1.12 and removed needs-backport/1.12 labels Mar 28, 2023

tklauser mentioned this pull request Mar 28, 2023

v1.13 backports 2023-03-28 #24607

Merged

9 tasks

tklauser added backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. and removed needs-backport/1.13 labels Mar 28, 2023

maintainer-s-little-helper bot moved this from Needs backport from master to Backport pending to v1.13 in 1.13.2 Mar 28, 2023

maintainer-s-little-helper bot moved this from Needs backport from master to Backport pending to v1.12 in 1.12.9 Mar 28, 2023

tklauser added backport-done/1.12 The backport for Cilium 1.12.x for this PR is done. and removed backport-pending/1.12 labels Mar 29, 2023

maintainer-s-little-helper bot moved this from Backport pending to v1.12 to Backport done to v1.12 in 1.12.9 Mar 29, 2023

YutaroHayakawa mentioned this pull request Mar 29, 2023

Implement GC for per-cluster CT/SNAT maps #24576

Merged

tklauser added backport-done/1.11 The backport for Cilium 1.11.x for this PR is done. and removed backport-pending/1.11 labels Mar 29, 2023

maintainer-s-little-helper bot moved this from Backport pending to v1.11 to Backport done to v1.11 in 1.11.16 Mar 29, 2023

This was referenced Apr 14, 2023

Prepare for release v1.12.9 #24879

Merged

Prepare for release v1.11.16 #24880

Merged

julianwiedmann added backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. and removed backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. labels Apr 14, 2023

maintainer-s-little-helper bot moved this from Backport pending to v1.13 to Backport done to v1.13 in 1.13.2 Apr 14, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

pkg: add missing xfrm-no-track rules from ipv6 #24557

pkg: add missing xfrm-no-track rules from ipv6 #24557

jschwinger233 commented Mar 24, 2023 •

edited by julianwiedmann

Loading

julianwiedmann commented Mar 24, 2023

pchaigno left a comment

jschwinger233 commented Mar 27, 2023 •

edited

Loading

brb left a comment

julianwiedmann commented Mar 27, 2023

jschwinger233 commented Mar 27, 2023

pkg: add missing xfrm-no-track rules from ipv6 #24557

pkg: add missing xfrm-no-track rules from ipv6 #24557

Conversation

jschwinger233 commented Mar 24, 2023 • edited by julianwiedmann Loading

julianwiedmann commented Mar 24, 2023

pchaigno left a comment

Choose a reason for hiding this comment

jschwinger233 commented Mar 27, 2023 • edited Loading

brb left a comment

Choose a reason for hiding this comment

julianwiedmann commented Mar 27, 2023

jschwinger233 commented Mar 27, 2023

jschwinger233 commented Mar 24, 2023 •

edited by julianwiedmann

Loading

jschwinger233 commented Mar 27, 2023 •

edited

Loading