egressgw: steer traffic to the right interface using BPF #26215

jibi · 2023-06-14T09:32:19Z

see commits

EgressGW: interface selection is now done with BPF, using --install-egress-gateway-routes is no longer needed.

bpf/lib/nat.h

gandro · 2023-10-04T14:20:45Z

Sorry for the drive-by post-merge comment/review. I just noticed this change while I was investigating how the old feature worked (looking into auto-direct-node-routes improvements). Something that confused me for a bit: The documentation still mentions this flag. Since the flag is now a no-op, should the docs be removed too?

https://docs.cilium.io/en/latest/network/egress-gateway/#eks-s-eni-mode

julianwiedmann · 2023-10-04T14:38:26Z

Sorry for the drive-by post-merge comment/review. I just noticed this change while I was investigating how the old feature worked (looking into auto-direct-node-routes improvements). Something that confused me for a bit: The documentation still mentions this flag. Since the flag is now a no-op, should the docs be removed too?

https://docs.cilium.io/en/latest/network/egress-gateway/#eks-s-eni-mode

Yep, we'll still need to go through the whole doc update dance (also mention the deprecation etc) 👍.

cilium#26215 changed how we do egressGW-specific routing on the gateway node - instead of installing custom IP rules, we rely on the node's routing setup. cilium#30286 then fixed up a corner-case on older kernels. Reflect both parts in the docs. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

#26215 changed how we do egressGW-specific routing on the gateway node - instead of installing custom IP rules, we rely on the node's routing setup. #30286 then fixed up a corner-case on older kernels. Reflect both parts in the docs. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

[ upstream commit e777df1 ] #26215 changed how we do egressGW-specific routing on the gateway node - instead of installing custom IP rules, we rely on the node's routing setup. #30286 then fixed up a corner-case on older kernels. Reflect both parts in the docs. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com>

To let EGW traffic exit the gateway through the correct interface, we've introduced FIB lookup-driven redirects in the to-netdev path (cilium#26215). This is needed for cases where the traffic first hits one interface via the default route, but then needs to bounce to some other interface that matches the actual egressIP. In this approach we masquerade the packet on its first pass through to-netdev, set the SNAT_DONE mark, and then redirect to the actual egress interface. Due to the SNAT_DONE mark we then skip the SNAT logic in the second pass through to-netdev. cilium#29379 then improved the situation for any EGW traffic that enters the gateway from the overlay network (== anything that's not by a pod on the gateway). We now redirect in from-overlay, straight to the actual egress interface and masquerade the packet there. Now also harmonize the approach for local pods, and defer the masquerade until the packet hits the actual egress interface. This simplifies the overall picture, and also allows us to raise TO_NETWORK datapath trace events that are enriched with the packet's original source IP. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

To let EGW traffic exit the gateway through the correct interface, we've introduced FIB lookup-driven redirects in the to-netdev path (cilium#26215). This is needed for cases where the traffic first hits one interface via the default route, but then needs to bounce to some other interface that matches the actual egressIP. In this approach we masquerade the packet on its first pass through to-netdev, set the SNAT_DONE mark, and then redirect to the actual egress interface. Due to the SNAT_DONE mark we then skip the SNAT logic in the second pass through to-netdev. cilium#29379 then improved the situation for any EGW traffic that enters the gateway from the overlay network (== anything that's not by a pod on the gateway). We now redirect in from-overlay, straight to the actual egress interface and masquerade the packet there. Now also harmonize the approach for local pods, and defer the masquerade until the packet hits the actual egress interface. This simplifies the overall picture. But it also allows us to raise TO_NETWORK datapath trace events that are enriched with the packet's original source IP - this event is raised on the *second* pass through to-netdev, so we need the SNAT to happen at the same time. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

To let EGW traffic exit the gateway through the correct interface, we've introduced FIB lookup-driven redirects in the to-netdev path (cilium#26215). This is needed for cases where the traffic first hits one interface via the default route, but then needs to bounce to some other interface that matches the actual egressIP. In this approach we masquerade the packet on its first pass through to-netdev, set the SNAT_DONE mark, and then redirect to the actual egress interface. Due to the SNAT_DONE mark we then skip the SNAT logic in the second pass through to-netdev. cilium#29379 then improved the situation for any EGW traffic that enters the gateway from the overlay network (== anything that's not by a pod on the gateway). We now redirect in from-overlay, straight to the actual egress interface and masquerade the packet there. Now also harmonize the approach for local pods, and defer the masquerade until the packet hits the actual egress interface. This simplifies the overall picture. But it also allows us to raise TO_NETWORK datapath trace events that are enriched with the packet's original source IP - this event is raised on the *second* pass through to-netdev, so we need the SNAT to happen at the same time. Also add a comment to clarify the check to skip HostFW for SNATed traffic. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

To let EGW traffic exit the gateway through the correct interface, we've introduced FIB lookup-driven redirects in the to-netdev path (#26215). This is needed for cases where the traffic first hits one interface via the default route, but then needs to bounce to some other interface that matches the actual egressIP. In this approach we masquerade the packet on its first pass through to-netdev, set the SNAT_DONE mark, and then redirect to the actual egress interface. Due to the SNAT_DONE mark we then skip the SNAT logic in the second pass through to-netdev. #29379 then improved the situation for any EGW traffic that enters the gateway from the overlay network (== anything that's not by a pod on the gateway). We now redirect in from-overlay, straight to the actual egress interface and masquerade the packet there. Now also harmonize the approach for local pods, and defer the masquerade until the packet hits the actual egress interface. This simplifies the overall picture. But it also allows us to raise TO_NETWORK datapath trace events that are enriched with the packet's original source IP - this event is raised on the *second* pass through to-netdev, so we need the SNAT to happen at the same time. Also add a comment to clarify the check to skip HostFW for SNATed traffic. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

[ upstream commit cf6b203 ] To let EGW traffic exit the gateway through the correct interface, we've introduced FIB lookup-driven redirects in the to-netdev path (#26215). This is needed for cases where the traffic first hits one interface via the default route, but then needs to bounce to some other interface that matches the actual egressIP. In this approach we masquerade the packet on its first pass through to-netdev, set the SNAT_DONE mark, and then redirect to the actual egress interface. Due to the SNAT_DONE mark we then skip the SNAT logic in the second pass through to-netdev. #29379 then improved the situation for any EGW traffic that enters the gateway from the overlay network (== anything that's not by a pod on the gateway). We now redirect in from-overlay, straight to the actual egress interface and masquerade the packet there. Now also harmonize the approach for local pods, and defer the masquerade until the packet hits the actual egress interface. This simplifies the overall picture. But it also allows us to raise TO_NETWORK datapath trace events that are enriched with the packet's original source IP - this event is raised on the *second* pass through to-netdev, so we need the SNAT to happen at the same time. Also add a comment to clarify the check to skip HostFW for SNATed traffic. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

jibi added sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. release-note/misc This PR makes changes that have no direct user impact. feature/egress-gateway Impacts the egress IP gateway feature. labels Jun 14, 2023

jibi force-pushed the pr/jibi/egressgw-fib-lookup branch 4 times, most recently from 203cd6d to 1f1c132 Compare June 15, 2023 08:58

julianwiedmann reviewed Jun 15, 2023

View reviewed changes

bpf/lib/nat.h Outdated Show resolved Hide resolved

jibi force-pushed the pr/jibi/egressgw-fib-lookup branch 5 times, most recently from 992dc9d to d54a868 Compare June 20, 2023 12:10

jibi mentioned this pull request Jun 20, 2023

bpf: egressgw: refactor unit tests #26376

Merged

jibi force-pushed the pr/jibi/egressgw-fib-lookup branch from d54a868 to a1b42a2 Compare June 20, 2023 12:24

jibi changed the base branch from main to pr/jibi/egressgw-bpf-tests June 20, 2023 12:25

Base automatically changed from pr/jibi/egressgw-bpf-tests to main June 20, 2023 15:31

jibi force-pushed the pr/jibi/egressgw-fib-lookup branch 2 times, most recently from e1050b6 to 2fb9cea Compare June 20, 2023 15:37

julianwiedmann added the kind/enhancement This would improve or streamline existing functionality. label Jul 13, 2023

jibi force-pushed the pr/jibi/egressgw-fib-lookup branch 5 times, most recently from 1410713 to 157fa1c Compare August 4, 2023 10:10

jibi force-pushed the pr/jibi/egressgw-fib-lookup branch 3 times, most recently from 1bef1e9 to eb762e1 Compare August 24, 2023 08:43

jibi force-pushed the pr/jibi/egressgw-fib-lookup branch 2 times, most recently from 47959bf to 93b6eec Compare September 13, 2023 10:23

jibi deleted the pr/jibi/egressgw-fib-lookup branch October 3, 2023 08:01

margamanterola added release-note/minor This PR changes functionality that users may find relevant to operating Cilium. and removed release-note/misc This PR makes changes that have no direct user impact. labels Oct 4, 2023

JackMyers001 mentioned this pull request Jan 9, 2024

Egress gateway not working on 1.15.0-rc.0 when using interface #30159

Open

2 tasks

julianwiedmann mentioned this pull request Jan 29, 2024

docs: egressgw: describe routing on Gateway node #30488

Merged

julianwiedmann mentioned this pull request Feb 1, 2024

egressgw: improvements for FIB-driven redirect path #30576

Merged

julianwiedmann mentioned this pull request May 14, 2024

bpf: egw: delay SNAT for local client to actual egress interface #32428

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

egressgw: steer traffic to the right interface using BPF #26215

egressgw: steer traffic to the right interface using BPF #26215

jibi commented Jun 14, 2023 •

edited by margamanterola

gandro commented Oct 4, 2023

julianwiedmann commented Oct 4, 2023

egressgw: steer traffic to the right interface using BPF #26215

egressgw: steer traffic to the right interface using BPF #26215

Conversation

jibi commented Jun 14, 2023 • edited by margamanterola

gandro commented Oct 4, 2023

julianwiedmann commented Oct 4, 2023

jibi commented Jun 14, 2023 •

edited by margamanterola