egressgw: steer traffic to the right interface using BPF #26215
Conversation
Force-pushed:
203cd6d to 1f1c132
992dc9d to d54a868
d54a868 to a1b42a2
e1050b6 to 2fb9cea
1410713 to 157fa1c
1bef1e9 to eb762e1
47959bf to 93b6eec
Sorry for the drive-by post-merge comment/review. I just noticed this change while I was investigating how the old feature worked (looking into auto-direct-node-routes improvements). Something that confused me for a bit: The documentation still mentions this flag. Since the flag is now a no-op, should the docs be removed too? https://docs.cilium.io/en/latest/network/egress-gateway/#eks-s-eni-mode
Yep, we'll still need to go through the whole doc update dance (also mention the deprecation etc) 👍.
cilium#26215 changed how we do egressGW-specific routing on the gateway node - instead of installing custom IP rules, we rely on the node's routing setup.

cilium#30286 then fixed up a corner-case on older kernels.

Reflect both parts in the docs.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
[ upstream commit e777df1 ]

#26215 changed how we do egressGW-specific routing on the gateway node - instead of installing custom IP rules, we rely on the node's routing setup.

#30286 then fixed up a corner-case on older kernels.

Reflect both parts in the docs.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Signed-off-by: Jussi Maki <jussi@isovalent.com>
To let EGW traffic exit the gateway through the correct interface, we've introduced FIB lookup-driven redirects in the to-netdev path (cilium#26215). This is needed for cases where the traffic first hits one interface via the default route, but then needs to bounce to some other interface that matches the actual egressIP.

In this approach we masquerade the packet on its first pass through to-netdev, set the SNAT_DONE mark, and then redirect to the actual egress interface. Due to the SNAT_DONE mark we then skip the SNAT logic in the second pass through to-netdev.

cilium#29379 then improved the situation for any EGW traffic that enters the gateway from the overlay network (== anything that's not by a pod on the gateway). We now redirect in from-overlay, straight to the actual egress interface and masquerade the packet there.

Now also harmonize the approach for local pods, and defer the masquerade until the packet hits the actual egress interface. This simplifies the overall picture, and also allows us to raise TO_NETWORK datapath trace events that are enriched with the packet's original source IP.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
To let EGW traffic exit the gateway through the correct interface, we've introduced FIB lookup-driven redirects in the to-netdev path (cilium#26215). This is needed for cases where the traffic first hits one interface via the default route, but then needs to bounce to some other interface that matches the actual egressIP.

In this approach we masquerade the packet on its first pass through to-netdev, set the SNAT_DONE mark, and then redirect to the actual egress interface. Due to the SNAT_DONE mark we then skip the SNAT logic in the second pass through to-netdev.

cilium#29379 then improved the situation for any EGW traffic that enters the gateway from the overlay network (== anything that's not by a pod on the gateway). We now redirect in from-overlay, straight to the actual egress interface and masquerade the packet there.

Now also harmonize the approach for local pods, and defer the masquerade until the packet hits the actual egress interface. This simplifies the overall picture. But it also allows us to raise TO_NETWORK datapath trace events that are enriched with the packet's original source IP - this event is raised on the *second* pass through to-netdev, so we need the SNAT to happen at the same time.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
To let EGW traffic exit the gateway through the correct interface, we've introduced FIB lookup-driven redirects in the to-netdev path (cilium#26215). This is needed for cases where the traffic first hits one interface via the default route, but then needs to bounce to some other interface that matches the actual egressIP.

In this approach we masquerade the packet on its first pass through to-netdev, set the SNAT_DONE mark, and then redirect to the actual egress interface. Due to the SNAT_DONE mark we then skip the SNAT logic in the second pass through to-netdev.

cilium#29379 then improved the situation for any EGW traffic that enters the gateway from the overlay network (== anything that's not by a pod on the gateway). We now redirect in from-overlay, straight to the actual egress interface and masquerade the packet there.

Now also harmonize the approach for local pods, and defer the masquerade until the packet hits the actual egress interface. This simplifies the overall picture. But it also allows us to raise TO_NETWORK datapath trace events that are enriched with the packet's original source IP - this event is raised on the *second* pass through to-netdev, so we need the SNAT to happen at the same time.

Also add a comment to clarify the check to skip HostFW for SNATed traffic.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
[ upstream commit cf6b203 ]

To let EGW traffic exit the gateway through the correct interface, we've introduced FIB lookup-driven redirects in the to-netdev path (#26215). This is needed for cases where the traffic first hits one interface via the default route, but then needs to bounce to some other interface that matches the actual egressIP.

In this approach we masquerade the packet on its first pass through to-netdev, set the SNAT_DONE mark, and then redirect to the actual egress interface. Due to the SNAT_DONE mark we then skip the SNAT logic in the second pass through to-netdev.

#29379 then improved the situation for any EGW traffic that enters the gateway from the overlay network (== anything that's not by a pod on the gateway). We now redirect in from-overlay, straight to the actual egress interface and masquerade the packet there.

Now also harmonize the approach for local pods, and defer the masquerade until the packet hits the actual egress interface. This simplifies the overall picture. But it also allows us to raise TO_NETWORK datapath trace events that are enriched with the packet's original source IP - this event is raised on the *second* pass through to-netdev, so we need the SNAT to happen at the same time.

Also add a comment to clarify the check to skip HostFW for SNATed traffic.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
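The two-pass to-netdev flow described in the commit messages above, as an added userspace model (example code, not Cilium's BPF datapath). It stands in a source-aware FIB lookup for the node's policy routing (the "rely on the node's routing setup" part), a hypothetical egress policy that maps pods in 10.0.0.0/16 to an egress IP held by a secondary interface, and the to-netdev pass in both variants: masquerade on the first pass with the SNAT_DONE mark, and masquerade deferred until the packet sits on the interface it actually leaves through. Interface indexes, addresses, rule and table contents, and every function name here are constructed for the example; the real datapath does this with BPF helpers such as bpf_fib_lookup and a redirect, which this model only imitates.

```c
/*
 * Added example, not Cilium code: a userspace model of the egress-gateway
 * to-netdev logic. FIB, policy rule, addresses and ifindexes are constructed.
 */
#include <stdint.h>
#include <stdio.h>

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))
#define MARK_SNAT_DONE 0x1u
#define ETH0 2              /* primary interface, owns the default route */
#define ETH1 3              /* secondary interface that holds the egress IP */
#define MAX_PASSES 4        /* guard against a redirect loop in the model */

enum mode { SNAT_FIRST_PASS, SNAT_AT_EGRESS_IF };

struct route { uint32_t prefix; int plen; int oif; };
struct rule  { uint32_t from; int plen; const struct route *tbl; int n; };

/* Constructed node routing: the main table defaults to eth0; a policy rule
 * sends traffic *sourced from* the egress IP to table 101, which defaults
 * to eth1. The datapath relies on this instead of installing its own rules. */
static const struct route main_tbl[] = { { 0, 0, ETH0 } };
static const struct route tbl101[]   = { { 0, 0, ETH1 } };
static const struct rule  rules[]    = { { IP4(10,20,0,5), 32, tbl101, 1 } };
#define NRULES (sizeof rules / sizeof rules[0])

static const uint32_t POD_CIDR = IP4(10,0,0,0), EXT_CIDR = IP4(198,51,100,0);
static const uint32_t EGRESS_IP = IP4(10,20,0,5);

static int prefix_match(uint32_t a, uint32_t p, int plen) {
    uint32_t m = plen ? ~0u << (32 - plen) : 0;
    return (a & m) == (p & m);
}

/* Longest-prefix match inside one table; -1 means no route. */
static int table_lookup(const struct route *t, int n, uint32_t daddr) {
    int best = -1, best_len = -1;
    for (int i = 0; i < n; i++)
        if (prefix_match(daddr, t[i].prefix, t[i].plen) && t[i].plen > best_len)
            best = t[i].oif, best_len = t[i].plen;
    return best;
}

/* Source-aware FIB lookup: the first matching 'from' rule selects the table,
 * otherwise the main table is used. */
static int fib_lookup(uint32_t saddr, uint32_t daddr) {
    for (size_t i = 0; i < NRULES; i++)
        if (prefix_match(saddr, rules[i].from, rules[i].plen)) {
            int oif = table_lookup(rules[i].tbl, rules[i].n, daddr);
            if (oif >= 0) return oif;
        }
    return table_lookup(main_tbl, 1, daddr);
}

/* Hypothetical egress policy: pods in 10.0.0.0/16 reaching 198.51.100.0/24
 * must leave this gateway with EGRESS_IP as source. */
static int egress_policy(uint32_t saddr, uint32_t daddr, uint32_t *egress_ip) {
    if (!prefix_match(saddr, POD_CIDR, 16) || !prefix_match(daddr, EXT_CIDR, 24))
        return 0;
    *egress_ip = EGRESS_IP;
    return 1;
}

struct pkt { uint32_t saddr, daddr, mark; };
struct run { int oif, passes; uint32_t trace_src, final_src; };

/* One pass through to-netdev on `ifindex`. Returns the ifindex to redirect
 * to, or -1 to let the packet leave here. `r->trace_src` records what a
 * TO_NETWORK trace event raised at that point would see as source IP. */
static int to_netdev(struct pkt *p, int ifindex, enum mode mode, struct run *r) {
    uint32_t egress_ip;
    int oif;

    if (p->mark & MARK_SNAT_DONE) {      /* second pass after an early SNAT */
        r->trace_src = p->saddr;         /* only the egress IP is left */
        return -1;
    }
    if (!egress_policy(p->saddr, p->daddr, &egress_ip)) {
        r->trace_src = p->saddr;         /* not EGW traffic: untouched */
        return -1;
    }
    if (mode == SNAT_FIRST_PASS) {
        p->saddr = egress_ip;            /* masquerade now, route on the result */
        p->mark |= MARK_SNAT_DONE;
        oif = fib_lookup(p->saddr, p->daddr);
        if (oif != ifindex) return oif;  /* bounce to the real egress interface */
        r->trace_src = p->saddr;
        return -1;
    }
    /* SNAT_AT_EGRESS_IF: route on the egress IP, but keep the pod IP until the
     * packet is on the interface it will actually leave through. */
    oif = fib_lookup(egress_ip, p->daddr);
    if (oif != ifindex) return oif;      /* bounce, still carrying the pod IP */
    r->trace_src = p->saddr;             /* original source IP still visible */
    p->saddr = egress_ip;
    p->mark |= MARK_SNAT_DONE;
    return -1;
}

/* Drive a packet from its first hop (chosen by the default route for the pod
 * source) until to-netdev lets it leave. */
static struct run run_egress(uint32_t saddr, uint32_t daddr, enum mode mode) {
    struct pkt p = { saddr, daddr, 0 };
    struct run r = { fib_lookup(saddr, daddr), 0, 0, 0 };

    for (r.passes = 1; r.passes <= MAX_PASSES; r.passes++) {
        int next = to_netdev(&p, r.oif, mode, &r);
        if (next < 0) break;
        r.oif = next;
    }
    r.final_src = p.saddr;
    return r;
}

int main(void) {
    uint32_t pod = IP4(10,0,1,7), ext = IP4(198,51,100,9);
    struct run a = run_egress(pod, ext, SNAT_FIRST_PASS);
    struct run b = run_egress(pod, ext, SNAT_AT_EGRESS_IF);
    printf("SNAT on first pass : leaves ifindex %d after %d passes, trace src %08x\n",
           a.oif, a.passes, a.trace_src);
    printf("SNAT at egress if  : leaves ifindex %d after %d passes, trace src %08x\n",
           b.oif, b.passes, b.trace_src);
    return 0;
}
```

Both variants leave on eth1 after two passes and end with the egress IP as source; the difference is only visible at the point where the trace event is raised, where the deferred variant still sees the pod IP and the early-SNAT variant sees the egress IP. The non-EGW path, and a packet whose FIB lookup already lands on the current interface, take a single pass.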
see commits
Fixes: #23504