-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fixes for ip-masq-agent #26435
Fixes for ip-masq-agent #26435
Commits on Jun 26, 2023
-
config: Do not define IPv6 ip-masq-agent macros under IPv4 config
Fix a bug introduced with the support for IPv6 ip-masq-agent. The macros for IPv6 are not at the right location, and they will be set if IPv4 masquerading is set, even if it is disabled for IPv6. Let's move the code to its right location. Fixes: 7fd9a0d ("ipmasq: Enable IPv6 support for ip-masq-agent") Signed-off-by: Quentin Monnet <quentin@isovalent.com>
Configuration menu - View commit details
-
Copy full SHA for 242abad - Browse repository at this point
Copy the full SHA 242abadView commit details -
maps: Fix conditions for disabling ip-masq-agent related maps
When adding support for IPv6 ip-masq-agent, the related maps were not handled correctly in RemoveDisabledMaps(), resulting in maps being kept, even if option.Config.EnableIPv(4|6)Masquerade is disabled. Let's fix the conditions to sweep these maps. Fixes: c5348d2 ("ipmasq: Implement ip-masq-agent support for IPv6") Signed-off-by: Quentin Monnet <quentin@isovalent.com>
Configuration menu - View commit details
-
Copy full SHA for 21f20f8 - Browse repository at this point
Copy the full SHA 21f20f8View commit details -
datapath: Create ip-masq-agent maps only if masquerading is enabled
Before we introduced support for the IPv6 ip-masq-agent, only IPv4 would support it. Therefore, if the ip-masq-agent agent was enabled in the config, this meant that we had validated that IPv4 masquerading was set, and we could afford creating the related map on the combination of options (IPv4 + ip-masq-agent enabled). Now that we have IPv6 support, having IPv4 and the ip-masq-agent enabled no longer means we're using it for IPv4, given that we may chose to enable masquerading for IPv6 only. So we need to update the conditions in the datapath package, to create these maps only when necessary. Fixes: 7fd9a0d ("ipmasq: Enable IPv6 support for ip-masq-agent") Signed-off-by: Quentin Monnet <quentin@isovalent.com>
Configuration menu - View commit details
-
Copy full SHA for 0f1ffe1 - Browse repository at this point
Copy the full SHA 0f1ffe1View commit details -
maps/ipmasq: Tighten conditions to update, delete, dump map entries
If we don't pay attention to what IP protocols should get masqueraded, and try to interact with ip-masq-agent maps without precautions, we can end up in a situation where we try to open a map that does not exist. For example, if the cluster runs with IPv4 only, and we try to add the default prefixes (IPv4 and IPv6) to the ip-masq-agent, then we try to Update() an entry in the IPv6 map for the ip-masq-agent. But this map does not exist (we run with IPv4 only and never created it). So we get a warning in the logs, preventing Cilium to be healthy: loading pinned map /sys/fs/bpf/tc/globals/cilium_ipmasq_v6: no such file or directory Fix this by restricting the operations to the IP versions for which we have masquerading enabled. Fixes: c5348d2 ("ipmasq: Implement ip-masq-agent support for IPv6") Reported-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com>
Configuration menu - View commit details
-
Copy full SHA for 3172001 - Browse repository at this point
Copy the full SHA 3172001View commit details -
cilium/ipmasq: Fix "cilium bpf ipmasq list" after IPv6 support
When adding support for IPv6 ip-masq-agent in Cilium, we made sure to Dump() the contents of the maps only for the map that had been defined (IPv4 and/or IPv6 versions). This works well in the agent, but not from the CLI, which also calls Dump() for "cilium bpf ipmasq list". In that case, the variable referencing the maps have never been set, and we end up exiting from the function without dumping any contents. To fix this, we need the CLI to be able to chose what maps should be needed. The ipmasq package does not expose the maps directly, so we want to pass it the values for option.Config.EnableIPv(4|6)Masquerade instead. These configuration options are not directly available from the CLI. Instead, we check whether the IPv4 and IPv6 ip-masq-agent maps are open, and let the ipmasq package know which maps to dump accordingly. Fixes: c5348d2 ("ipmasq: Implement ip-masq-agent support for IPv6") Reported-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com>
Configuration menu - View commit details
-
Copy full SHA for 638b5dd - Browse repository at this point
Copy the full SHA 638b5ddView commit details -
examples: Fix YAML indentation in ip-masq-agent example
YAML indentation is not correct, and the example file cannot be applied in a straightforward fashion. Let's fix it. Fixes: 2dc829b ("docs: Simplify example how to config ipmasq via ConfigMap") Signed-off-by: Quentin Monnet <quentin@isovalent.com>
Configuration menu - View commit details
-
Copy full SHA for 37cac39 - Browse repository at this point
Copy the full SHA 37cac39View commit details -
test: Add e2e test for ip-masq-agent with IPv4 only
In order to detect issues occurring with ip-masq-agent when IPv4 only is enabled, add a new test to deploy the ip-masq-agent without IPv6. Signed-off-by: Quentin Monnet <quentin@isovalent.com>
Configuration menu - View commit details
-
Copy full SHA for 482819e - Browse repository at this point
Copy the full SHA 482819eView commit details