Fixes for ip-masq-agent #26435
Merged
Fixes for ip-masq-agent #26435
Commits on Jun 26, 2023
-
config: Do not define IPv6 ip-masq-agent macros under IPv4 config
Fix a bug introduced with the support for IPv6 ip-masq-agent. The macros for IPv6 are not at the right location, and they will be set if IPv4 masquerading is set, even if it is disabled for IPv6. Let's move the code to its right location. Fixes: 7fd9a0d ("ipmasq: Enable IPv6 support for ip-masq-agent") Signed-off-by: Quentin Monnet <quentin@isovalent.com>
-
maps: Fix conditions for disabling ip-masq-agent related maps
When adding support for IPv6 ip-masq-agent, the related maps were not handled correctly in RemoveDisabledMaps(), resulting in maps being kept, even if option.Config.EnableIPv(4|6)Masquerade is disabled. Let's fix the conditions to sweep these maps. Fixes: c5348d2 ("ipmasq: Implement ip-masq-agent support for IPv6") Signed-off-by: Quentin Monnet <quentin@isovalent.com>
-
datapath: Create ip-masq-agent maps only if masquerading is enabled
Before we introduced support for the IPv6 ip-masq-agent, only IPv4 would support it. Therefore, if the ip-masq-agent agent was enabled in the config, this meant that we had validated that IPv4 masquerading was set, and we could afford creating the related map on the combination of options (IPv4 + ip-masq-agent enabled). Now that we have IPv6 support, having IPv4 and the ip-masq-agent enabled no longer means we're using it for IPv4, given that we may chose to enable masquerading for IPv6 only. So we need to update the conditions in the datapath package, to create these maps only when necessary. Fixes: 7fd9a0d ("ipmasq: Enable IPv6 support for ip-masq-agent") Signed-off-by: Quentin Monnet <quentin@isovalent.com>
-
maps/ipmasq: Tighten conditions to update, delete, dump map entries
If we don't pay attention to what IP protocols should get masqueraded, and try to interact with ip-masq-agent maps without precautions, we can end up in a situation where we try to open a map that does not exist. For example, if the cluster runs with IPv4 only, and we try to add the default prefixes (IPv4 and IPv6) to the ip-masq-agent, then we try to Update() an entry in the IPv6 map for the ip-masq-agent. But this map does not exist (we run with IPv4 only and never created it). So we get a warning in the logs, preventing Cilium to be healthy: loading pinned map /sys/fs/bpf/tc/globals/cilium_ipmasq_v6: no such file or directory Fix this by restricting the operations to the IP versions for which we have masquerading enabled. Fixes: c5348d2 ("ipmasq: Implement ip-masq-agent support for IPv6") Reported-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com> -
cilium/ipmasq: Fix "cilium bpf ipmasq list" after IPv6 support
When adding support for IPv6 ip-masq-agent in Cilium, we made sure to Dump() the contents of the maps only for the map that had been defined (IPv4 and/or IPv6 versions). This works well in the agent, but not from the CLI, which also calls Dump() for "cilium bpf ipmasq list". In that case, the variable referencing the maps have never been set, and we end up exiting from the function without dumping any contents. To fix this, we need the CLI to be able to chose what maps should be needed. The ipmasq package does not expose the maps directly, so we want to pass it the values for option.Config.EnableIPv(4|6)Masquerade instead. These configuration options are not directly available from the CLI. Instead, we check whether the IPv4 and IPv6 ip-masq-agent maps are open, and let the ipmasq package know which maps to dump accordingly. Fixes: c5348d2 ("ipmasq: Implement ip-masq-agent support for IPv6") Reported-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com>
-
examples: Fix YAML indentation in ip-masq-agent example
YAML indentation is not correct, and the example file cannot be applied in a straightforward fashion. Let's fix it. Fixes: 2dc829b ("docs: Simplify example how to config ipmasq via ConfigMap") Signed-off-by: Quentin Monnet <quentin@isovalent.com>
-
test: Add e2e test for ip-masq-agent with IPv4 only
In order to detect issues occurring with ip-masq-agent when IPv4 only is enabled, add a new test to deploy the ip-masq-agent without IPv6. Signed-off-by: Quentin Monnet <quentin@isovalent.com>
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.