-
Notifications
You must be signed in to change notification settings - Fork 2.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
bpf: fix missing ipv6 ct entry for SNATed pod traffic #28813
bpf: fix missing ipv6 ct entry for SNATed pod traffic #28813
Conversation
0660eb3
to
5b609bb
Compare
5b609bb
to
f356d85
Compare
/test |
Hi @oblazek , ty for looking into this! Will have a closer look ASAP. But just to set some context for review, as the description doesn't capture my current understanding.
We differentiate between the two cases by comparing the mark-derived identity with the ipcache-derived identity. Host traffic will have Throwing Do you agree with that assessment, or is there still something missing from the picture? |
You are totally right, if iptables are not present, there is no mark and I believe the same should be done for ipv4 |
c4a487e
to
53fdf39
Compare
/test |
agree, but this needs to be a conditional change (only when |
updated, now the PR should only contain ipv6 whitelisting related changes.. will do the rest in the followup PR |
/test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ty @oblazek ! There's one part where we need to check if the mark-based identity and ipcache-based identity match up (see below). But it's missing the ipcache-based identity ... could you have a look into passing that through, along what IPv4 does?
7d0bc0a
to
01e46ec
Compare
yeah I must have missed that when working on different branches :( |
/test |
the 2 pipeline fails are not related to this fix |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I made an initial look. The logic to set CB_IPCACHE_SRC_LABEL
is still missing, but otherwise, the logic looks correct to me. I found some small naming inconsistency and one potential bug.
When combining HostFW with kube-proxy based masquerading host traffic will have HOST_ID for both - packet mark based src_id and ip cache based src_id. While SNATed pod traffic will only have HOST_ID from the ipcache (as it doesn't pass through the iptables rules that set the mark). Therefore for SNATed traffic we get HOST_ID only from ipcache and not from packet mark it means we are handling SNATed traffic from pod that needs to have a conntrack entry so that return traffic doesn't go through host firewall and is skipped. This commit fixes the issue and adds a missing ct entry for SNATed traffic and it also unifies the code between ipv4 and ipv6 versions Signed-off-by: Ondrej Blazek <ondrej.blazek@firma.seznam.cz>
01e46ec
to
7817a7e
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Now LGTM 👍
/test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ty!
When combining HostFW with kube-proxy based masquerading
host traffic will have HOST_ID for both - packet mark based
src_id and ip cache based src_id.
While SNATed pod traffic will only have HOST_ID from the
ipcache (as it doesn't pass through the iptables rules that
set the mark).
Therefore for SNATed traffic we get HOST_ID only from
ipcache and not from packet mark it means we are handling
SNATed traffic from pod that needs to have a conntrack entry
so that return traffic doesn't go through host firewall and
is skipped.
This commit fixes the issue and adds a missing ct entry for
SNATed traffic.
cc @julianwiedmann
Fixes: #26886
related discussion: https://cilium.slack.com/archives/CDKG8NNHK/p1698155364279479