Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ipsec: Remove dead code for IPsec node encryption #28898

Merged
merged 1 commit into from
Nov 6, 2023
Merged

ipsec: Remove dead code for IPsec node encryption #28898

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
179 changes: 1 addition & 178 deletions pkg/datapath/linux/node.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -584,11 +584,6 @@ func (n *linuxNodeHandler) enableSubnetIPsec(v4CIDR, v6CIDR []*net.IPNet) error
if err := n.replaceNodeIPSecOutRoute(cidr); err != nil {
errs = errors.Join(errs, fmt.Errorf("failed to replace ipsec OUT (%q): %w", cidr.IP, err))
}
if n.nodeConfig.EncryptNode {
if err := n.replaceNodeExternalIPSecOutRoute(cidr); err != nil {
errs = errors.Join(errs, fmt.Errorf("failed to replace external ipsec OUT (%q): %w", cidr.IP, err))
}
}
}

for _, cidr := range v6CIDR {
Expand All @@ -599,86 +594,6 @@ func (n *linuxNodeHandler) enableSubnetIPsec(v4CIDR, v6CIDR []*net.IPNet) error
if err := n.replaceNodeIPSecOutRoute(cidr); err != nil {
errs = errors.Join(errs, fmt.Errorf("failed to replace ipsec OUT (%q): %w", cidr.IP, err))
}
if n.nodeConfig.EncryptNode {
if err := n.replaceNodeExternalIPSecOutRoute(cidr); err != nil {
errs = errors.Join(errs, fmt.Errorf("failed to replace external ipsec OUT (%q): %w", cidr.IP, err))
}
}
}
return errs
}

// encryptNode handles setting the IPsec state for node encryption (subnet
// encryption = disabled).
func (n *linuxNodeHandler) encryptNode(newNode *nodeTypes.Node) error {
var errs error
var spi uint8
var err error

if n.nodeConfig.EnableIPv4 {
internalIPv4 := n.nodeAddressing.IPv4().PrimaryExternal()
exactMask := net.IPv4Mask(255, 255, 255, 255)
ipsecLocal := &net.IPNet{IP: internalIPv4, Mask: exactMask}
if newNode.IsLocal() {
wildcardIP := net.ParseIP(wildcardIPv4)
ipsecIPv4Wildcard := &net.IPNet{IP: wildcardIP, Mask: net.IPv4Mask(0, 0, 0, 0)}
errs = errors.Join(errs, n.replaceNodeIPSecInRoute(ipsecLocal))
spi, err = ipsec.UpsertIPsecEndpoint(ipsecLocal, ipsecIPv4Wildcard, internalIPv4, wildcardIP, 0, ipsec.IPSecDirIn, false)
errs = errors.Join(errs, upsertIPsecLog(err, "EncryptNode local IPv4", ipsecLocal, ipsecIPv4Wildcard, spi, 0))
} else {
if remoteIPv4 := newNode.GetNodeIP(false); remoteIPv4 != nil {
ipsecRemote := &net.IPNet{IP: remoteIPv4, Mask: exactMask}
errs = errors.Join(errs, n.replaceNodeExternalIPSecOutRoute(ipsecRemote))
spi, err = ipsec.UpsertIPsecEndpoint(ipsecLocal, ipsecRemote, internalIPv4, remoteIPv4, 0, ipsec.IPSecDirOutNode, false)
errs = errors.Join(errs, upsertIPsecLog(err, "EncryptNode IPv4", ipsecLocal, ipsecRemote, spi, 0))
}
remoteIPv4 := newNode.GetCiliumInternalIP(false)
if remoteIPv4 != nil {
mask := newNode.IPv4AllocCIDR.Mask
ipsecRemoteRoute := &net.IPNet{IP: remoteIPv4.Mask(mask), Mask: mask}
ipsecRemote := &net.IPNet{IP: remoteIPv4, Mask: mask}
ipsecWildcard := &net.IPNet{IP: net.ParseIP(wildcardIPv4), Mask: net.IPv4Mask(0, 0, 0, 0)}

errs = errors.Join(errs, n.replaceNodeExternalIPSecOutRoute(ipsecRemoteRoute))
if remoteIPv4T := newNode.GetNodeIP(false); remoteIPv4T != nil {
err = ipsec.UpsertIPsecEndpointPolicy(ipsecWildcard, ipsecRemote, internalIPv4, remoteIPv4T, 0, ipsec.IPSecDirOutNode)
}
errs = errors.Join(errs, upsertIPsecLog(err, "EncryptNode Cilium IPv4", ipsecWildcard, ipsecRemote, spi, 0))
}
}
}

if n.nodeConfig.EnableIPv6 {
internalIPv6 := n.nodeAddressing.IPv6().PrimaryExternal()
exactMask := net.CIDRMask(128, 128)
ipsecLocal := &net.IPNet{IP: internalIPv6, Mask: exactMask}
if newNode.IsLocal() {
wildcardIP := net.ParseIP(wildcardIPv6)
ipsecIPv6Wildcard := &net.IPNet{IP: wildcardIP, Mask: net.CIDRMask(0, 0)}
errs = errors.Join(errs, n.replaceNodeIPSecInRoute(ipsecLocal))
spi, err = ipsec.UpsertIPsecEndpoint(ipsecLocal, ipsecIPv6Wildcard, internalIPv6, wildcardIP, 0, ipsec.IPSecDirIn, false)
errs = errors.Join(errs, upsertIPsecLog(err, "EncryptNode local IPv6", ipsecLocal, ipsecIPv6Wildcard, spi, 0))
} else {
if remoteIPv6 := newNode.GetNodeIP(true); remoteIPv6 != nil {
ipsecRemote := &net.IPNet{IP: remoteIPv6, Mask: exactMask}
errs = errors.Join(errs, n.replaceNodeExternalIPSecOutRoute(ipsecRemote))
spi, err = ipsec.UpsertIPsecEndpoint(ipsecLocal, ipsecRemote, internalIPv6, remoteIPv6, 0, ipsec.IPSecDirOut, false)
errs = errors.Join(errs, upsertIPsecLog(err, "EncryptNode IPv6", ipsecLocal, ipsecRemote, spi, 0))
}
remoteIPv6 := newNode.GetCiliumInternalIP(true)
if remoteIPv6 != nil {
mask := newNode.IPv6AllocCIDR.Mask
ipsecRemoteRoute := &net.IPNet{IP: remoteIPv6.Mask(mask), Mask: mask}
ipsecRemote := &net.IPNet{IP: remoteIPv6, Mask: mask}
ipsecWildcard := &net.IPNet{IP: net.ParseIP(wildcardIPv6), Mask: net.CIDRMask(0, 0)}

errs = errors.Join(n.replaceNodeExternalIPSecOutRoute(ipsecRemoteRoute))
if remoteIPv6T := newNode.GetNodeIP(true); remoteIPv6T != nil {
err = ipsec.UpsertIPsecEndpointPolicy(ipsecWildcard, ipsecRemote, internalIPv6, remoteIPv6T, 0, ipsec.IPSecDirOutNode)
}
errs = errors.Join(errs, upsertIPsecLog(err, "EncryptNode Cilium IPv6", ipsecWildcard, ipsecRemote, spi, 0))
}
}
}
return errs
}
Expand Down Expand Up @@ -1284,7 +1199,7 @@ func (n *linuxNodeHandler) nodeUpdate(oldNode, newNode *nodeTypes.Node, firstAdd
n.diffAndUnmapNodeIPs(oldNode.IPAddresses, newNode.IPAddresses)
}

if n.nodeConfig.EnableIPSec && !n.nodeConfig.EncryptNode {
if n.nodeConfig.EnableIPSec {
errs = errors.Join(errs, n.enableIPsec(newNode, remoteNodeID))
newKey = newNode.EncryptionKey
}
Expand All @@ -1305,12 +1220,6 @@ func (n *linuxNodeHandler) nodeUpdate(oldNode, newNode *nodeTypes.Node, firstAdd
go n.insertNeighbor(context.Background(), newNode, false)
}

if n.nodeConfig.EnableIPSec && n.nodeConfig.EncryptNode && !n.subnetEncryption() {
if err := n.encryptNode(newNode); err != nil {
errs = errors.Join(errs, fmt.Errorf("failed to enable node encryption: %w", err))
}
}

// Local node update
if newNode.IsLocal() {
isLocalNode = true
Expand Down Expand Up @@ -1595,27 +1504,6 @@ func (n *linuxNodeHandler) createNodeIPSecOutRoute(ip *net.IPNet) route.Route {
}
}

func (n *linuxNodeHandler) createNodeExternalIPSecOutRoute(ip *net.IPNet, dflt bool) route.Route {
var tbl int
var mtu int

if dflt {
mtu = n.nodeConfig.MtuConfig.GetRouteMTU()
} else {
tbl = linux_defaults.RouteTableIPSec
mtu = n.nodeConfig.MtuConfig.GetRoutePostEncryptMTU()
}

// The default routing table accounts for encryption overhead for encrypt-node traffic
return route.Route{
Device: n.datapathConfig.HostDevice,
Prefix: *ip,
Table: tbl,
Proto: route.EncryptRouteProtocol,
MTU: mtu,
}
}

// replaceNodeIPSecOutRoute replace the out IPSec route in the host routing
// table with the new route. If no route exists the route is installed on the
// host. The caller must ensure that the CIDR passed in must be non-nil.
Expand All @@ -1637,32 +1525,6 @@ func (n *linuxNodeHandler) replaceNodeIPSecOutRoute(ip *net.IPNet) error {
return nil
}

// replaceNodeExternalIPSecOutRoute replace the out IPSec route in the host
// routing table with the new route. If no route exists the route is installed
// on the host. The caller must ensure that the CIDR passed in must be non-nil.
func (n *linuxNodeHandler) replaceNodeExternalIPSecOutRoute(ip *net.IPNet) error {
var errs error
if ip.IP.To4() != nil {
if !n.nodeConfig.EnableIPv4 {
return nil
}
} else {
if !n.nodeConfig.EnableIPv6 {
return nil
}
}

if err := route.Upsert(n.createNodeExternalIPSecOutRoute(ip, true)); err != nil {
log.WithError(err).WithField(logfields.CIDR, ip).Error("Unable to replace the IPSec route OUT the default routing table")
errs = errors.Join(errs, fmt.Errorf("failed to replace external ipsec routes: ipsec default route OUT: %w", err))
}
if err := route.Upsert(n.createNodeExternalIPSecOutRoute(ip, false)); err != nil {
log.WithError(err).WithField(logfields.CIDR, ip).Error("Unable to replace the IPSec route OUT the host routing table")
errs = errors.Join(errs, fmt.Errorf("failed to replace external ipsec routes: replace ipsec host route OUT: %w", err))
}
return errs
}

// The caller must ensure that the CIDR passed in must be non-nil.
func (n *linuxNodeHandler) deleteNodeIPSecOutRoute(ip *net.IPNet) error {
if ip.IP.To4() != nil {
Expand All @@ -1682,31 +1544,6 @@ func (n *linuxNodeHandler) deleteNodeIPSecOutRoute(ip *net.IPNet) error {
return nil
}

// The caller must ensure that the CIDR passed in must be non-nil.
func (n *linuxNodeHandler) deleteNodeExternalIPSecOutRoute(ip *net.IPNet) error {
var errs error
if ip.IP.To4() != nil {
if !n.nodeConfig.EnableIPv4 {
return nil
}
} else {
if !n.nodeConfig.EnableIPv6 {
return nil
}
}

if err := route.Delete(n.createNodeExternalIPSecOutRoute(ip, true)); err != nil {
log.WithError(err).WithField(logfields.CIDR, ip).Error("Unable to delete the IPsec route External OUT from the ipsec routing table")
errs = errors.Join(errs, fmt.Errorf("failed to delete ipsec route out: %w", err))
}

if err := route.Delete(n.createNodeExternalIPSecOutRoute(ip, false)); err != nil {
log.WithError(err).WithField(logfields.CIDR, ip).Error("Unable to delete the IPsec route External OUT from the host routing table")
errs = errors.Join(errs, fmt.Errorf("failed to delete ipsec host route out: %w", err))
}
return errs
}

// replaceNodeIPSecoInRoute replace the in IPSec routes in the host routing
// table with the new route. If no route exists the route is installed on the
// host. The caller must ensure that the CIDR passed in must be non-nil.
Expand Down Expand Up @@ -1747,13 +1584,6 @@ func (n *linuxNodeHandler) deleteIPsec(oldNode *nodeTypes.Node) error {
if !n.subnetEncryption() {
errs = errors.Join(errs, n.deleteNodeIPSecOutRoute(old4RouteNet))
}
if n.nodeConfig.EncryptNode {
if remoteIPv4 := oldNode.GetNodeIP(false); remoteIPv4 != nil {
exactMask := net.IPv4Mask(255, 255, 255, 255)
ipsecRemote := &net.IPNet{IP: remoteIPv4, Mask: exactMask}
errs = errors.Join(errs, n.deleteNodeExternalIPSecOutRoute(ipsecRemote))
}
}
}

if n.nodeConfig.EnableIPv6 && oldNode.IPv6AllocCIDR != nil {
Expand All @@ -1762,13 +1592,6 @@ func (n *linuxNodeHandler) deleteIPsec(oldNode *nodeTypes.Node) error {
if !n.subnetEncryption() {
n.deleteNodeIPSecOutRoute(old6RouteNet)
}
if n.nodeConfig.EncryptNode {
if remoteIPv6 := oldNode.GetNodeIP(true); remoteIPv6 != nil {
exactMask := net.CIDRMask(128, 128)
ipsecRemote := &net.IPNet{IP: remoteIPv6, Mask: exactMask}
errs = errors.Join(errs, n.deleteNodeExternalIPSecOutRoute(ipsecRemote))
}
}
}
return errs
}
Expand Down