v1.13 Backports 2023-11-29 #29475
Merged
v1.13 Backports 2023-11-29 #29475
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
joamaki
added
kind/backports
giorio94
approved these changes
Nov 29, 2023
[ upstream commit 2393707 ] With eff26cf ("datapath: Fix double SNAT") the outbound SNAT path now sets ctx_snat_done_set() after checking whether a packet requires SNAT. This was meant to avoid double-NATing when a packet passes through multiple network interfaces with a to-netdev program. But looking at the SNAT code in detail, some of its conditions only apply on specific interfaces (see nodeport_has_nat_conflict_ipv4(), which checks for `NATIVE_DEV_IFINDEX == DIRECT_ROUTING_DEV_IFINDEX`). So if a packet passes through multiple interfaces which all have `to-netdev` attached, the first `to-netdev` program might set SNAT_DONE even when some subsequent program (attached to DIRECT_ROUTING_DEV_IFINDEX) would still want to apply SNAT to the packet. Therefore we should apply the SNAT checks on *each* interface, until we have actually SNATed the packet. Only then set the SNAT_DONE marker. Note that this also fixes an EgressGW bug in nodeport_snat_fwd_ipv4(), where we would redirect the packet even if snat_v4_nat() reported an error. Fixes: eff26cf ("datapath: Fix double SNAT") Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com>
[ upstream commit f7a58af ] The SPI parsing logic is fairly complex so let's move it to its own function and write a unit test for that. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Jussi Maki <jussi@isovalent.com>
[ upstream commit ba3fa89 ] ipSecJoinState is never called without ipSecNewState and vice versa. So let's just merge both to have all XFRM state initialization in the same place. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Jussi Maki <jussi@isovalent.com>
[ upstream commit a587b88 ] Currently, we only wait for the images from the current PR/main to be available in the clustermesh upgrade tests. Yet, it can happen that the ones from the stable branch are not available (either because they are being built, or something went wrong), leading to confusing failures (as the installation eventually fails due to ImagePullBackOff errors). To prevent this, let's add an explicit step to additionally wait for downgrade images to be available before proceeding with the installation step, so that also the error message is clear. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com>
[ upstream commit a6e22ba ] To detect that the key rotation began or that it successfully ended, we rely on the number of keys in use reported by `cilium-dbg encrypt status`. When either of those steps times out, it would be good to have information on what the number of keys was. This commit adds that debug information to the test. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Jussi Maki <jussi@isovalent.com>
joamaki
force-pushed
the
pr/v1.13-backport-2023-11-29
branch
from
1ea201b
to
9317627
Compare
pchaigno
approved these changes
Nov 30, 2023
julianwiedmann
approved these changes
Nov 30, 2023
|
/test-backport-1.13 Job 'Cilium-PR-K8s-1.21-kernel-4.19' failed: Click to show.Test NameFailure OutputJenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.21-kernel-4.19/279/ If it is a flake and a GitHub issue doesn't already exist to track it, comment Then please upload the Jenkins artifacts to that issue. |
|
/test-1.16-4.19 |
|
/test-1.21-4.19 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
PRs skipped due to conflicts:
Once this PR is merged, a GitHub action will update the labels of these PRs: