Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bpf: l3: restore MARK_MAGIC_PROXY_INGRESS for from-proxy traffic #29721

Merged
merged 2 commits into from Dec 8, 2023
Merged

bpf: l3: restore MARK_MAGIC_PROXY_INGRESS for from-proxy traffic #29721

merged 2 commits into from Dec 8, 2023

Conversation

julianwiedmann
Copy link
Member

@julianwiedmann julianwiedmann commented Dec 8, 2023
edited

With #29530 in place, we now also
divert proxy traffic to cilium_host when per-EP routes are enabled. But we
potentially still need to deliver this traffic to a local endpoint - say
for a pod-to-pod connection on the same node, with L7 proxy inbetween.

In a configuration with per-EP routes but no BPF Host-Routing,
l3_local_delivery() transfers the source identity to the skb->mark and
redirects to bpf_lxc, where the to-container program handles the packet.

If we transfer the packet with MARK_MAGIC_IDENTITY, to-container will
look up the network policy and redirect to the L7 proxy again. Thus we
need to fully restore the proxy's actual mark, so that to-container's
inherit_identity_from_host() call finds the expected magic ID. It then
sets the TC_INDEX_F_FROM_INGRESS_PROXY flag, and skips the redirect to
L7 proxy.

@julianwiedmann
bpf: allow caller to specify magic for set_identity_mark()
a522811 
In addition to MARK_MAGIC_IDENTITY, an skb->mark with
MARK_MAGIC_PROXY_{INGRESS,EGRESS} can also carry a security identity value.

Currently only the proxy creates such marks. But in a subsequent patch we
need to restore the proxy's mark when forwarding a packet. Therefore enable
the caller to specify what kind of magic ID they want in the mark, along
with the security identity.

Just prep work, no functional change.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@julianwiedmann
bpf: l3: restore MARK_MAGIC_PROXY_INGRESS for from-proxy traffic
0d8785c 
With cilium#29530 in place, we now also
divert proxy traffic to cilium_host when per-EP routes are enabled. But we
potentially still need to deliver this traffic to a local endpoint - say
for a pod-to-pod connection on the same node, with L7 proxy inbetween.

In a configuration with per-EP routes but no BPF Host-Routing,
l3_local_delivery() transfers the source identity to the skb->mark and
redirects to bpf_lxc, where the to-container program handles the packet.

If we transfer the packet with MARK_MAGIC_IDENTITY, to-container will
look up the network policy and redirect to the L7 proxy *again*. Thus we
need to fully restore the proxy's actual mark, so that to-container's
inherit_identity_from_host() call finds the expected magic ID. It then
sets the TC_INDEX_F_FROM_INGRESS_PROXY flag, and skips the redirect to
L7 proxy.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Dec 8, 2023
@julianwiedmann julianwiedmann added sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. area/proxy Impacts proxy components, including DNS, Kafka, Envoy and/or XDS servers. area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. feature/ipsec Relates to Cilium's IPsec feature kind/bug This is a bug in the Cilium logic. release-note/misc This PR makes changes that have no direct user impact. labels Dec 8, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Dec 8, 2023
@julianwiedmann julianwiedmann changed the title 1.15 bpf 2005 local delivery bpf: l3: restore MARK_MAGIC_PROXY_INGRESS for from-proxy traffic Dec 8, 2023
@julianwiedmann
Copy link
Member Author

/test

@julianwiedmann julianwiedmann added the dont-merge/discussion A discussion is ongoing and should be resolved before merging, regardless of reviews & tests status. label Dec 8, 2023
@julianwiedmann julianwiedmann marked this pull request as ready for review December 8, 2023 09:21
@julianwiedmann julianwiedmann requested a review from a team as a code owner December 8, 2023 09:21
@julianwiedmann julianwiedmann requested review from markpash and jschwinger233 and removed request for markpash December 8, 2023 09:21
@jschwinger233
Copy link
Member

Not within scope of this PR, just want to say variable name magic is magic 🪄
However I can't think of any better idea either

@julianwiedmann julianwiedmann removed the dont-merge/discussion A discussion is ongoing and should be resolved before merging, regardless of reviews & tests status. label Dec 8, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Dec 8, 2023
@julianwiedmann julianwiedmann added this pull request to the merge queue Dec 8, 2023
@julianwiedmann julianwiedmann added needs-backport/1.12 backport/author The backport will be carried out by the author of the PR. needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch labels Dec 8, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.12.17 Dec 8, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.14.5 Dec 8, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.13.10 Dec 8, 2023
@nebril nebril removed this from Needs backport from main in 1.13.10 Dec 11, 2023
@nebril nebril added this to Needs backport from main in 1.12.18 Dec 11, 2023
@nebril nebril removed this from Needs backport from main in 1.12.17 Dec 11, 2023
@joestringer joestringer mentioned this pull request Dec 14, 2023
Merged
@gentoo-root gentoo-root added this to Needs backport from main in 1.12.19 Jan 17, 2024
@gentoo-root gentoo-root removed this from Needs backport from main in 1.12.18 Jan 17, 2024
@gentoo-root gentoo-root added this to Needs backport from main in 1.13.12 Jan 17, 2024
@gentoo-root gentoo-root removed this from Needs backport from main in 1.13.11 Jan 17, 2024
@gentoo-root gentoo-root added this to Needs backport from main in 1.14.7 Jan 17, 2024
@gentoo-root gentoo-root removed this from Needs backport from main in 1.14.6 Jan 17, 2024
@michi-covalent michi-covalent added this to Needs backport from main in 1.12.20 Feb 12, 2024
@michi-covalent michi-covalent removed this from Needs backport from main in 1.12.19 Feb 12, 2024
@michi-covalent michi-covalent added this to Needs backport from main in 1.14.8 Feb 13, 2024
@michi-covalent michi-covalent removed this from Needs backport from main in 1.14.7 Feb 13, 2024
@michi-covalent michi-covalent added this to Needs backport from main in 1.13.13 Feb 13, 2024
@michi-covalent michi-covalent removed this from Needs backport from main in 1.13.12 Feb 13, 2024
@julianwiedmann julianwiedmann mentioned this pull request Mar 5, 2024
Merged
6 tasks
@julianwiedmann julianwiedmann added backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. and removed needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch labels Mar 5, 2024
@julianwiedmann julianwiedmann mentioned this pull request Mar 5, 2024
Merged
7 tasks
@julianwiedmann julianwiedmann added backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. and removed needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch needs-backport/1.12 labels Mar 5, 2024
@github-actions github-actions bot added backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. and removed backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. labels Mar 7, 2024
This was referenced Mar 13, 2024
Closed
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jschwinger233 jschwinger233 jschwinger233 approved these changes

Assignees
No one assigned
Labels
area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. area/proxy Impacts proxy components, including DNS, Kafka, Envoy and/or XDS servers. backport/author The backport will be carried out by the author of the PR. backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. feature/ipsec Relates to Cilium's IPsec feature kind/bug This is a bug in the Cilium logic. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/misc This PR makes changes that have no direct user impact. sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
Projects
1.12.20
Needs backport from main
1.13.13
Needs backport from main
1.14.8
Needs backport from main
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@julianwiedmann @jschwinger233