New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
bpf: l3: restore MARK_MAGIC_PROXY_INGRESS for from-proxy traffic #29721
Merged
julianwiedmann
merged 2 commits into
cilium:main
from
julianwiedmann:1.15-bpf-2005-local-delivery
Dec 8, 2023
Merged
bpf: l3: restore MARK_MAGIC_PROXY_INGRESS for from-proxy traffic #29721
julianwiedmann
merged 2 commits into
cilium:main
from
julianwiedmann:1.15-bpf-2005-local-delivery
Dec 8, 2023
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Member
julianwiedmann
commented
Dec 8, 2023
•
edited
edited
In addition to MARK_MAGIC_IDENTITY, an skb->mark with MARK_MAGIC_PROXY_{INGRESS,EGRESS} can also carry a security identity value. Currently only the proxy creates such marks. But in a subsequent patch we need to restore the proxy's mark when forwarding a packet. Therefore enable the caller to specify what kind of magic ID they want in the mark, along with the security identity. Just prep work, no functional change. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
With cilium#29530 in place, we now also divert proxy traffic to cilium_host when per-EP routes are enabled. But we potentially still need to deliver this traffic to a local endpoint - say for a pod-to-pod connection on the same node, with L7 proxy inbetween. In a configuration with per-EP routes but no BPF Host-Routing, l3_local_delivery() transfers the source identity to the skb->mark and redirects to bpf_lxc, where the to-container program handles the packet. If we transfer the packet with MARK_MAGIC_IDENTITY, to-container will look up the network policy and redirect to the L7 proxy *again*. Thus we need to fully restore the proxy's actual mark, so that to-container's inherit_identity_from_host() call finds the expected magic ID. It then sets the TC_INDEX_F_FROM_INGRESS_PROXY flag, and skips the redirect to L7 proxy. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
maintainer-s-little-helper
bot
added
the
dont-merge/needs-release-note-label
The author needs to describe the release impact of these changes.
label
Dec 8, 2023
julianwiedmann
added
sig/datapath
Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
area/proxy
Impacts proxy components, including DNS, Kafka, Envoy and/or XDS servers.
area/encryption
Impacts encryption support such as IPSec, WireGuard, or kTLS.
feature/ipsec
Relates to Cilium's IPsec feature
kind/bug
This is a bug in the Cilium logic.
release-note/misc
This PR makes changes that have no direct user impact.
labels
Dec 8, 2023
maintainer-s-little-helper
bot
removed
the
dont-merge/needs-release-note-label
The author needs to describe the release impact of these changes.
label
Dec 8, 2023
julianwiedmann
changed the title
1.15 bpf 2005 local delivery
bpf: l3: restore MARK_MAGIC_PROXY_INGRESS for from-proxy traffic
Dec 8, 2023
/test |
julianwiedmann
added
the
dont-merge/discussion
A discussion is ongoing and should be resolved before merging, regardless of reviews & tests status.
label
Dec 8, 2023
julianwiedmann
requested review from
markpash and
jschwinger233
and removed request for
markpash
December 8, 2023 09:21
jschwinger233
approved these changes
Dec 8, 2023
Not within scope of this PR, just want to say variable name |
julianwiedmann
removed
the
dont-merge/discussion
A discussion is ongoing and should be resolved before merging, regardless of reviews & tests status.
label
Dec 8, 2023
maintainer-s-little-helper
bot
added
the
ready-to-merge
This PR has passed all tests and received consensus from code owners to merge.
label
Dec 8, 2023
julianwiedmann
added
needs-backport/1.12
backport/author
The backport will be carried out by the author of the PR.
needs-backport/1.13
This PR / issue needs backporting to the v1.13 branch
needs-backport/1.14
This PR / issue needs backporting to the v1.14 branch
labels
Dec 8, 2023
6 tasks
julianwiedmann
added
backport-pending/1.14
The backport for Cilium 1.14.x for this PR is in progress.
and removed
needs-backport/1.14
This PR / issue needs backporting to the v1.14 branch
labels
Mar 5, 2024
7 tasks
julianwiedmann
added
backport-pending/1.13
The backport for Cilium 1.13.x for this PR is in progress.
and removed
needs-backport/1.13
This PR / issue needs backporting to the v1.13 branch
needs-backport/1.12
labels
Mar 5, 2024
github-actions
bot
added
backport-done/1.14
The backport for Cilium 1.14.x for this PR is done.
backport-done/1.13
The backport for Cilium 1.13.x for this PR is done.
and removed
backport-pending/1.14
The backport for Cilium 1.14.x for this PR is in progress.
backport-pending/1.13
The backport for Cilium 1.13.x for this PR is in progress.
labels
Mar 7, 2024
This was referenced Mar 13, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
area/encryption
Impacts encryption support such as IPSec, WireGuard, or kTLS.
area/proxy
Impacts proxy components, including DNS, Kafka, Envoy and/or XDS servers.
backport/author
The backport will be carried out by the author of the PR.
backport-done/1.13
The backport for Cilium 1.13.x for this PR is done.
backport-done/1.14
The backport for Cilium 1.14.x for this PR is done.
feature/ipsec
Relates to Cilium's IPsec feature
kind/bug
This is a bug in the Cilium logic.
ready-to-merge
This PR has passed all tests and received consensus from code owners to merge.
release-note/misc
This PR makes changes that have no direct user impact.
sig/datapath
Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.