Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bpf: host: also handle from-egress proxy traffic #30095

Merged
merged 3 commits into from Jan 4, 2024
Merged

bpf: host: also handle from-egress proxy traffic #30095

merged 3 commits into from Jan 4, 2024

Conversation

jschwinger233
Copy link
Member

@jschwinger233 jschwinger233 commented Jan 4, 2024
edited

See commit messages for details.

Fixes proxy issues in egress direction

@jschwinger233
iptables: preserve encrypt mark for egress proxy forward traffic
5b7f193 
Once forward traffic for an egress proxy connection has traversed through
cilium_host / cilium_net, we expect IPsec-marked packets to get handled
by xfrm. But this currently conflicts with an iptables rule for the
proxy's transparent socket, which then over-writes the mark:

    -A CILIUM_PRE_mangle -m socket --transparent -m comment --comment "cilium: any->pod redirect proxied traffic to host proxy" -j MARK --set-xmark 0x200/0xffffffff

We can avoid this by adding an extra filter to this rule, so that it
doesn't match IPsec-marked packets.

Signed-off-by: Zhichuan Liang<gray.liang@isovalent.com>
@jschwinger233
datapath: disable net.ipv4.ip_early_demux for IPsec + L7 proxy
e66ed12 
After forward traffic for an egress proxy onnection has traversed through
cilium_host / cilium_net, we expect IPsec-marked packets to get handled
by xfrm.

This currently conflicts with early demux, which matches the connection's
transparent socket and assigns it to the packet:

```
// https://elixir.bootlin.com/linux/v6.2/source/net/ipv4/tcp_ipv4.c#L1770
int tcp_v4_early_demux(struct sk_buff *skb)
{
...
	sk = __inet_lookup_established(net, net->ipv4.tcp_death_row.hashinfo,
				       iph->saddr, th->source,
				       iph->daddr, ntohs(th->dest),
				       skb->skb_iif, inet_sdif(skb));
	if (sk) {
		skb->sk = sk;
...
}
```

It then gets dropped in ip_forward(), before reaching xfrm:

```
// https://elixir.bootlin.com/linux/v6.2/source/net/ipv4/ip_forward.c#L100
int ip_forward(struct sk_buff *skb)
{
...
    if (unlikely(skb->sk))
		goto drop;
...
}
```

To avoid this we disable early-demux in a L7 + IPsec config.

Note that the L7 proxy feature needs to deal with similar troubles, as the
comment for inboundProxyRedirectRule() describes. Ideally we would build
a similar solution for IPsec, diverting traffic with policy routing so that
it doesn't get intercepted by early-demux.

Signed-off-by: Zhichuan Liang<gray.liang@isovalent.com>
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@jschwinger233
bpf: host: also handle from-egress proxy traffic
f79bb99 
The from-host path already knows how to handle traffic that comes from
the ingress proxy. Extend this logic to also cover traffic that originates
from the egress proxy.

Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jan 4, 2024
@jschwinger233
Copy link
Member Author

/test

@julianwiedmann julianwiedmann self-requested a review January 4, 2024 07:20
@jschwinger233 jschwinger233 marked this pull request as ready for review January 4, 2024 07:25
@jschwinger233 jschwinger233 requested a review from a team as a code owner January 4, 2024 07:25
@jschwinger233 jschwinger233 added area/proxy Impacts proxy components, including DNS, Kafka, Envoy and/or XDS servers. kind/bug This is a bug in the Cilium logic. release-note/bug This PR fixes an issue in a previous release of Cilium. labels Jan 4, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jan 4, 2024
@jschwinger233 jschwinger233 added backport/author The backport will be carried out by the author of the PR. needs-backport/1.12 needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch needs-backport/1.15 This PR / issue needs backporting to the v1.15 branch labels Jan 4, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in v1.15.0-rc.1 Jan 4, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.14.6 Jan 4, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.13.11 Jan 4, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.12.18 Jan 4, 2024
@jschwinger233 jschwinger233 added the sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. label Jan 4, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jan 4, 2024
@julianwiedmann julianwiedmann added this pull request to the merge queue Jan 4, 2024
Merged via the queue into cilium:main with commit e96e9cd Jan 4, 2024
63 checks passed
@gentoo-root gentoo-root added this to Needs backport from main in 1.12.19 Jan 17, 2024
@gentoo-root gentoo-root removed this from Needs backport from main in 1.12.18 Jan 17, 2024
@gentoo-root gentoo-root added this to Needs backport from main in 1.13.12 Jan 17, 2024
@michi-covalent michi-covalent added this to Needs backport from main in 1.14.8 Feb 13, 2024
@michi-covalent michi-covalent removed this from Needs backport from main in 1.14.7 Feb 13, 2024
@michi-covalent michi-covalent added this to Needs backport from main in 1.13.13 Feb 13, 2024
@michi-covalent michi-covalent removed this from Needs backport from main in 1.13.12 Feb 13, 2024
@michi-covalent michi-covalent added this to Needs backport from main in 1.15.2 Feb 14, 2024
@michi-covalent michi-covalent removed this from Needs backport from main in 1.15.1 Feb 14, 2024
@julianwiedmann julianwiedmann mentioned this pull request Mar 5, 2024
Merged
3 tasks
@julianwiedmann julianwiedmann added backport-pending/1.15 The backport for Cilium 1.15.x for this PR is in progress. and removed needs-backport/1.15 This PR / issue needs backporting to the v1.15 branch labels Mar 5, 2024
@julianwiedmann julianwiedmann mentioned this pull request Mar 5, 2024
Merged
6 tasks
@julianwiedmann julianwiedmann added backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. and removed needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch labels Mar 5, 2024
@julianwiedmann julianwiedmann mentioned this pull request Mar 5, 2024
Merged
7 tasks
@julianwiedmann julianwiedmann added backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. and removed needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch needs-backport/1.12 labels Mar 5, 2024
@github-actions github-actions bot added backport-done/1.15 The backport for Cilium 1.15.x for this PR is done. backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. and removed backport-pending/1.15 The backport for Cilium 1.15.x for this PR is in progress. backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. labels Mar 6, 2024
@jrajahalme jrajahalme moved this from Needs backport from main to Backport done to v1.15 in 1.15.2 Mar 13, 2024
@jrajahalme jrajahalme mentioned this pull request Mar 13, 2024
Merged
@thorn3r thorn3r moved this from Needs backport from main to Backport done to v1.13 in 1.13.13 Mar 13, 2024
This was referenced Mar 13, 2024
Closed
Merged
@thorn3r thorn3r moved this from Needs backport from main to Backport done to v1.14 in 1.14.8 Mar 13, 2024
@thorn3r thorn3r mentioned this pull request Mar 13, 2024
Merged
@jschwinger233 jschwinger233 mentioned this pull request Apr 16, 2024
Open
9 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@julianwiedmann julianwiedmann julianwiedmann approved these changes

Assignees
No one assigned
Labels
area/proxy Impacts proxy components, including DNS, Kafka, Envoy and/or XDS servers. backport/author The backport will be carried out by the author of the PR. backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. backport-done/1.15 The backport for Cilium 1.15.x for this PR is done. kind/bug This is a bug in the Cilium logic. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/bug This PR fixes an issue in a previous release of Cilium. sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
Projects
1.12.20
Needs backport from main
1.13.13
Backport done to v1.13
1.14.8
Backport done to v1.14
1.15.2
Backport done to v1.15
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@jschwinger233 @julianwiedmann