[1.12] Author backport of #29239 "Dns proxy use original source address and port" #30217
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jrajahalme
added
kind/backports
jrajahalme
force-pushed
the
dns-proxy-use-original-source-address-and-port-v1.12
branch
from
704e1ee
to
1fbdcfc
Compare
jrajahalme
force-pushed
the
dns-proxy-use-original-source-address-and-port-v1.12
branch
from
1fbdcfc
to
9eb9a26
Compare
|
/test-backport-1.12 Job 'Cilium-PR-K8s-1.19-kernel-4.9' failed: Click to show.Test NameFailure OutputJenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.19-kernel-4.9/343/ If it is a flake and a GitHub issue doesn't already exist to track it, comment Then please upload the Jenkins artifacts to that issue. |
|
/test-1.19-4.9 |
[ upstream commit 94f6553 ] Set transparent, reuseaddr, and reuseport options and use the original source address on connections from DNS proxy to DNS servers to allow use of non-local source address as well as recreate sockets on the same 5-tuple without needing to wait for the TCP TIME_WAIT to finish. Use the MagicMarkEgress mark on connections to the dns servers instead the generic MagicMarkIdentity. Use original source address in connections to dns servers when the source address is not one of the host IPs. The original source address and port can not be reused if there is already socket with them to the same destination on the same networking namespace. Use new dns.SharedClients to reuse DNS clients between all requests that originate from the same source address and port. This allows multiple different requests to be pending at the same time on the same dns Client, which happens whenever the source pod sends multiple DNS requests from the same resolver invocation, e.g., for A and AAAA records. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit 824e969 ] Do not use original source for server running in the local node, or when the destination is outside of the cluster, as there is a risk of missing masquarade on the upstream connection. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit 35162d1 ] Add dnsproxy-enable-transparent-mode option to enable DNS Proxy transparent mode. If 'true', Cilium DNS proxy will use the original source address of the source pod in the forwarded DNS requests. Local host sources and destinations are excepted due to networking stack compatibility reasons, but the use of the original address is typically not significant for node local traffic. Defaults to 'false' for backwards compatibility for upgrades, or to 'true' for Cilium 1.12 onwards. Transparent mode is not compatible with CNI chaning modes, so if CNI chaining is used, transparent mode will not be set unless explicitly set with helm value 'dnsProxy.enableTransparentMode=true'. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
jrajahalme
force-pushed
the
dns-proxy-use-original-source-address-and-port-v1.12
branch
from
9eb9a26
to
c7f7739
Compare
|
Rebased to pick up Ci fixes. |
|
/test-backport-1.12 |
pippolo84
reviewed
Jan 15, 2024
| } | ||
|
|
||
| // Set IP_TRANSPARENT to be able to use a non-host address as the source address | ||
| if err := transparentSetsockopt(fd, ipv4, !ipv4); err != nil { |
There was a problem hiding this comment.
Same comment as for v1.13 backport: Differently from v1.14 onwards, here we are calling transparentSetsockopt and thus also setting IP_RECVORIGDSTADDR. I don't think this makes any actual difference, but maybe it is better to just set IP_TRANSPARENT or IPV6_TRANSPARENT according to the ipv4 flag.
dylandreimerink
approved these changes
Jan 15, 2024
|
/test-1.16-4.9 |
maintainer-s-little-helper
bot
added
the
ready-to-merge
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Once this PR is merged, a GitHub action will update the labels of these PRs: