[1.12] Author backport of #29239 "Dns proxy use original source address and port" #30217
Conversation
/test-backport-1.12

Job 'Cilium-PR-K8s-1.19-kernel-4.9' failed.
Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.19-kernel-4.9/343/
If it is a flake and a GitHub issue doesn't already exist to track it, comment Then please upload the Jenkins artifacts to that issue.

/test-1.19-4.9
[ upstream commit 94f6553 ] Set transparent, reuseaddr, and reuseport options and use the original source address on connections from DNS proxy to DNS servers to allow use of a non-local source address as well as recreating sockets on the same 5-tuple without needing to wait for the TCP TIME_WAIT to finish. Use the MagicMarkEgress mark on connections to the DNS servers instead of the generic MagicMarkIdentity. Use the original source address in connections to DNS servers when the source address is not one of the host IPs. The original source address and port cannot be reused if there is already a socket with them to the same destination in the same networking namespace. Use new dns.SharedClients to reuse DNS clients between all requests that originate from the same source address and port. This allows multiple different requests to be pending at the same time on the same DNS Client, which happens whenever the source pod sends multiple DNS requests from the same resolver invocation, e.g., for A and AAAA records. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit 824e969 ] Do not use the original source for a server running in the local node, or when the destination is outside of the cluster, as there is a risk of missing masquerade on the upstream connection. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit 35162d1 ] Add dnsproxy-enable-transparent-mode option to enable DNS Proxy transparent mode. If 'true', Cilium DNS proxy will use the original source address of the source pod in the forwarded DNS requests. Local host sources and destinations are excepted due to networking stack compatibility reasons, but the use of the original address is typically not significant for node local traffic. Defaults to 'false' for backwards compatibility for upgrades, or to 'true' for Cilium 1.12 onwards. Transparent mode is not compatible with CNI chaining modes, so if CNI chaining is used, transparent mode will not be set unless explicitly set with helm value 'dnsProxy.enableTransparentMode=true'. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Rebased to pick up CI fixes.

/test-backport-1.12
    }

    // Set IP_TRANSPARENT to be able to use a non-host address as the source address
    if err := transparentSetsockopt(fd, ipv4, !ipv4); err != nil {
Same comment as for the v1.13 backport: differently from v1.14 onwards, here we are calling transparentSetsockopt and thus also setting IP_RECVORIGDSTADDR. I don't think this makes any actual difference, but maybe it is better to just set IP_TRANSPARENT or IPV6_TRANSPARENT according to the ipv4 flag.
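As an added illustration (not code from this PR or from Cilium), the socket options the commit message describes, with IP_TRANSPARENT or IPV6_TRANSPARENT chosen by the ipv4 flag as the review above suggests, next to the source-address policy from the commit messages. The option numbers are Linux constants; the mark value is a parameter because the page does not give MagicMarkEgress's value, and hostIPs and the cluster CIDR are assumed inputs.

```go
package main

import (
	"fmt"
	"net"
	"syscall"
)

// Linux values from <asm/socket.h>, <linux/in.h> and <linux/in6.h>.
const (
	solSocket, soReuseAddr, soReusePort, soMark            = 1, 2, 15, 36
	ipprotoIP, ipTransparent, ipprotoIPv6, ipv6Transparent = 0, 19, 41, 75
)

type sockopt struct{ level, name, value int }

// transparentOpts lists what the proxy sets before binding a pod address as the
// source: SO_REUSEADDR+SO_REUSEPORT so a 5-tuple is reusable without waiting out
// TIME_WAIT, SO_MARK for the egress mark, and exactly one of IP_TRANSPARENT /
// IPV6_TRANSPARENT chosen by address family, as the reviewer suggests.
func transparentOpts(ipv4 bool, mark int) []sockopt {
	opts := []sockopt{{solSocket, soReuseAddr, 1}, {solSocket, soReusePort, 1}, {solSocket, soMark, mark}}
	if ipv4 {
		return append(opts, sockopt{ipprotoIP, ipTransparent, 1})
	}
	return append(opts, sockopt{ipprotoIPv6, ipv6Transparent, 1})
}

// useOriginalSource is the policy from the commit messages: keep the pod's source
// only when neither endpoint is a host IP and the server is inside the cluster,
// since a reply to a pod address from outside the cluster could miss masquerading.
func useOriginalSource(src, dst net.IP, hostIPs []net.IP, cluster *net.IPNet) bool {
	for _, h := range hostIPs {
		if h.Equal(src) || h.Equal(dst) {
			return false
		}
	}
	return cluster.Contains(dst)
}

// applyOpts sets the options on a socket fd, e.g. from a net.Dialer.Control
// callback before connect(). IP_TRANSPARENT requires CAP_NET_ADMIN.
func applyOpts(fd int, opts []sockopt) error {
	for _, o := range opts {
		if err := syscall.SetsockoptInt(fd, o.level, o.name, o.value); err != nil {
			return fmt.Errorf("setsockopt(level %d, opt %d): %w", o.level, o.name, err)
		}
	}
	return nil
}
```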
/test-1.16-4.9
Once this PR is merged, a GitHub action will update the labels of these PRs: