New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
bpf: avoid SNAT tracking for overlay traffic #31082
Conversation
/test |
03d6d19
to
477fb78
Compare
/test |
477fb78
to
3ee08cb
Compare
/test |
b4c2415
to
31024f6
Compare
/test |
31024f6
to
f60b76f
Compare
/test |
f60b76f
to
b758bb4
Compare
/test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changes to the encrypted overlay bits check out to me.
I'm having a bit of trouble tracing out where TC runs in the egress vxlan driver path.
I'm going to assume we are setting the mark on the packet post-encap.
If we are not, the mark will get cleaned, and I assume this isn't occuring if the PR is tested.
Above comment is addressed here: |
To summarize some offline discussion - Louis' concern was that https://elixir.bootlin.com/linux/latest/source/net/ipv4/ip_tunnel_core.c#L60 would clear the mark. But that doesn't apply, as we don't switch net namespace ( |
In certain configs (basically when the node-to-node IPv4 address is also chosen as IPV4_MASQUERADE) the masquerade code in
to-netdev
decides that tunnel traffic is potentially conflicting with masqueraded traffic. We thus need to reserve the packet's source port ("track it"), and potentially even SNAT it.Creating SNAT entries for tunnel traffic makes little sense - in particular as the replies will not be addressed to the packet's source port, but to
TUNNEL_PORT
. Doing it anyway results in pressure on the CT and NAT maps.Improve this by marking such traffic in
to-overlay
, and then bypassing the masquerading logic into-netdev
accordingly. Also use the mark to detect overlay traffic for the recently introduced encrypted-overlay feature. For wireguard we're a bit more careful, to avoid missing unmarked traffic during an upgrade.Fixes: #26908