
bpf: avoid SNAT tracking for overlay traffic #31082

Merged (5 commits, Apr 5, 2024)

Commits on Apr 4, 2024

  1. bpf: nodeport: avoid setting SNAT-done mark for to-overlay

    When a packet gets SNATed in to-overlay, there is no point in setting the
    SNAT-done mark. Firstly, the mark refers to the *inner* packet, but all
    subsequent users will only see the outer headers. Also our own netfilter
    rules installed by installHostTrafficMarkRule() currently clear the mark
    for overlay traffic.
    
    Free up the mark for future usage.
    
    Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
    julianwiedmann committed Apr 4, 2024 (commit 2a5a262)
  2. datapath: mark to-overlay traffic

    To make smarter decisions at the native-device level (in to-netdev), mark
    traffic that is created by cilium's overlay interface.
    
    Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
    julianwiedmann committed Apr 4, 2024 (commit 409b508)
  3. bpf: nat: skip SNAT in to-netdev for overlay traffic

    Creating SNAT entries for our own overlay traffic makes little sense, in
    particular as the replies will not be addressed to the egressing packet's
    source port, but to TUNNEL_PORT.
    
    Avoiding such SNAT tracking reduces the pressure on the CT and NAT maps.
    
    Fixes: cilium#26908
    Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
    julianwiedmann committed Apr 4, 2024 (commit a3c2262)
  4. bpf: wireguard: add a TODO to use ctx_is_overlay()

    If we switch over straight away, there's potential for a short time period
    where to-netdev is already recompiled (and relies on the packet mark), but
    to-overlay is still producing traffic without the mark. Such traffic would
    then not get encrypted.
    
    Therefore wait until v1.17, when we can trust that the "new" to-overlay
    code is in place.
    
    Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
    julianwiedmann committed Apr 4, 2024 (commit 52de5f4)
  5. bpf: use ctx_is_overlay() in encrypted-overlay path

    This cleans up some raw packet parsing, and avoids false positives when
    non-Cilium endpoints send traffic to TUNNEL_PORT.
    
    Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
    julianwiedmann committed Apr 4, 2024 (commit 455a2c7)