Revert "daemon: Forbid IPv6 BPF masquerading with the host firewall" #31511

Merged
merged 1 commit into from Mar 21, 2024

qmonnet (Member) commented Mar 19, 2024

This reverts commit 934e1f2.

Since commit 9c1031e ("bpf: fix missing ipv6 ct entry for snated traffic"), IPv6 BPF masquerading and the host firewall are compatible in the datapath. Let's allow them to be used together, and use the combination in tests.

CC: @oblazek
Supersedes: #26323

Allow the Host Firewall and IPv6 BPF masquerading to be used together.

Signed-off-by: Quentin Monnet <qmo@qmon.net>
@qmonnet added labels Mar 19, 2024:
- sig/datapath: Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
- release-note/minor: This PR changes functionality that users may find relevant to operating Cilium.
- area/host-firewall: Impacts the host firewall or the host endpoint.
- ci/host-firewall: This label enables the host firewall by default in all CI tests.
- feature/ipv6: Relates to IPv6 protocol support
- feature/snat: Relates to SNAT or Masquerading of traffic

@qmonnet requested review from a team as code owners March 19, 2024 17:49
qmonnet (Member, Author) commented Mar 19, 2024

/test

julianwiedmann (Member) commented Mar 20, 2024

> Since commit 9c1031e ("bpf: fix missing ipv6 ct entry for snated traffic"), IPv6 BPF masquerading and the host firewall are compatible in the datapath. Let's allow them to be used together, and use the combination in tests.

From what I remember in #23165, we were concerned about HostFW and IPv6 BPF Masq interacting.

But turns out the problematic interaction was for HostFW and iptables Masquerading (ie. when BPF Masq is disabled). This is what #28813 fixed. So afaik there were no actual problems for HostFW and IPv6 BPF Masq, and 👍 on allowing this combo.

We could even backport, but at this point I don't see the need.

@maintainer-s-little-helper bot added the ready-to-merge label (This PR has passed all tests and received consensus from code owners to merge.) Mar 21, 2024
@nathanjsweet nathanjsweet added this pull request to the merge queue Mar 21, 2024
Merged via the queue into main with commit cfed66e Mar 21, 2024
227 checks passed
@nathanjsweet nathanjsweet deleted the pr/qmonnet/masq6-hfw branch March 21, 2024 17:12