Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[v1.15] route: Specify "proto kernel" for ip routes and rules #31777

Merged
merged 2 commits into from
Apr 9, 2024
Merged

[v1.15] route: Specify "proto kernel" for ip routes and rules #31777

merged 2 commits into from
Apr 9, 2024

Commits on Apr 9, 2024

  1. route: Specify "proto kernel" for ip routes and rules 

    [ upstream commit: 318a648 ]

v1.14 installs routes and rules with specific "proto kernel", v1.15
missed them. Without "proto kernel", it causes troubles when downgrade
from v1.15 to v1.14, as v1.14 is deleting routes with "proto kernel" but
there are no matching ones.

Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
    @jschwinger233
    jschwinger233 committed Apr 9, 2024
    Configuration menu
    Copy the full SHA
    2f3a8c8 View commit details
    Browse the repository at this point in the history

  2. route: Clean up ip rules with "proto unspec" 

    This commit adds "removeStaleProxyRulesIPvX()" which removes any ip
rules with "proto unspec" to ensure upgrade/downgrade goes smoothly.

Scenario 1: upgrade from v1.15-old to v1.15-tip
  v1.15-old cilium installs ip rules with "proto unspec", then
  v1.15-tip will install "duplicate" ip rules with "proto kernel".
  This is the moment when "removeStaleProxyRulesIPvX()" plays a role,
  it cleans those "proto unspec" stale rules without breaking
  connectivity.

Scenario 2: downgrade from v1.15-tip to v1.15-old
  v1.15-tip has rules with "proto kernel". When v1.15-old tries to
  "ReplaceRule()" with "proto unspec", thanks to
  [this](https://github.com/cilium/cilium/blob/v1.15.3/pkg/datapath/linux/route/route_linux.go#L402),
  "ReplaceRule()" won't replace the rules because they already exist
  (with a different proto). This ensures connectivity can survive
  the downgrade too.

Scenario 3: upgrade from v1.15-tip to v1.16
  Since v1.15-tip installs correct rules with "proto kernel", v1.16
  will do nothing after confirming existance by "lookupRule()". It
  should be painless as well.

This is a v1.15-only commit because:
1. v1.14 is still using bpf/init.sh which sets rules with "proto kernel"
   properly;
2. v1.16 has been fixed to set "proto kernel";
3. v1.15-tip -> v1.16 upgrade has been discussed above without any
   issue;

Also please note that we don't have to clean up leftover ip routes with
"proto unspec", because we replace them via "route.Upsert()" which
replaces the old ones unconditionally, leaving no stale routes.

Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
    @jschwinger233
    jschwinger233 committed Apr 9, 2024
    Configuration menu
    Copy the full SHA
    9796c77 View commit details
    Browse the repository at this point in the history