bpf: host: restore HostFW for overlay traffic in to-netdev #31818

Merged
merged 2 commits into from Apr 9, 2024

Conversation

julianwiedmann
Member

#31082 missed one detail in how the HostFW was relying on the packet mark. Restore the old behaviour.

@julianwiedmann julianwiedmann added kind/bug This is a bug in the Cilium logic. sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. release-note/misc This PR makes changes that have no direct user impact. area/host-firewall Impacts the host firewall or the host endpoint. backport/author The backport will be carried out by the author of the PR. needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch needs-backport/1.15 This PR / issue needs backporting to the v1.15 branch labels Apr 8, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.15.4 Apr 8, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.14.10 Apr 8, 2024
@julianwiedmann
Member Author

Note that I'm not 100% sure whether we want this behaviour - there's an argument to be made that the HostFW should disregard pod-originating traffic, even if the traffic is encapsulated. We have that opportunity now. But if we want to make that change, let's do it intentionally and not just slip it in.

@julianwiedmann
Member Author

/test

@julianwiedmann julianwiedmann marked this pull request as ready for review April 8, 2024 02:13
@julianwiedmann julianwiedmann requested a review from a team as a code owner April 8, 2024 02:13
Prior to 2860ded ("datapath: mark to-overlay traffic"), overlay
traffic would reach the HostFW egress path in to-netdev with
MARK_MAGIC_HOST set. Restore this behaviour by also assigning HOST_ID for
traffic that has MARK_MAGIC_OVERLAY set.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

As we now have a mark-derived src_sec_identity available, we might as well
share this bit of information with the user.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
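
A simplified model of the mark handling the two commit messages above describe, added here as an example; it is not the code from this PR. The numeric mark values, `UNKNOWN_ID`, the identity-in-mark layout, the enforcement rule and both function names are assumptions made for the sketch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values for this sketch; confirm against the tree you deploy. */
#define MARK_MAGIC_HOST_MASK 0x0F00u
#define MARK_MAGIC_OVERLAY   0x0400u
#define MARK_MAGIC_HOST      0x0C00u
#define MARK_MAGIC_IDENTITY  0x0F00u
#define UNKNOWN_ID 0u
#define HOST_ID    1u

/* Derive the source security identity from the packet mark.
 * overlay_as_host=false models the regressed state, true the restored one. */
static uint32_t src_identity_from_mark(uint32_t mark, bool overlay_as_host)
{
    uint32_t magic = mark & MARK_MAGIC_HOST_MASK;

    if (magic == MARK_MAGIC_HOST)
        return HOST_ID;
    if (magic == MARK_MAGIC_OVERLAY && overlay_as_host)
        return HOST_ID;
    if (magic == MARK_MAGIC_IDENTITY) /* assumed layout: identity packed in mark */
        return ((mark & 0xFFu) << 16) | (mark >> 16);
    return UNKNOWN_ID;
}

/* Modelled rule: egress host policy only applies to host-sourced traffic. */
static bool hostfw_egress_enforced(uint32_t src_sec_identity)
{
    return src_sec_identity == HOST_ID;
}

int main(void)
{
    /* Constructed marks: host, overlay, and a pod identity 0x012345. */
    const uint32_t marks[] = { 0x0C00u, 0x0400u, 0x23450F01u };

    for (unsigned i = 0; i < 3; i++) {
        uint32_t before = src_identity_from_mark(marks[i], false);
        uint32_t after = src_identity_from_mark(marks[i], true);
        printf("mark=0x%08x before: id=%u enforced=%d  after: id=%u enforced=%d\n",
               (unsigned)marks[i], (unsigned)before, hostfw_egress_enforced(before),
               (unsigned)after, hostfw_egress_enforced(after));
    }
    return 0;
}
```

In this model only the overlay-marked packet changes outcome between the two states: it is skipped by the egress host policy before and evaluated after, while host-marked and pod-identity packets behave the same in both.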
@julianwiedmann
Member Author

/test

Member

@brb brb left a comment

LGTM

@julianwiedmann julianwiedmann added this pull request to the merge queue Apr 9, 2024
Merged via the queue into cilium:main with commit 8984c20 Apr 9, 2024
62 checks passed
@julianwiedmann julianwiedmann deleted the 1.16-bpf-overlay-hostfw branch April 9, 2024 09:38
@julianwiedmann julianwiedmann added backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. backport-pending/1.15 The backport for Cilium 1.15.x for this PR is in progress. and removed needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch needs-backport/1.15 This PR / issue needs backporting to the v1.15 branch labels Apr 9, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from main to Backport pending to v1.15 in 1.15.4 Apr 9, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from main to Backport pending to v1.14 in 1.14.10 Apr 9, 2024
@github-actions github-actions bot added backport-done/1.15 The backport for Cilium 1.15.x for this PR is done. and removed backport-pending/1.15 The backport for Cilium 1.15.x for this PR is in progress. labels Apr 10, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot removed this from Backport pending to v1.15 in 1.15.4 Apr 10, 2024
@asauber asauber added this to Backport pending to v1.14 in 1.14.11 Apr 11, 2024
@asauber asauber removed this from Backport pending to v1.14 in 1.14.10 Apr 11, 2024
@github-actions github-actions bot added backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. and removed backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. labels May 7, 2024
@nebril nebril moved this from Backport pending to v1.14 to Backport done to v1.14 in 1.14.11 May 10, 2024