[v1.15-backport] Introduce fromEgressProxyRule #31922

Merged
merged 4 commits into from
Apr 26, 2024
6 changes: 3 additions & 3 deletions pkg/datapath/linux/linux_defaults/linux_defaults.go
Expand Up @@ -77,9 +77,9 @@ const (
// the proxy package for redirecting inbound packets to the proxy.
RulePriorityToProxyIngress = 9

// RulePriorityFromProxyIngress is the priority of the routing rule installed by
// the proxy package for redirecting inbound packets from the proxy.
RulePriorityFromProxyIngress = 10
// RulePriorityFromProxy is the priority of the routing rule installed by
// the proxy package for redirecting packets from the proxy.
RulePriorityFromProxy = 10

// RulePriorityIngress is the priority of the rule used for ingress routing
// of endpoints. This priority is after encryption and proxy rules, and
14 changes: 10 additions & 4 deletions pkg/proxy/proxy.go
Expand Up @@ -425,8 +425,11 @@ func (p *Proxy) ReinstallRoutingRules() error {
return err
}

if err := removeFromEgressProxyRoutesIPv4(); err != nil {
return err
}
if !option.Config.EnableIPSec || option.Config.TunnelingEnabled() {
if err := removeFromProxyRoutesIPv4(); err != nil {
if err := removeFromIngressProxyRoutesIPv4(); err != nil {
return err
}
} else {
Expand All @@ -438,7 +441,7 @@ func (p *Proxy) ReinstallRoutingRules() error {
if err := removeToProxyRoutesIPv4(); err != nil {
return err
}
if err := removeFromProxyRoutesIPv4(); err != nil {
if err := removeFromIngressProxyRoutesIPv4(); err != nil {
return err
}
}
Expand All @@ -451,8 +454,11 @@ func (p *Proxy) ReinstallRoutingRules() error {
return err
}

if err := removeFromEgressProxyRoutesIPv6(); err != nil {
return err
}
if !option.Config.EnableIPSec || option.Config.TunnelingEnabled() {
if err := removeFromProxyRoutesIPv6(); err != nil {
if err := removeFromIngressProxyRoutesIPv6(); err != nil {
return err
}
} else {
Expand All @@ -468,7 +474,7 @@ func (p *Proxy) ReinstallRoutingRules() error {
if err := removeToProxyRoutesIPv6(); err != nil {
return err
}
if err := removeFromProxyRoutesIPv6(); err != nil {
if err := removeFromIngressProxyRoutesIPv6(); err != nil {
return err
}
}
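Review bot: The new unconditional `removeFromEgressProxyRoutesIPv4()` call (and its IPv6 twin in the third hunk) sits directly above a removal of the ingress rule that is gated on `!option.Config.EnableIPSec || option.Config.TunnelingEnabled()`, and nothing says why the two rules are treated differently or where the egress rule is (re)installed, which a reader of a function named ReinstallRoutingRules will expect to find. A short comment above the call would settle it, for example `// The egress proxy rule is removed regardless of IPsec/tunneling mode because <reason>; it is installed by <site>.` with the two blanks filled in by the author, since no install site for fromEgressProxyRule is visible in this PR. If the egress rule is only ever present in some configurations, the removal should presumably be gated the same way as the ingress one so the two stay in step. ReinstallRoutingRules starts before the first hunk and continues past the last one.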
57 changes: 41 additions & 16 deletions pkg/proxy/routes.go
Expand Up @@ -102,10 +102,19 @@ func removeToProxyRoutesIPv6() error {
}

var (
// Routing rule for traffic from proxy.
fromProxyRule = route.Rule{
Priority: linux_defaults.RulePriorityFromProxyIngress,
Mark: linux_defaults.MagicMarkIsProxy,
// Routing rule for traffic from ingress proxy.
fromIngressProxyRule = route.Rule{
Priority: linux_defaults.RulePriorityFromProxy,
Mark: linux_defaults.MagicMarkIngress,
Mask: linux_defaults.MagicMarkHostMask,
Table: linux_defaults.RouteTableFromProxy,
Protocol: linux_defaults.RTProto,
}

// Routing rule for traffic from egress proxy.
fromEgressProxyRule = route.Rule{
Priority: linux_defaults.RulePriorityFromProxy,
Mark: linux_defaults.MagicMarkEgress,
Mask: linux_defaults.MagicMarkHostMask,
Table: linux_defaults.RouteTableFromProxy,
Protocol: linux_defaults.RTProto,
Expand All @@ -132,8 +141,8 @@ func installFromProxyRoutesIPv4(ipv4 net.IP, device string) error {
Proto: linux_defaults.RTProto,
}

if err := route.ReplaceRule(fromProxyRule); err != nil {
return fmt.Errorf("inserting ipv4 from proxy routing rule %v: %w", fromProxyRule, err)
if err := route.ReplaceRule(fromIngressProxyRule); err != nil {
return fmt.Errorf("inserting ipv4 from ingress proxy routing rule %v: %w", fromIngressProxyRule, err)
}
if err := route.Upsert(fromProxyToCiliumHostRoute4); err != nil {
return fmt.Errorf("inserting ipv4 from proxy to cilium_host route %v: %w", fromProxyToCiliumHostRoute4, err)
Expand All @@ -145,10 +154,10 @@ func installFromProxyRoutesIPv4(ipv4 net.IP, device string) error {
return nil
}

// removeFromProxyRoutesIPv4 ensures routes and rules for traffic from the proxy are removed.
func removeFromProxyRoutesIPv4() error {
if err := route.DeleteRule(netlink.FAMILY_V4, fromProxyRule); err != nil && !errors.Is(err, syscall.ENOENT) {
return fmt.Errorf("removing ipv4 from proxy routing rule: %w", err)
// removeFromIngressProxyRoutesIPv4 ensures routes and rules for traffic from the proxy are removed.
func removeFromIngressProxyRoutesIPv4() error {
if err := route.DeleteRule(netlink.FAMILY_V4, fromIngressProxyRule); err != nil && !errors.Is(err, syscall.ENOENT) {
return fmt.Errorf("removing ipv4 from ingress proxy routing rule: %w", err)
}
if err := route.DeleteRouteTable(linux_defaults.RouteTableFromProxy, netlink.FAMILY_V4); err != nil {
return fmt.Errorf("removing ipv4 from proxy route table: %w", err)
Expand All @@ -162,6 +171,13 @@ func removeStaleProxyRulesIPv4() error {
return removeProtoUnspecRules(netlink.FAMILY_V4)
}

func removeFromEgressProxyRoutesIPv4() error {
if err := route.DeleteRule(netlink.FAMILY_V4, fromEgressProxyRule); err != nil && !errors.Is(err, syscall.ENOENT) {
return fmt.Errorf("removing ipv4 from egress proxy routing rule: %w", err)
}
return nil
}

// installFromProxyRoutesIPv6 configures routes and rules needed to redirect ingress
// packets from the proxy.
func installFromProxyRoutesIPv6(ipv6 net.IP, device string) error {
Expand All @@ -182,8 +198,8 @@ func installFromProxyRoutesIPv6(ipv6 net.IP, device string) error {
Proto: linux_defaults.RTProto,
}

if err := route.ReplaceRuleIPv6(fromProxyRule); err != nil {
return fmt.Errorf("inserting ipv6 from proxy routing rule %v: %w", fromProxyRule, err)
if err := route.ReplaceRuleIPv6(fromIngressProxyRule); err != nil {
return fmt.Errorf("inserting ipv6 from ingress proxy routing rule %v: %w", fromIngressProxyRule, err)
}
if err := route.Upsert(fromProxyToCiliumHostRoute6); err != nil {
return fmt.Errorf("inserting ipv6 from proxy to cilium_host route %v: %w", fromProxyToCiliumHostRoute6, err)
Expand All @@ -195,11 +211,11 @@ func installFromProxyRoutesIPv6(ipv6 net.IP, device string) error {
return nil
}

// removeFromProxyRoutesIPv6 ensures routes and rules for traffic from the proxy are removed.
func removeFromProxyRoutesIPv6() error {
if err := route.DeleteRule(netlink.FAMILY_V6, fromProxyRule); err != nil {
// removeFromIngressProxyRoutesIPv6 ensures routes and rules for traffic from the proxy are removed.
func removeFromIngressProxyRoutesIPv6() error {
if err := route.DeleteRule(netlink.FAMILY_V6, fromIngressProxyRule); err != nil {
if !errors.Is(err, syscall.ENOENT) && !errors.Is(err, syscall.EAFNOSUPPORT) {
return fmt.Errorf("removing ipv6 from proxy routing rule: %w", err)
return fmt.Errorf("removing ipv6 from ingress proxy routing rule: %w", err)
}
}
if err := route.DeleteRouteTable(linux_defaults.RouteTableFromProxy, netlink.FAMILY_V6); err != nil {
Expand Down Expand Up @@ -238,3 +254,12 @@ func removeProtoUnspecRules(family int) error {
}
return nil
}

func removeFromEgressProxyRoutesIPv6() error {
if err := route.DeleteRule(netlink.FAMILY_V6, fromEgressProxyRule); err != nil {
if !errors.Is(err, syscall.ENOENT) && !errors.Is(err, syscall.EAFNOSUPPORT) {
return fmt.Errorf("removing ipv6 from egress proxy routing rule: %w", err)
}
}
return nil
}
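Review bot: `removeFromEgressProxyRoutesIPv4` and `removeFromEgressProxyRoutesIPv6` are added without a doc comment while their ingress siblings have one, and those sibling comments still read "traffic from the proxy" although the functions are now ingress-specific. Suggested header for the new functions: `// removeFromEgressProxyRoutesIPv4 removes the routing rule for traffic from the egress proxy. The route table is shared with the ingress rule and is torn down by removeFromIngressProxyRoutesIPv4.` (same for IPv6) — the second sentence is my reading of both rules pointing at RouteTableFromProxy, so confirm it before committing it. Both rules now share RulePriorityFromProxy and differ only in Mark, so route.ReplaceRule and route.DeleteRule must match on the mark rather than on priority alone or the ingress install will clobber the egress rule; that depends on the route package, which is outside this diff. Nothing in this PR installs fromEgressProxyRule or exercises the new removal functions in routes_test.go, so a test that inserts the egress rule with route.ReplaceRule and checks that removeFromEgressProxyRoutesIPv4 removes it while leaving the ingress rule in place would close both gaps.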
12 changes: 6 additions & 6 deletions pkg/proxy/routes_test.go
Expand Up @@ -88,7 +88,7 @@ func TestRoutes(t *testing.T) {
// Install routes and rules the first time.
assert.NoError(t, installFromProxyRoutesIPv4(testIPv4, ifName))

rules, err := route.ListRules(netlink.FAMILY_V4, &fromProxyRule)
rules, err := route.ListRules(netlink.FAMILY_V4, &fromIngressProxyRule)
assert.NoError(t, err)
assert.NotEmpty(t, rules)

Expand All @@ -102,9 +102,9 @@ func TestRoutes(t *testing.T) {
assert.NoError(t, installFromProxyRoutesIPv4(testIPv4, ifName))

// Remove routes installed before.
assert.NoError(t, removeFromProxyRoutesIPv4())
assert.NoError(t, removeFromIngressProxyRoutesIPv4())

rules, err = route.ListRules(netlink.FAMILY_V4, &fromProxyRule)
rules, err = route.ListRules(netlink.FAMILY_V4, &fromIngressProxyRule)
assert.NoError(t, err)
assert.Empty(t, rules)

Expand Down Expand Up @@ -187,7 +187,7 @@ func TestRoutes(t *testing.T) {
// Install routes and rules the first time.
assert.NoError(t, installFromProxyRoutesIPv6(testIPv6, ifName))

rules, err := route.ListRules(netlink.FAMILY_V6, &fromProxyRule)
rules, err := route.ListRules(netlink.FAMILY_V6, &fromIngressProxyRule)
assert.NoError(t, err)
assert.NotEmpty(t, rules)

Expand All @@ -201,9 +201,9 @@ func TestRoutes(t *testing.T) {
assert.NoError(t, installFromProxyRoutesIPv6(testIPv6, ifName))

// Remove routes installed before.
assert.NoError(t, removeFromProxyRoutesIPv6())
assert.NoError(t, removeFromIngressProxyRoutesIPv6())

rules, err = route.ListRules(netlink.FAMILY_V6, &fromProxyRule)
rules, err = route.ListRules(netlink.FAMILY_V6, &fromIngressProxyRule)
assert.NoError(t, err)
assert.Empty(t, rules)
