Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Introduce fromEgressProxyRule #31923

Merged
merged 4 commits into from
Apr 25, 2024
Merged

Introduce fromEgressProxyRule #31923

merged 4 commits into from
Apr 25, 2024

Conversation

jschwinger233
Copy link
Member

@jschwinger233 jschwinger233 commented Apr 12, 2024
edited
Loading

This simple PR introduces a new ip rule without installing it, mainly meant to take care of cilium downgrade for the new ip rule. Please see the commit messages for details.

This PR (along with its backport PRs) is the stage one of #31984 to address the remaining IPsec leak issues. Please see that issue for the the context.

Signed-off-by: Zhichuan Liang gray.liang@isovalent.com

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Apr 12, 2024
@jschwinger233
proxy/routes: Rename fromProxyRule to fromIngressProxyRule
19f1d68 
Because we are introducing fromEgressProxyRule soon, it's better to make
clear that the fromProxyRule is for ingress proxy only.

This commit also changes its mark from MagicMarkIsProxy to
MagicMarkIngress. They hold the same value 0xA00 while have the
different semantics.

Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
@jschwinger233 jschwinger233 mentioned this pull request Apr 12, 2024
Merged
1 task
@jschwinger233
Copy link
Member Author

/test

This was referenced Apr 12, 2024
Merged
Merged
Draft
Closed
@jschwinger233
Copy link
Member Author

/test

@jschwinger233 jschwinger233 added the release-note/bug This PR fixes an issue in a previous release of Cilium. label Apr 16, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Apr 16, 2024
@jschwinger233 jschwinger233 added area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. area/proxy Impacts proxy components, including DNS, Kafka, Envoy and/or XDS servers. sig/agent Cilium agent related. feature/ipsec Relates to Cilium's IPsec feature backport/author The backport will be carried out by the author of the PR. needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch needs-backport/1.15 This PR / issue needs backporting to the v1.15 branch labels Apr 16, 2024
@jschwinger233 jschwinger233 marked this pull request as ready for review April 16, 2024 11:48
@jschwinger233 jschwinger233 requested a review from a team as a code owner April 16, 2024 11:48
rgo3
rgo3 reviewed Apr 18, 2024
View reviewed changes
pkg/proxy/routes.go Outdated Show resolved Hide resolved
@jschwinger233 jschwinger233 requested a review from a team as a code owner April 19, 2024 07:18
@jschwinger233
proxy/routes: Rename RulePriorityFromProxyIngress
4609255 
No logic changes, just rename it to "RulePriorityFromProxy" without
"Ingress" suffix, because egress rule is using the same priority.

Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
@jschwinger233
proxy/routes: Introduce fromEgressProxyRule
63f71c7 
Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
@jschwinger233
Copy link
Member Author

/test

julianwiedmann
julianwiedmann reviewed Apr 22, 2024
View reviewed changes
Copy link
Member

@julianwiedmann julianwiedmann left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ty! Sorry for taking so long - two inline comments, depends on your response whether they should be "request changes" 🙂

pkg/proxy/routes.go Outdated Show resolved Hide resolved
pkg/proxy/proxy.go Outdated Show resolved Hide resolved
@jschwinger233
proxy/routes: Remove fromEgressProxyRule for cilium downgrade
38645da 
Although we don't install fromEgressProxyRule for now, this commit
insists on removing it to make sure further downgrade can go smoothly.

Soon We'll have another PR to install fromEgressProxyRule, and cilium
downgrade from that PR to branch tip (patch downgrade, 1.X.Y ->
1.X.{Y-1}) will be broken if we don't handle the new ip rule carefullly.

Without this patch, downgrade from higher version will leave
fromEgressProxyRule on the lower version cilium, cluster will be in a
wrong status of "having stale ip rule + not having other necessary
settings (iptables)", breaking the connectivity.

Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
@jschwinger233
Copy link
Member Author

/test

@julianwiedmann julianwiedmann self-requested a review April 24, 2024 05:35
julianwiedmann
julianwiedmann approved these changes Apr 24, 2024
View reviewed changes
Copy link
Member

@julianwiedmann julianwiedmann left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, thank you!

tommyp1ckles
tommyp1ckles approved these changes Apr 24, 2024
View reviewed changes
pkg/proxy/proxy.go Show resolved Hide resolved
@maintainer-s-little-helper maintainer-s-little-helper bot added ready-to-merge This PR has passed all tests and received consensus from code owners to merge. labels Apr 24, 2024
@ti-mo ti-mo added this pull request to the merge queue Apr 25, 2024
Merged via the queue into cilium:main with commit 53133ff Apr 25, 2024
64 checks passed
@jschwinger233 jschwinger233 added backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. backport-done/1.15 The backport for Cilium 1.15.x for this PR is done. and removed needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch needs-backport/1.15 This PR / issue needs backporting to the v1.15 branch labels Apr 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tommyp1ckles tommyp1ckles tommyp1ckles approved these changes

@rgo3 rgo3 rgo3 approved these changes

@julianwiedmann julianwiedmann julianwiedmann approved these changes

Assignees
No one assigned
Labels
area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. area/proxy Impacts proxy components, including DNS, Kafka, Envoy and/or XDS servers. backport/author The backport will be carried out by the author of the PR. backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. backport-done/1.15 The backport for Cilium 1.15.x for this PR is done. feature/ipsec Relates to Cilium's IPsec feature ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/bug This PR fixes an issue in a previous release of Cilium. sig/agent Cilium agent related. sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@jschwinger233 @tommyp1ckles @rgo3 @julianwiedmann @ti-mo