bpf: egw: delay SNAT for local client to actual egress interface #32428

Merged (1 commit) May 23, 2024

Conversation

@julianwiedmann (Member) commented May 8, 2024

To let EGW traffic exit the gateway through the correct interface,
we've introduced FIB lookup-driven redirects in the to-netdev path
(#26215). This is needed for cases
where the traffic first hits one interface via the default route, but then
needs to bounce to some other interface that matches the actual egressIP.
In this approach we masquerade the packet on its first pass through
to-netdev, set the SNAT_DONE mark, and then redirect to the actual egress
interface. Due to the SNAT_DONE mark we then skip the SNAT logic in the
second pass through to-netdev.

#29379 then improved the situation for
any EGW traffic that enters the gateway from the overlay network (==
anything that's not by a pod on the gateway). We now redirect in
from-overlay, straight to the actual egress interface and masquerade the
packet there.

Now also harmonize the approach for local pods, and defer the masquerade
until the packet hits the actual egress interface. This simplifies the
overall picture. But it also allows us to raise TO_NETWORK datapath trace
events that are enriched with the packet's original source IP - this event
is raised on the second pass through to-netdev, so we need the SNAT to
happen at the same time.

Also add a comment to clarify the check to skip HostFW for SNATed traffic.
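
As an added illustration (not the PR's code or Cilium's BPF), the following C model walks a local-pod packet through the two to-netdev passes described above: with the old ordering the TO_NETWORK trace only ever sees the masqueraded source, whereas deferring SNAT to the actual egress interface lets the trace carry the pod's original source IP. The SNAT_DONE bit value, the ifindexes and the egressIP are constructed for the model.

```c
/* Constructed model of the two to-netdev passes described above; not
 * Cilium's BPF code. SNAT_DONE's bit value and the ifindexes are assumed. */
#include <stdint.h>
#define SNAT_DONE 0x1u                         /* assumed mark bit */
enum { IF_DEFAULT = 1, IF_EGRESS = 2 };        /* constructed ifindexes */
enum { ACT_PASS = 0, ACT_REDIRECT = 1 };
static const uint32_t EGRESS_IP = 0xC0A80A05u; /* constructed egressIP */

struct pkt {
    uint32_t saddr;   /* current source address */
    uint32_t mark;    /* skb mark bits */
    int ifindex;      /* interface the packet is currently leaving through */
};

/* FIB lookup stand-in: bounce to the interface owning the egressIP. */
static int fib_redirect(struct pkt *p)
{
    if (p->ifindex == IF_EGRESS) return 0;
    p->ifindex = IF_EGRESS;
    return 1;
}

static void snat(struct pkt *p) { p->saddr = EGRESS_IP; p->mark |= SNAT_DONE; }

/* Old approach (#26215): SNAT on the first pass, then redirect; the second
 * pass skips SNAT because of the mark and raises the TO_NETWORK trace. */
static int to_netdev_old(struct pkt *p, uint32_t *trace_saddr)
{
    if (!(p->mark & SNAT_DONE)) snat(p);
    if (fib_redirect(p)) return ACT_REDIRECT;
    *trace_saddr = p->saddr; /* trace sees the already-SNATed source */
    return ACT_PASS;
}

/* New approach (this PR): redirect first; on the actual egress interface
 * raise the trace with the original source, then SNAT. */
static int to_netdev_new(struct pkt *p, uint32_t *trace_saddr)
{
    if (fib_redirect(p)) return ACT_REDIRECT;
    *trace_saddr = p->saddr; /* original pod source enriches the event */
    snat(p);
    return ACT_PASS;
}

/* Drive a local-pod packet through the passes until it leaves the node and
 * return the source address recorded in the TO_NETWORK trace event. */
static uint32_t run_passes(int (*to_netdev)(struct pkt *, uint32_t *), struct pkt *p)
{
    uint32_t trace_saddr = 0;
    for (int pass = 0; pass < 4 && to_netdev(p, &trace_saddr) == ACT_REDIRECT; pass++)
        ;
    return trace_saddr;
}
```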

@julianwiedmann julianwiedmann added kind/enhancement This would improve or streamline existing functionality. sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. area/monitor Impacts monitoring, access logging, flow logging, visibility of datapath traffic. feature/egress-gateway Impacts the egress IP gateway feature. labels May 8, 2024
@julianwiedmann julianwiedmann requested review from jibi, ysksuzuki and a team May 8, 2024 16:41
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label May 8, 2024
@julianwiedmann julianwiedmann added the release-note/misc This PR makes changes that have no direct user impact. label May 8, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label May 8, 2024
@julianwiedmann (Member, Author) commented:

/test

@julianwiedmann julianwiedmann force-pushed the 1.16-egressgw-snat branch 3 times, most recently from 1626523 to 258edda May 14, 2024 15:40
@julianwiedmann julianwiedmann changed the title egressgw: harmonize outbound path on gateway node for local / remote clients bpf: egw: delay SNAT for local client to actual egress interface May 14, 2024
@julianwiedmann julianwiedmann marked this pull request as ready for review May 14, 2024 15:41
@julianwiedmann julianwiedmann requested a review from a team as a code owner May 14, 2024 15:41
@julianwiedmann (Member, Author) commented:

/test

@julianwiedmann julianwiedmann marked this pull request as draft May 14, 2024 15:50
@julianwiedmann julianwiedmann force-pushed the 1.16-egressgw-snat branch 5 times, most recently from d8a07f2 to 6ed7669 May 14, 2024 16:48
To let EGW traffic exit the gateway through the correct interface,
we've introduced FIB lookup-driven redirects in the to-netdev path
(cilium#26215). This is needed for cases
where the traffic first hits one interface via the default route, but then
needs to bounce to some other interface that matches the actual egressIP.
In this approach we masquerade the packet on its first pass through
to-netdev, set the SNAT_DONE mark, and then redirect to the actual egress
interface. Due to the SNAT_DONE mark we then skip the SNAT logic in the
second pass through to-netdev.

cilium#29379 then improved the situation for
any EGW traffic that enters the gateway from the overlay network (==
anything that's not by a pod on the gateway). We now redirect in
from-overlay, straight to the actual egress interface and masquerade the
packet there.

Now also harmonize the approach for local pods, and defer the masquerade
until the packet hits the actual egress interface. This simplifies the
overall picture. But it also allows us to raise TO_NETWORK datapath trace
events that are enriched with the packet's original source IP - this event
is raised on the *second* pass through to-netdev, so we need the SNAT to
happen at the same time.

Also add a comment to clarify the check to skip HostFW for SNATed traffic.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@julianwiedmann (Member, Author) commented:

/test

@julianwiedmann julianwiedmann marked this pull request as ready for review May 14, 2024 20:07
@kaworu kaworu self-requested a review May 15, 2024 06:41
@julianwiedmann julianwiedmann added this pull request to the merge queue May 23, 2024
Merged via the queue into cilium:main with commit cf6b203 May 23, 2024
63 of 64 checks passed
@julianwiedmann julianwiedmann deleted the 1.16-egressgw-snat branch May 23, 2024 14:31
@julianwiedmann julianwiedmann added the needs-backport/1.15 This PR / issue needs backporting to the v1.15 branch label May 28, 2024
@joamaki joamaki mentioned this pull request May 30, 2024
@joamaki joamaki added backport-pending/1.15 The backport for Cilium 1.15.x for this PR is in progress. and removed needs-backport/1.15 This PR / issue needs backporting to the v1.15 branch labels May 30, 2024
@github-actions github-actions bot added backport-done/1.15 The backport for Cilium 1.15.x for this PR is done. and removed backport-pending/1.15 The backport for Cilium 1.15.x for this PR is in progress. labels May 31, 2024