Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[v1.15] egressgw: Let the EGW manager relax rp_filter on egress device #32778

Merged
merged 1 commit into from
May 30, 2024
Merged

[v1.15] egressgw: Let the EGW manager relax rp_filter on egress device #32778

merged 1 commit into from
May 30, 2024

Conversation

ysksuzuki
Copy link
Member

@ysksuzuki ysksuzuki commented May 30, 2024
edited by julianwiedmann
Loading

This is a manual backport of #32679

Once this PR is merged, a GitHub action will update the labels of these PRs:

 32679

@maintainer-s-little-helper maintainer-s-little-helper bot added backport/1.15 This PR represents a backport for Cilium 1.15.x of a PR that was merged to main. kind/backports This PR provides functionality previously merged into master. labels May 30, 2024
@ysksuzuki ysksuzuki changed the title egressgw: Let the EGW manager relax rp_filter on egress device [v1.15] egressgw: Let the EGW manager relax rp_filter on egress device May 30, 2024
@ysksuzuki
Copy link
Member Author

/test-backport-1.15

@ysksuzuki
egressgw: Let the EGW manager relax rp_filter on egress device
2e65f6e 
[ upstream commit 43d65ed ]

[ backporter's note: The sysctl Reconciler has not been introduced in
      v1.15, so the legacy sysctl is used instead. ]

Pods running on the Egress GW node fail to communicate with an external
endpoint through the Egress GW due to the rp_filter in an environment
where egress IP is assigned to a different interface than the one with
the default route. The reply packets from the external endpoints are
dropped by the rp_filter

- A request from a local pod hits eth0 with the default route.
  It matches an IEGP, gets masqueraded & bpf-redirected to eth1 with Egress IP.
- Replies hit eth1, are revSNATed, and passed on to the stack.
  rp-filter complains that they are received on eth1, when the route doesn't point towards eth1.

This PR fixes this issue by relaxing rp_filter on interfaces with Egress IP.

Signed-off-by: Yusuke Suzuki <yusuke.suzuki@isovalent.com>
@ysksuzuki ysksuzuki force-pushed the backport-1.15-relax-ewg-rp-filter branch from 63ff99f to 2e65f6e Compare May 30, 2024 05:09
@ysksuzuki
Copy link
Member Author

/test-backport-1.15

@julianwiedmann
Copy link
Member

(added @dylandreimerink for the diff from missing #30439)

@julianwiedmann julianwiedmann mentioned this pull request May 30, 2024
Merged
6 tasks
dylandreimerink
dylandreimerink approved these changes May 30, 2024
View reviewed changes
Copy link
Member

@dylandreimerink dylandreimerink left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. We kept the same methods, just changed the implementation, for this reason.

@ysksuzuki ysksuzuki marked this pull request as ready for review May 30, 2024 10:15
@ysksuzuki ysksuzuki requested a review from a team as a code owner May 30, 2024 10:15
@julianwiedmann julianwiedmann added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label May 30, 2024
@joestringer
Copy link
Member

@julianwiedmann no need to set ready-to-merge. It was waiting on tophat review and I found this via the tophat-review-requested list. If tophat is the last to review, they can directly merge after anyways, and in normal cases the ready-to-merge label should only be set by the bot once all reviews and tests are passing.

@joestringer joestringer merged commit 56e5133 into cilium:v1.15 May 30, 2024
59 checks passed
@michi-covalent michi-covalent mentioned this pull request Jun 8, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joestringer joestringer joestringer approved these changes

@dylandreimerink dylandreimerink dylandreimerink approved these changes

Assignees
No one assigned
Labels
backport/1.15 This PR represents a backport for Cilium 1.15.x of a PR that was merged to main. kind/backports This PR provides functionality previously merged into master. ready-to-merge This PR has passed all tests and received consensus from code owners to merge.
Projects
No open projects
cilium v1.15.6
Status: Released
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@ysksuzuki @julianwiedmann @joestringer @dylandreimerink