-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
first batch for local/global ct #659
Conversation
- support both global 5 tuple / container local 4 tuple conntrack - cilium daemon can configure this support using #define CONNTRACK_LOCAL - defaults to global Signed-off-by: Madhu Challa <madhu@cilium.io> [ dbkm: squashed some follow-up fixes into it ]
Use a single huge global connection tracking table by default, and have also the option to switch to container local one instead as we have prior to this patch. The switch can even happen during runtime per reconfiguration via: cilium endpoint config <ep-ID> ConntrackLocal=false // global table cilium endpoint config <ep-ID> ConntrackLocal=true // local table Dumping the global table works as usual: cilium bpf ct list global // dump global table cilium bpf ct list <ep-ID> // dump local table It's also listed as a config option via cli, f.e.: # cilium config Conntrack Enabled ConntrackAccounting Enabled ConntrackLocal Enabled DropNotification Enabled NAT46 Enabled Policy Enabled PolicyTracing Disabled I changed the 01-ct tests to include local/global table tests and they were all passing. Signed-off-by: Daniel Borkmann <daniel@cilium.io>
Signed-off-by: Madhu Challa <madhu@cilium.io>
Never really worked well on IPv6. The ping tests also need to run with --privileged. Signed-off-by: Daniel Borkmann <daniel@cilium.io>
In v4 (as opposed to v6), we call both __ct_lookup()'s with a ct_state buffer that will get updated once an entry is found, whereas we only want to store the nat index etc when in reverse direction, before we called ipv4_ct_tuple_reverse(tuple) to put it into forward direction. Signed-off-by: Daniel Borkmann <daniel@cilium.io>
We don't need to get the tuple once again since unnecessary. Signed-off-by: Daniel Borkmann <daniel@cilium.io>
Updating to the service target will make the reverse lookup fail when we ping our own service. Signed-off-by: Daniel Borkmann <daniel@cilium.io>
Otherwise it's easy to miss when auditing the code. Signed-off-by: Daniel Borkmann <daniel@cilium.io>
The offset for l3_csum_replace() is wrong, but it also never worked since as size we pass 1, which is invalid from kernel side. But also the skb_store_bytes() used the old ttl value. Fix the csum offset and use 2 as size, which is fine since it just zero extends. Then, store new_ttl into the packet. Signed-off-by: Madhu Challa <madhu@cilium.io> Signed-off-by: Daniel Borkmann <daniel@cilium.io>
Use common helpers that will chose constant vs. runtime variants automatically. Reduces also #insns for runtime cases. Signed-off-by: Daniel Borkmann <daniel@cilium.io>
The type is really just __u8, not int. We do skb_load_bytes() on this and write the first byte of it, and later read the full int. IPv6 is correct, and using __u8. Signed-off-by: Daniel Borkmann <daniel@cilium.io>
Add IPv6 test for pinging own service. Signed-off-by: Daniel Borkmann <daniel@cilium.io>
Update go-bindata due to prior changes under bpf/. Signed-off-by: Daniel Borkmann <daniel@cilium.io>
@@ -170,6 +170,10 @@ func (bo *BoolOptions) IsEnabled(key string) bool { | |||
return exists && set | |||
} | |||
|
|||
func (bo *BoolOptions) IsDisabled(key string) bool { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
exported method BoolOptions.IsDisabled should have comment or be unexported
flags uint8 | ||
} | ||
|
||
func (key CtKey4Global) Dump(buffer *bytes.Buffer) bool { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
exported method CtKey4Global.Dump should have comment or be unexported
return true | ||
} | ||
|
||
type CtKey4Global struct { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
exported type CtKey4Global should have comment or be unexported
flags uint8 | ||
} | ||
|
||
func (key CtKey6Global) Dump(buffer *bytes.Buffer) bool { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
exported method CtKey6Global.Dump should have comment or be unexported
@@ -123,6 +130,78 @@ func (key CtKey4) Dump(buffer *bytes.Buffer) bool { | |||
return true | |||
} | |||
|
|||
type CtKey6Global struct { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
exported type CtKey6Global should have comment or be unexported
@@ -32,8 +32,13 @@ type CtMap struct { | |||
} | |||
|
|||
const ( | |||
MapName6 = "cilium_ct6_" | |||
MapName4 = "cilium_ct4_" | |||
MapName6 = "cilium_ct6_" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
exported const MapName6 should have comment (or a comment on this block) or be unexported
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great. Can you add a commit add the end which updates the NEWS.rst
file?
Yeah, will do that later today. |
Mention the main change in this set also in news section. Signed-off-by: Daniel Borkmann <daniel@cilium.io>
Pushed above, I only described the high level change on the ct table. The rest might be too detailed for the news log (?), but if preferred I can also add further entries, just let me know. |
Remaining bit on todo is to hash out pining of own service via lb for the global CT, rest of the tests work fine already.