first batch for local/global ct #659
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- support both global 5 tuple / container local 4 tuple conntrack - cilium daemon can configure this support using #define CONNTRACK_LOCAL - defaults to global Signed-off-by: Madhu Challa <madhu@cilium.io> [ dbkm: squashed some follow-up fixes into it ]
Use a single huge global connection tracking table by default, and have also the option to switch to container local one instead as we have prior to this patch. The switch can even happen during runtime per reconfiguration via: cilium endpoint config <ep-ID> ConntrackLocal=false // global table cilium endpoint config <ep-ID> ConntrackLocal=true // local table Dumping the global table works as usual: cilium bpf ct list global // dump global table cilium bpf ct list <ep-ID> // dump local table It's also listed as a config option via cli, f.e.: # cilium config Conntrack Enabled ConntrackAccounting Enabled ConntrackLocal Enabled DropNotification Enabled NAT46 Enabled Policy Enabled PolicyTracing Disabled I changed the 01-ct tests to include local/global table tests and they were all passing. Signed-off-by: Daniel Borkmann <daniel@cilium.io>
Signed-off-by: Madhu Challa <madhu@cilium.io>
Never really worked well on IPv6. The ping tests also need to run with --privileged. Signed-off-by: Daniel Borkmann <daniel@cilium.io>
In v4 (as opposed to v6), we call both __ct_lookup()'s with a ct_state buffer that will get updated once an entry is found, whereas we only want to store the nat index etc when in reverse direction, before we called ipv4_ct_tuple_reverse(tuple) to put it into forward direction. Signed-off-by: Daniel Borkmann <daniel@cilium.io>
We don't need to get the tuple once again since unnecessary. Signed-off-by: Daniel Borkmann <daniel@cilium.io>
Updating to the service target will make the reverse lookup fail when we ping our own service. Signed-off-by: Daniel Borkmann <daniel@cilium.io>
Otherwise it's easy to miss when auditing the code. Signed-off-by: Daniel Borkmann <daniel@cilium.io>
The offset for l3_csum_replace() is wrong, but it also never worked since as size we pass 1, which is invalid from kernel side. But also the skb_store_bytes() used the old ttl value. Fix the csum offset and use 2 as size, which is fine since it just zero extends. Then, store new_ttl into the packet. Signed-off-by: Madhu Challa <madhu@cilium.io> Signed-off-by: Daniel Borkmann <daniel@cilium.io>
Use common helpers that will chose constant vs. runtime variants automatically. Reduces also #insns for runtime cases. Signed-off-by: Daniel Borkmann <daniel@cilium.io>
The type is really just __u8, not int. We do skb_load_bytes() on this and write the first byte of it, and later read the full int. IPv6 is correct, and using __u8. Signed-off-by: Daniel Borkmann <daniel@cilium.io>
Add IPv6 test for pinging own service. Signed-off-by: Daniel Borkmann <daniel@cilium.io>
Update go-bindata due to prior changes under bpf/. Signed-off-by: Daniel Borkmann <daniel@cilium.io>
houndci-bot
reviewed
May 6, 2017
| @@ -170,6 +170,10 @@ func (bo *BoolOptions) IsEnabled(key string) bool { | |||
| return exists && set | |||
| } | |||
|
|
|||
| func (bo *BoolOptions) IsDisabled(key string) bool { | |||
There was a problem hiding this comment.
exported method BoolOptions.IsDisabled should have comment or be unexported
| flags uint8 | ||
| } | ||
|
|
||
| func (key CtKey4Global) Dump(buffer *bytes.Buffer) bool { |
There was a problem hiding this comment.
exported method CtKey4Global.Dump should have comment or be unexported
| return true | ||
| } | ||
|
|
||
| type CtKey4Global struct { |
There was a problem hiding this comment.
exported type CtKey4Global should have comment or be unexported
| flags uint8 | ||
| } | ||
|
|
||
| func (key CtKey6Global) Dump(buffer *bytes.Buffer) bool { |
There was a problem hiding this comment.
exported method CtKey6Global.Dump should have comment or be unexported
| @@ -123,6 +130,78 @@ func (key CtKey4) Dump(buffer *bytes.Buffer) bool { | |||
| return true | |||
| } | |||
|
|
|||
| type CtKey6Global struct { | |||
There was a problem hiding this comment.
exported type CtKey6Global should have comment or be unexported
| @@ -32,8 +32,13 @@ type CtMap struct { | |||
| } | |||
|
|
|||
| const ( | |||
| MapName6 = "cilium_ct6_" | |||
| MapName4 = "cilium_ct4_" | |||
| MapName6 = "cilium_ct6_" | |||
There was a problem hiding this comment.
exported const MapName6 should have comment (or a comment on this block) or be unexported
This was referenced May 6, 2017
tgraf
requested changes
May 6, 2017
|
Yeah, will do that later today. |
Mention the main change in this set also in news section. Signed-off-by: Daniel Borkmann <daniel@cilium.io>
|
Pushed above, I only described the high level change on the ct table. The rest might be too detailed for the news log (?), but if preferred I can also add further entries, just let me know. |
tgraf
approved these changes
May 6, 2017
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Remaining bit on todo is to hash out pining of own service via lb for the global CT, rest of the tests work fine already.