Fix DNS egress L7 policy in ENI mode #8837
Conversation
test-me-please
Shouldn't ENI mode simply define ENABLE_HOST_REDIRECT then?
L7 with ipvlan is not supported (https://cilium.readthedocs.io/en/stable/gettingstarted/ipvlan/) at this point.
@joestringer I remember that for the lyft-cni chaining, it was required to specifically route via cilium_host in order to get the redirect to work. It's interesting that this is no longer the case apparently. Could also be specific to kernel versions. I remember @jrfastab saw similar issues related to the encryption work.
Enabling host redirect fixes DNS egress proxy iirc, but had other problems. Long and short is that right now if I just enable host redirect it causes ingress proxy at destination to receive SYN, reply with SYN/ACK, then fail to receive the ACK (and retransmit SYN/ACK ad infinitum). SYN/ACK reaches source node which responds with ACK, which arrives to eth1 of destination but I haven't been able to trace it further than that yet. EDIT: Here's a rough sense of the netfilter stack paths for this configuration:
Signed-off-by: Joe Stringer <joe@cilium.io>
d9dd383 to dea7a69
I've updated the PR to simplify it; this is easier to justify and it fixes the specific case that was reported. Getting ingress policy to work in ENI mode across multiple nodes will require additional work.
test-me-please
ENI mode was disabling L7 proxy entirely previously due to an overeager check in the datapath to avoid redirecting to the proxy in cases where the endpoint devices are IPVLAN devices.
These fixes enable the following cases in ENI mode:
Fixes: #8813
Future work: