New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix L7 ingress proxy iptables redirects in direct routing mode #8864
Fix L7 ingress proxy iptables redirects in direct routing mode #8864
Conversation
test-me-please |
d1924c5
to
fd3fb65
Compare
test-me-please EDIT: The build never kicked off on Jenkins. Will retry. |
test-me-please EDIT: Jenkins ignored me again. Retrying again. |
test-me-please EDIT: Ran out of space on jenkins node: https://jenkins.cilium.io/job/Cilium-PR-Ginkgo-Tests-Validated/14302/execution/node/7/log/ |
test-me-please EDIT: Same problem, same node |
test-me-please EDIT: The only failure is in the mode that this PR is trying to fix..
However, it's not in the actual test, but in the bootstrapping / health endpoints setup:
I wonder if the per-endpoint routes are correctly configured for the health endpoints. |
test-me-please |
fd3fb65
to
0ae4ee9
Compare
New patch to fix cilium-health connectivity. |
test-me-please EDIT: Hit infra issue:
|
Refactor this into one place to make it easier and tidier to wrap creation of these rules. For more detail on why they are necessary, see cilium#8864. Signed-off-by: Joe Stringer <joe@cilium.io>
Refactor this into one place to make it easier and tidier to wrap creation of these rules. For more detail on why they are necessary, see #8864. Signed-off-by: Joe Stringer <joe@cilium.io>
'--no-wildcard' allows the socket match to find zero-bound (listening) sockets, which we do not want, as this may intercept (reply) traffic intended for other nodes when an ephemeral source port number allocated in one node happens to be the same as the allocated proxy port number in 'this' node (the node doing the iptables socket match changed here). Fixes: #12241 Related: #8864 Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
'--no-wildcard' allows the socket match to find zero-bound (listening) sockets, which we do not want, as this may intercept (reply) traffic intended for other nodes when an ephemeral source port number allocated in one node happens to be the same as the allocated proxy port number in 'this' node (the node doing the iptables socket match changed here). Fixes: #12241 Related: #8864 Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
'--no-wildcard' allows the socket match to find zero-bound (listening) sockets, which we do not want, as this may intercept (reply) traffic intended for other nodes when an ephemeral source port number allocated in one node happens to be the same as the allocated proxy port number in 'this' node (the node doing the iptables socket match changed here). Fixes: #12241 Related: #8864 Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
'--no-wildcard' allows the socket match to find zero-bound (listening) sockets, which we do not want, as this may intercept (reply) traffic intended for other nodes when an ephemeral source port number allocated in one node happens to be the same as the allocated proxy port number in 'this' node (the node doing the iptables socket match changed here). Fixes: #12241 Related: #8864 Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
[ upstream commit ca767ee ] '--no-wildcard' allows the socket match to find zero-bound (listening) sockets, which we do not want, as this may intercept (reply) traffic intended for other nodes when an ephemeral source port number allocated in one node happens to be the same as the allocated proxy port number in 'this' node (the node doing the iptables socket match changed here). Fixes: #12241 Related: #8864 Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: Chris Tarazi <chris@isovalent.com>
[ upstream commit ca767ee ] '--no-wildcard' allows the socket match to find zero-bound (listening) sockets, which we do not want, as this may intercept (reply) traffic intended for other nodes when an ephemeral source port number allocated in one node happens to be the same as the allocated proxy port number in 'this' node (the node doing the iptables socket match changed here). Fixes: #12241 Related: #8864 Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: Chris Tarazi <chris@isovalent.com>
[ upstream commit ca767ee ] '--no-wildcard' allows the socket match to find zero-bound (listening) sockets, which we do not want, as this may intercept (reply) traffic intended for other nodes when an ephemeral source port number allocated in one node happens to be the same as the allocated proxy port number in 'this' node (the node doing the iptables socket match changed here). Fixes: #12241 Related: #8864 Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: Chris Tarazi <chris@isovalent.com>
[ upstream commit ca767ee ] '--no-wildcard' allows the socket match to find zero-bound (listening) sockets, which we do not want, as this may intercept (reply) traffic intended for other nodes when an ephemeral source port number allocated in one node happens to be the same as the allocated proxy port number in 'this' node (the node doing the iptables socket match changed here). Fixes: #12241 Related: #8864 Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: Chris Tarazi <chris@isovalent.com>
[ upstream commit ca767ee ] '--no-wildcard' allows the socket match to find zero-bound (listening) sockets, which we do not want, as this may intercept (reply) traffic intended for other nodes when an ephemeral source port number allocated in one node happens to be the same as the allocated proxy port number in 'this' node (the node doing the iptables socket match changed here). Fixes: #12241 Related: #8864 Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
[ upstream commit ca767ee ] '--no-wildcard' allows the socket match to find zero-bound (listening) sockets, which we do not want, as this may intercept (reply) traffic intended for other nodes when an ephemeral source port number allocated in one node happens to be the same as the allocated proxy port number in 'this' node (the node doing the iptables socket match changed here). Fixes: #12241 Related: #8864 Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
Fix an issue where packets after the first inbound packet for a local pod with ingress proxy are dropped in the Linux forwarding logic:
Related: #8813
Follow-up: #8930
This change is