bpf, sock: support v4-in-v6 mapped addresses #9923
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
borkmann
added
pending-review
sig/datapath
|
Release note label not set, please set the appropriate release note. |
|
Release note label not set, please set the appropriate release note. |
borkmann
added
the
release-note/minor
|
test-me-please |
borkmann
force-pushed
the
pr/v4-in-v6-host-reachable
branch
from
a8de28f
to
87e2bd0
Compare
|
test-me-please |
2 tasks
borkmann
added this to In progress (1.7)
in 1.9 kube-proxy removal & general dp optimization
Implement support for v4-in-v6 mapped addresses in host reachable services
in order to connect v6-only type programs making use of the mapping, e.g.
as the case in Java applications.
# ./cilium/cilium service list
ID Frontend Service Type Backend
1 193.99.144.88:1000 ClusterIP 1 => 193.99.144.80:80
Implement support for TCP and UDP. Example for TCP socket via connect:
# strace -f ./a.out
[...]
socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP) = 3
connect(3, {sa_family=AF_INET6, sin6_port=htons(1000), inet_pton(AF_INET6, "::ffff:193.99.144.88", &sin6_addr), sin6_flowinfo=htonl(0), sin6_scope_id=0}, 28) = 0
write(3, "a", 1) = 1
tcpdump trace from application showing that bpf_sock selects the right v4
based backend:
[...]
22:08:35.703384 IP 192.168.178.29.46374 > 193.99.144.80.80: Flags [S], seq 3832600274, win 29200, options [mss 1460,sackOK,TS val 712816014 ecr 0,nop,wscale 7], length 0
22:08:35.715239 IP 193.99.144.80.80 > 192.168.178.29.46374: Flags [S.], seq 2634692580, ack 3832600275, win 4200, options [mss 1400,nop,nop,TS val 3387918079 ecr 712816014,sackOK,eol], length 0
22:08:35.715255 IP 192.168.178.29.46374 > 193.99.144.80.80: Flags [.], ack 1, win 29200, options [nop,nop,TS val 712816026 ecr 3387918079], length 0
[...]
DNS / UDP example:
# ./cilium/cilium service list
ID Frontend Service Type Backend
3 193.99.144.90:53 ClusterIP 1 => 8.8.8.8:53
# dig ipv6.google.com @"::ffff:193.99.144.90"
; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> ipv6.google.com @::ffff:193.99.144.90
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26196
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ipv6.google.com. IN A
;; ANSWER SECTION:
ipv6.google.com. 21588 IN CNAME ipv6.l.google.com.
;; AUTHORITY SECTION:
l.google.com. 48 IN SOA ns1.google.com. dns-admin.google.com. 290586609 900 900 1800 60
;; Query time: 6 msec
;; SERVER: ::ffff:193.99.144.90#53(::ffff:193.99.144.90)
;; WHEN: Tue Jan 21 22:15:08 CET 2020
;; MSG SIZE rcvd: 115
# tcpdump -i any port 53 -n
[...]
22:15:08.506594 IP 192.168.178.29.55071 > 8.8.8.8.53: 26196+ [1au] A? ipv6.google.com. (56)
22:15:08.513540 IP 8.8.8.8.53 > 192.168.178.29.55071: 26196 1/1/1 CNAME ipv6.l.google.com. (115)
[...]
Reported-by: Osvald Ivarsson via Slack
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann
force-pushed
the
pr/v4-in-v6-host-reachable
branch
from
87e2bd0
to
f50adb2
Compare
|
test-me-please |
borkmann
moved this from In progress (1.7)
to Done
in 1.9 kube-proxy removal & general dp optimization
|
vm provision fail in ci, retrying... |
|
test-me-please |
|
VM provisioning failure again. |
|
Test-me-please |
|
test-me-please |
|
Hit #9903 |
|
test-me-please |
|
Same CI flake (code is not involved in the failure), retrying. |
|
test-me-please |
|
Hit same issue. |
|
test-me-please |
aanm
requested changes
Jan 22, 2020
gandro
approved these changes
Jan 22, 2020
This would depend on full IPv6 support in our CI. |
Just discussed offline that we should enable the v6 hook in bpf_sock when we have v4 enabled in order to avoid users having to enable v6 as a whole. Also this enables adding CI tests. Will add both changes in a follow-up. |
|
test-me-please |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See commit msg. /cc @brb
This change is