Host firewall doesn't work with kube-proxy + externalTrafficPolicy=Local

[pchaigno]

Enabling the host firewall breaks externalTrafficPolicy=Local services when using kube-proxy. This limitation is related to the fact that we redirect traffic from pods to remote nodes through a tunnel when the host firewall is enabled.

To reproduce the bug, one can comment the following line in e2e tests:

cilium/test/k8sT/Services.go

Line 1175 in f55ec90

"global.hostFirewall": "false",

Related: #12345.

[brb]

Is this for LB translations happening in bpf_lxc, or bpf_sock is also affected?

[pchaigno]

@brb This bug only happens when using kube-proxy; I've updated the original post to clarify that. I haven't had time to investigate further.

[pchaigno]

The test fails when trying to send a request from hostns@node1 (192.168.36.11) to a NodePort service with externalTrafficPolicy=Local backed by pod@node2 (10.0.1.223).

On node2, we can see the SYN packet arrive, the SYN+ACK answer, then node1 answers with a RST:

-> endpoint 3853 flow 0x0 identity 6->56232 state new ifindex lxc48d10484807c orig-ip 192.168.36.11: 192.168.36.11:43686 -> 10.0.1.223:80 tcp SYN
-> overlay flow 0x3dce0b71 identity 56232->0 state new ifindex cilium_vxlan orig-ip 0.0.0.0: 10.0.1.223:80 -> 192.168.36.11:43686 tcp SYN, ACK
-> endpoint 3853 flow 0x0 identity 6->56232 state established ifindex lxc48d10484807c orig-ip 192.168.36.11: 192.168.36.11:43686 -> 10.0.1.223:80 tcp RST

On node1, with global.bpf.monitorAggregation=none, we see the RST packet:

<- network flow 0x0 identity 0->0 state new ifindex enp0s8 orig-ip 0.0.0.0: 192.168.36.11:57816 -> 192.168.36.12:30829 tcp SYN
<- host flow 0x0 identity 2->0 state new ifindex enp0s8 orig-ip 0.0.0.0: 192.168.36.11:57816 -> 10.0.1.223:80 tcp SYN
-> endpoint 993 flow 0x0 identity 6->1898 state new ifindex lxc6ff61d3239eb orig-ip 192.168.36.11: 192.168.36.11:57816 -> 10.0.1.13:80 tcp SYN
<- endpoint 993 flow 0xa2f78858 identity 1898->0 state new ifindex 0 orig-ip 0.0.0.0: 10.0.1.223:80 -> 192.168.36.11:57816 tcp SYN, ACK
-> overlay flow 0xa2f78858 identity 1898->0 state new ifindex cilium_vxlan orig-ip 0.0.0.0: 10.0.1.223:80 -> 192.168.36.11:57816 tcp SYN, ACK
<- overlay flow 0x0 identity 0->0 state new ifindex cilium_vxlan orig-ip 0.0.0.0: 192.168.36.11:57816 -> 10.0.1.223:80 tcp RST
-> endpoint 993 flow 0x0 identity 6->1898 state established ifindex lxc6ff61d3239eb orig-ip 192.168.36.11: 192.168.36.11:57816 -> 10.0.1.223:80 tcp RST

One thing that is specific to the host firewall here is that packets pod@node2->hostns@node1 are routed through the tunnel (cf. 917afa2). That breaks masquerading and cause node1 to see a source IP for the SYN+ACK packet different from the destination IP for the SYN packet. I don't understand what role externalTrafficPolicy=Local plays here though.

---

Editing the NodePort service to remove externalTrafficPolicy=Local fixes the issue. On node2:

<- network flow 0x0 identity 0->0 state new ifindex enp0s8 orig-ip 0.0.0.0: 192.168.36.11:40128 -> 192.168.36.12:31634 tcp SYN
<- host flow 0x0 identity 2->0 state new ifindex enp0s8 orig-ip 0.0.0.0: 10.0.2.15:42264 -> 10.0.1.223:80 tcp SYN
-> endpoint 1694 flow 0x0 identity 2->17287 state new ifindex lxcf65bd31def3f orig-ip 10.0.2.15: 10.0.2.15:42264 -> 10.0.1.223:80 tcp SYN
<- endpoint 1694 flow 0x13ae3d85 identity 17287->0 state new ifindex 0 orig-ip 0.0.0.0: 10.0.1.223:80 -> 10.0.2.15:42264 tcp SYN, ACK
-> host from flow 0x13ae3d85 identity 17287->1 state reply ifindex cilium_net orig-ip 0.0.0.0: 10.0.1.223:80 -> 10.0.2.15:42264 tcp SYN, ACK
-> stack flow 0x13ae3d85 identity 0->0 state new ifindex cilium_host orig-ip 0.0.0.0: 10.0.1.223:80 -> 10.0.2.15:42264 tcp SYN, ACK
-> network flow 0x13ae3d85 identity 0->0 state new ifindex 0 orig-ip 0.0.0.0: 192.168.36.12:31634 -> 192.168.36.11:40128 tcp SYN, ACK
<- network flow 0x0 identity 0->0 state new ifindex enp0s8 orig-ip 0.0.0.0: 192.168.36.11:40128 -> 192.168.36.12:31634 tcp ACK
<- host flow 0x0 identity 2->0 state new ifindex enp0s8 orig-ip 0.0.0.0: 10.0.2.15:42264 -> 10.0.1.223:80 tcp ACK
-> endpoint 1694 flow 0x0 identity 2->17287 state established ifindex lxcf65bd31def3f orig-ip 10.0.2.15: 10.0.2.15:42264 -> 10.0.1.223:80 tcp ACK

On node1:

<- network flow 0x0 identity 0->0 state new ifindex enp0s8 orig-ip 0.0.0.0: 192.168.36.12:31634 -> 192.168.36.11:40128 tcp SYN, ACK
-> network flow 0xdd7488b4 identity 1->0 state new ifindex 0 orig-ip 0.0.0.0: 192.168.36.11:40128 -> 192.168.36.12:31634 tcp ACK

So for packets pod@node2->hostns@node1 we never go through the tunnel because, when the packet leaves bpf_lxc it is destined to the local host (before masquerading), not the remote node.

---

Ok, so we want packets from a pod to a node to go through the tunnel so that the ingress host policies on the destination node can apply. But for response packets from a pod to a node, we don't want the packets to go through the tunnel because they need to be masqueraded so that the node sees the same source IP as it sent the packets to.

[pchaigno]

We're considering packets leaving a pod for a remote node.
That may happen in two broad cases, refered below as:

1. node->pod: a packet is sent from pod to node1 in response to a connection node1 -> pod@node2.
2. pod->node: a packet is sent from pod@node2 to node1 directly.

+-------------------------+              +---------------------------+
| +----------+            |              |                           |
| |          |            |              |                           |
| | pod      |  node2     |              |         node1             |
| |          |            |              |                           |
| +-----+----+            |              |                           |
|       |                 +--------------+                           |
|       +---------------------------------------->                   |
|       |                 +--------------+                           |
|       |                 |              |                           |
+-------------------------+              +---------------^-----------+
        |                                                |
        |                                                |
        +------------------------------------------------+

Node IP is the routable IP used as the tunnel endpoint. Other HOST_ID IPs are e.g. the IP given to cilium_host.

Current behavior by default

Dir. of connection	node->pod	pod->node
Node IP	masq.	masq.
Other HOST_ID IPs	tunnel	tunnel

Not good enough for host firewall because we lose the identity of the pod when a connection is opened from pod->remote node. So we want to send traffic from a pod to a remote node through the tunnel to preserve the identity.

Broken behavior when host firewall is enabled

Dir. of connection	node->pod	pod->node
Node IP	tunnel	tunnel
Other HOST_ID IPs	tunnel	tunnel

When kube-proxy is enabled, traffic to a externalTrafficPolicy=Local service is not SNATed on node2 before entering the pod@node2. So response packets are sent to node1 via the tunnel and, since they are not masqueraded, they trigger a TCP RST (node1 sees pod's IP instead of node2's IP).

What I want

Dir. of connection	node->pod	pod->node
Node IP	masq.	tunnel
Other HOST_ID IPs	tunnel	tunnel

I don't know how to achieve this because:

• only the datapath can make the distinction on the direction of the connection
• but only userspace can currently tell the difference between Node IP and Other HOST_ID IPs; once in the ipcache, it all becomes REMOTE_NODE_ID.

[joestringer]

but only userspace can currently tell the difference between Node IP and Other HOST_ID IPs; once in the ipcache, it all becomes REMOTE_NODE_ID.

Is this true?

I agree that both the Node IP and other HOST_ID IPs have the same Identity. However the other HOST_ID IPs are inherently not routable on the network (given tunneling mode), so the ipcache should list a nonzero tunnel field:

$ k get nodes
NAME                                     STATUS   ROLES    AGE   VERSION
gke-joe-k-e-default-pool-cd45cbf6-qt5z   Ready    <none>   22d   v1.15.12-gke.2
gke-joe-k-e-default-pool-cd45cbf6-tqz9   Ready    <none>   22d   v1.15.12-gke.2
$ gcx gke-joe-k-e-default-pool-cd45cbf6-tqz9 ip a | grep cilium_host
8: cilium_net@cilium_host: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 1460 qdisc noqueue state UP group default qlen 1000
9: cilium_host@cilium_net: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 1460 qdisc noqueue state UP group default qlen 1000
    inet 10.4.0.235/32 scope link cilium_host
$ gcx gke-joe-k-e-default-pool-cd45cbf6-qt5z cilium bpf ipcache list | grep 10.4.0.235
10.4.0.235/32       6 0 10.168.0.47

^^^ 10.4.0.235 represents an "other HOST_ID IP", and 10.168.0.47 is the node IP it resides on.

EDIT: Oh, and FYI gcx is my convenience macro for "Get Cilium pod and eXec [on node]" so I'm demonstrating that the cilium_host IP on one node shows up in the ipcache of the other node with a tunnel IP associated.

[pchaigno]

I agree that both the Node IP and other HOST_ID IPs have the same Identity. However the other HOST_ID IPs are inherently not routable on the network (given tunneling mode), so the ipcache should list a nonzero tunnel field:

That is correct (and showed in the first table above), and is one idea I explored to differentiate the two types of IP/destinations. However, that distinction based on non-zero tunnel field disappears once all packets to remote nodes are sent through the tunnel (as currently done with the host firewall) because the tunnel field then becomes non-zero for all REMOTE_NODE_ID entries.

[joestringer]

The plot thickens ;-)

However, that distinction based on non-zero tunnel field disappears once all packets to remote nodes are sent through the network (as currently done with the host firewall) because the tunnel field then becomes non-zero for all REMOTE_NODE_ID entries.

The causality seems reversed here, remove the tunnel field from the ipcache entry to force the traffic to be sent through the network.

Is there a commit or PR that describes the rationale for not having the tunnel in the ipcache when in tunneling mode with host-firewall enabled?

Is the "force all traffic through the network" specifically aimed at the host ("host endpoint") traffic or should it apply to traffic from an endpoint as well? I'm wondering if we could keep the tunnel field in the ipcache, but for host endpoint you "ignore it", ie don't use it to tail-call the tunnel. Instead, pass to the stack and rely on routes to ensure the traffic goes back through the tunnel device (which is how I assume we guide traffic via the tunnel or not today).

[pchaigno]

Oops, sorry. I meant: "that distinction based on non-zero tunnel field disappears once all packets to remote nodes are sent through the tunnel (as currently done with the host firewall)" (fixed above).