Don't require host reachable service (socket-LB) for ebpf masquerading

[liuyuan10]

Proposal / RFE

Is your feature request related to a problem?
Yes

Describe the solution you'd like
Today cilium requires host reachable svc to enable bpf masquerading, the restriction is added in this commit.

The reason is that when hostns pods talking to clusterIP, kernel picks node IP as source IP but not cilium_host IP. The packets are still tunneled to remote backend. Due to #12544, the return packet is masqueraded on the remote node. The real fix should be letting kernel pick cilium_host IP for such traffic so that we have symmetric data path.

The feature is useful for kernel < 4.19 where people can enable bpf nodeport and masquerading while keep host-reachable-svc off in kubeproxy partial mode.

Proposal:
Passing a --cilium-host-route-cidr flag to cilium-agent and install a route based on that flag:

[cilium-host-route-cidr] via 192.168.4.111 dev cilium_host src 192.168.4.111 mtu 1450

To make the implementation simpler, maybe we could always install this route when --cilium-host-route-cidr is passed regardless of other flags. So for whoever want to enable bpf masquerading without host-reachable-svc, he needs to pass --cilium-host-route-cidr

[borkmann]

Seems reasonable. Given this can be configured (https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address), I presume there is no programmatic way to retrieve this otherwise?

To make the implementation simpler, maybe we could always install this route when --cilium-host-route-cidr is passed regardless of other flags.

Sounds ok to me as long as properly documented. @brb thoughts?

[liuyuan10]

@brb, please let me know what you think. thanks

[brb]

Requiring socket-LB for BPF masq hides two problems:

1. Unexpected SNAT of a reply packet to a pod in host netns when running in the tunneling mode. The culprit of this is that we don't do a CT lookup on egress to distinguish reply packets. However, even if we did the lookup, the reply would have run into the problem listed in the comment: https://github.com/cilium/cilium/blob/v1.9.5/bpf/lib/nodeport.h#L919-L926 [1]. Thus, the second problem below.
2. Routing asymmetry in the tunneling mode. Pod2pod and host2pod traffic goes via a tunnel, while pod2host is sent over a native device after the traffic has been masqueraded (otherwise, we would run into the [1] problem). This problem was mentioned in this PR cilium: Send pod->node traffic through tunnel in IPSec+vxlan case #14611 (comment) too.

I'd be in favor of fixing both problems (they need to be resolved anyway) instead of introducing a new configuration option to install a custom route, as otherwise we would add more complexity into the datapath.

[liuyuan10]

@brb For host->clusterIP, I think it should go through tunnels in both ways so I don't think (1) matters here. For (2), yes, I think if we fix it, the FR should be also fixed where host->clusterIP goes through tunnel in both ways and source IP is node IP. Could you help to evaluate how hard it is to fix it? I haven't dig it deep enough but from the commit you referred, it seems to be a small change at this line to install the tunnel IP for node external IP. If it's a small scale change, I can take a stub.

[pchaigno]

I haven't dig it deep enough but from the commit you referred, it seems to be a small change at this line to install the tunnel IP for node external IP.

The first part is a small change, but you'll also need something like #14756 to fix the issue introduced by sending all through the tunnel (cf. #14674).

[liuyuan10]

Thanks for the pointers. I think both changes are fairly small and I'll give it a try if that's all needed.

[liuyuan10]

One question, if all pod->node traffic goes through tunnel, how can a pod talk to nodeport? Especially when bpf nodeport is enabled, they are not run if packets are tunnelled to remote node.

[brb]

One question, if all pod->node traffic goes through tunnel, how can a pod talk to nodeport?

Grep for nodeport_lb in bpf_overlay.c (NodePort BPF should be enabled on a tunnel device).

[brb]

For host->clusterIP, I think it should go through tunnels in both ways so I don't think (1) matters here.

Yes, just you will need to remove the following ifndef: https://github.com/cilium/cilium/blob/v1.9.5/bpf/lib/nodeport.h#L918.

[liuyuan10]

@pchaigno @brb I tried to include similar fix as #14756 but that immediately breaks host -> pod flow. Say traffic comes from remote node cilium_host IP to local pod, it's redirected to lxc from overlay device bypassing kernel. But for return traffic, due to that change, it's pushed to kernel because the destination is cilium_host IP, which is present in the IP cache. Because the traffic passes through kernel only in return path, it's dropped due to iptables rules programmed by kube-proxy.

It seems #14756 is introducing more issues when nodeport is disabled.

[pchaigno]

@liuyuan10 I think we just need to avoid the redirect() from cilium_vxlan to lxc device on forward path, no? If per-endpoint routes are enabled, that should already be the case:

cilium/bpf/bpf_lxc.c

Lines 1437 to 1451 in 0218d37

	#if !defined(ENABLE_ROUTING) && defined(ENCAP_IFINDEX) && !defined(ENABLE_NODEPORT)
	/* In tunneling mode, we execute this code to send the packet from
	* cilium_vxlan to lxc*. If we're using kube-proxy, we don't want to use
	* redirect() because that would bypass conntrack and the reverse DNAT.
	* Thus, we send packets to the stack, but since they have the wrong
	* Ethernet addresses, we need to mark them as PACKET_HOST or the kernel
	* will drop them.
	* See #14646 for details.
	*/
	ctx_change_type(ctx, PACKET_HOST);
	#else
	ifindex = ctx_load_meta(ctx, CB_IFINDEX);
	if (ifindex)
	return redirect_ep(ctx, ifindex, from_host);
	#endif /* ENABLE_ROUTING && ENCAP_IFINDEX && !ENABLE_NODEPORT */

[borkmann]

@liuyuan10 I think we just need to avoid the redirect() from cilium_vxlan to lxc device on forward path, no?

If we go that route, ideally just in a constraint setting (e.g. old kernels only) given this will likely introduce a performance regression (it's also incompatible with BPF host routing, but that's latest kernels only).

[pchaigno]

@liuyuan10 I think we just need to avoid the redirect() from cilium_vxlan to lxc device on forward path, no?

If we go that route, ideally just in a constraint setting (e.g. old kernels only) given this will likely introduce a performance regression (it's also incompatible with BPF host routing, but that's latest kernels only).

I think we only need to do that for !defined(ENABLE_NODEPORT) which is in phase with what we discussed a couple SIG-Datapath meetings ago: removing all path asymmetries when using kube-proxy.