Support egress CIDR-dependent L4 policies #1684

@joestringer

Description

We don't currently support specifying policies that have both "ToCIDR" and "ToPorts" on egress. This should allow only traffic that matches both of these conditions.

Alternatively (and less importantly), on ingress we should be able to filter on "FromCIDR" + "ToPorts" (See #4129).

Related: #1599

Design

  • Map CIDRs into labels
  • Allocate identities for sets of CIDR labels
  • Extend datapath ipcache to accept CIDRs (LPM)
  • Push CIDR->identity mappings into the datapath
  • Allow L3-dependent L4 policies to match on CIDR labels

Daemon

  • Each time a CIDR policy is imported, convert CIDR to a (set of) label(s).
  • Allocate identities for sets of cidr labels in KVstore
    • Simple case: Disjoint CIDRs
      • AllocateIdentity("cidr:10.0.0.0/8")
    • Advanced case: Overlapping CIDRs, e.g. 10/8 + 10.1/16 becomes two identities:
      • 10.1/16 is associated with all cidr labels that cover the prefix: []string{"cidr:10.1.0.0/16", "cidr:10.0.0.0/15", "cidr:10.0.0.0/14", ...}
      • 10/8 would need CIDR labels for all prefixes that cover it: []string{"cidr:10.0.0.0/8", "cidr:10.0.0.0/7", ... "cidr:0.0.0.0/0"}
    • Evaluate radix implementations to update labels on insert/remove
      • Radix unnecessary; we can just generate all labels for CIDRs that cover the current CIDR.
    • Prevent Cilium from allocating /32 addresses for which there is already a CIDR identity
      • Otherwise, the CIDR => identity mapping would conflict with a CiliumEndpoint => identity mapping
      • This will be handled in the ipcache watcher logic, to prioritize "192.0.2.3" over "192.0.2.3/32"
    • Special handling for CIDRs of special identities?
      • 0/0 - "world" (Want to use reserved:world identity, not a random allocated identity)
      • host
        • Not a CIDR
      • cluster?
  • Push CIDR->identity mappings into KVstore ipcache
    • CIDR->KVstore sync controller?
    • Always insert the cluster prefix
  • For each configured CIDR, push CIDR->identity mapping down to BPF layer
    • Perhaps, calculate/insert this into the CIDRPolicyMap?
  • In CreateL4Filter():
    • Convert CIDRs into labels
    • Set up the Endpoints wildcard selectors properly depending on CIDR/fromEndpoints wildcards
      • Only CiliumEndpoints
      • Only non-CiliumEndpoints ("Entities"?)
      • All Endpoints
  • Rename/Document to ensure that L4Filter.Endpoints is documented to imply that it represents any network endpoint, not just Cilium endpoints.
  • Improve policy trace to hide irrelevant CIDRs
    • Sort, take the most specific one
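
The label generation, identity allocation and "192.0.2.3 beats 192.0.2.3/32" rule from the Daemon list above, as an added Go example; this is not Cilium's code. cidrLabels, identityAllocator, ipcache, the sorted-label-string allocation key and the identity numbers (world = 2, allocations starting at 256) are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strings"
)

// Added illustration, not Cilium code: type names, function names and the
// identity numbers below are assumptions made for this example.

type NumericIdentity uint32
// reservedWorld stands in for reserved:world; the numeric value is assumed.
const reservedWorld NumericIdentity = 2

// cidrLabels returns a "cidr:" label for the prefix itself and for every
// shorter prefix covering it, down to 0.0.0.0/0 (or ::/0). 10.1.0.0/16 thus
// carries cidr:10.0.0.0/8 too, so a rule for 10.0.0.0/8 selects its identity.
func cidrLabels(cidr string) ([]string, error) {
	_, ipnet, err := net.ParseCIDR(cidr)
	if err != nil {
		return nil, err
	}
	ones, bits := ipnet.Mask.Size()
	labels := make([]string, 0, ones+1)
	for l := ones; l >= 0; l-- {
		covering := ipnet.IP.Mask(net.CIDRMask(l, bits))
		labels = append(labels, fmt.Sprintf("cidr:%s/%d", covering, l))
	}
	return labels, nil
}

// identityAllocator stands in for the KVstore-backed allocator: equal label
// sets share one identity; the bare 0.0.0.0/0 (or ::/0) set maps to world.
type identityAllocator struct {
	next NumericIdentity
	ids  map[string]NumericIdentity
}

func newIdentityAllocator() *identityAllocator {
	return &identityAllocator{next: 256, ids: map[string]NumericIdentity{}}
}

func (a *identityAllocator) Allocate(labels []string) NumericIdentity {
	key := append([]string(nil), labels...)
	sort.Strings(key)
	if len(key) == 1 && (key[0] == "cidr:0.0.0.0/0" || key[0] == "cidr:::/0") {
		return reservedWorld
	}
	k := strings.Join(key, ",")
	if id, ok := a.ids[k]; ok {
		return id
	}
	id := a.next
	a.next++
	a.ids[k] = id
	return id
}

// source records where an ipcache entry came from; a higher value wins.
type source int
const (
	sourceCIDR     source = iota // derived from an imported CIDR policy
	sourceEndpoint               // derived from a CiliumEndpoint
)

type ipcacheEntry struct {
	id  NumericIdentity
	src source
}

// ipcache maps a prefix (endpoint IPs stored as /32 or /128) to an identity.
// Upsert never lets a CIDR-derived entry replace an endpoint's entry for the
// same address, so "192.0.2.3/32" in a policy cannot shadow the endpoint 192.0.2.3.
type ipcache map[string]ipcacheEntry

func (c ipcache) Upsert(prefix string, id NumericIdentity, src source) bool {
	if cur, ok := c[prefix]; ok && cur.src > src {
		return false
	}
	c[prefix] = ipcacheEntry{id: id, src: src}
	return true
}

func main() {
	alloc, cache := newIdentityAllocator(), ipcache{}
	for _, cidr := range []string{"10.0.0.0/8", "10.1.0.0/16", "0.0.0.0/0", "192.0.2.3/32"} {
		labels, _ := cidrLabels(cidr) // literals above are valid
		id := alloc.Allocate(labels)
		fmt.Printf("%-13s -> identity %d via %d labels, first %s\n", cidr, id, len(labels), labels[0])
		cache.Upsert(cidr, id, sourceCIDR)
	}
	// The endpoint at 192.0.2.3 takes the /32 slot; a CIDR re-import cannot take it back.
	cache.Upsert("192.0.2.3/32", 1000, sourceEndpoint)
	again := cache.Upsert("192.0.2.3/32", 4000, sourceCIDR)
	fmt.Printf("192.0.2.3/32 -> identity %d (CIDR re-insert accepted: %v)\n", cache["192.0.2.3/32"].id, again)
}
```

Two things to check when wiring this into a real allocator: the label set of a /16 is 17 entries and of a /32 is 33, so the identity key must be the whole sorted set (not just the most specific label), otherwise two CIDRs that differ only in a covering prefix collide; and the source-priority check has to run on the same normalized key ("192.0.2.3/32", not "192.0.2.3") for both the endpoint watcher and the policy importer, or the conflict the issue describes is never detected.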

Datapath

  • Support LPM via hashmaps
  • Support LPM map type for ipcache (Linux >= 4.11)

Egress

  • Expand ipcache to become LPM (or LPM-like)
  • Remove existing egress CIDR lookups
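
An added Go example (not Cilium datapath code) of the hashmap-based LPM fallback from the Datapath and Egress lists above, together with the L3-dependent L4 policy check it feeds. lpmIPCache, compileEgress, egressAllowed, the identity numbers and the identity table in buildDemo are assumptions constructed for this illustration; the label sets in that table are abbreviated by hand to the prefixes that matter.

```go
package main

import (
	"fmt"
	"net"
)

// Added illustration, not Cilium datapath code. Names and identity numbers
// are assumptions; the identity table in buildDemo is constructed by hand.
type NumericIdentity uint32

// lpmIPCache emulates an LPM map with one hashmap per prefix length, the
// fallback when BPF_MAP_TYPE_LPM_TRIE is unavailable (Linux < 4.11). IPv4
// only, to keep the example short; the zero value is ready to use.
type lpmIPCache struct {
	byLen [33]map[[4]byte]NumericIdentity // index is the prefix length
}

func key4(ip net.IP, l int) [4]byte { // hashmap key: address masked to /l
	var k [4]byte
	copy(k[:], ip.To4().Mask(net.CIDRMask(l, 32)))
	return k
}

func (c *lpmIPCache) Insert(cidr string, id NumericIdentity) error {
	_, n, err := net.ParseCIDR(cidr)
	if err != nil || n.IP.To4() == nil {
		return fmt.Errorf("need an IPv4 CIDR, got %q: %v", cidr, err)
	}
	l, _ := n.Mask.Size()
	if c.byLen[l] == nil {
		c.byLen[l] = map[[4]byte]NumericIdentity{}
	}
	c.byLen[l][key4(n.IP, l)] = id
	return nil
}

// Lookup tries /32 down to /0 and returns the identity of the most specific
// covering prefix: up to 33 hash probes, the price of the hashmap fallback.
func (c *lpmIPCache) Lookup(ip string) (NumericIdentity, bool) {
	addr := net.ParseIP(ip)
	if addr == nil || addr.To4() == nil {
		return 0, false
	}
	for l := 32; l >= 0; l-- {
		if id, ok := c.byLen[l][key4(addr, l)]; ok {
			return id, true
		}
	}
	return 0, false
}

// cidrRule is an egress rule carrying both ToCIDR and ToPorts; l4Key is the
// datapath policy-map key it compiles to.
type cidrRule struct{ toCIDR string; port uint16; proto string }
type l4Key struct{ id NumericIdentity; port uint16; proto string }

// compileEgress expands each rule into policy-map keys. The rule's CIDR is
// matched as the label "cidr:<prefix>", so every identity carrying that label
// gets an entry, including more specific CIDRs, which carry all covering labels.
func compileEgress(rules []cidrRule, identities map[NumericIdentity][]string) map[l4Key]bool {
	pm := map[l4Key]bool{}
	for _, r := range rules {
		for id, labels := range identities {
			for _, lb := range labels {
				if lb == "cidr:"+r.toCIDR {
					pm[l4Key{id, r.port, r.proto}] = true
				}
			}
		}
	}
	return pm
}

// egressAllowed is the per-packet check: resolve the destination identity via
// the ipcache, then require an exact (identity, port, proto) policy entry.
func egressAllowed(c *lpmIPCache, pm map[l4Key]bool, dst string, port uint16, proto string) bool {
	id, ok := c.Lookup(dst)
	return ok && pm[l4Key{id, port, proto}]
}

// buildDemo wires a constructed identity table (label sets abbreviated to the
// prefixes that matter here) and one ToCIDR+ToPorts rule for 10.0.0.0/8:443.
func buildDemo() (*lpmIPCache, map[l4Key]bool) {
	identities := map[NumericIdentity][]string{
		1001: {"cidr:10.0.0.0/8", "cidr:10.0.0.0/7", "cidr:0.0.0.0/0"},
		1002: {"cidr:10.1.0.0/16", "cidr:10.0.0.0/15", "cidr:10.0.0.0/8", "cidr:0.0.0.0/0"},
	}
	c := &lpmIPCache{}
	_ = c.Insert("10.0.0.0/8", 1001)
	_ = c.Insert("10.1.0.0/16", 1002)
	return c, compileEgress([]cidrRule{{"10.0.0.0/8", 443, "TCP"}}, identities)
}

func main() {
	c, pm := buildDemo()
	for _, f := range []struct{ dst string; port uint16 }{{"10.1.2.3", 443}, {"10.9.9.9", 443}, {"10.1.2.3", 80}, {"192.0.2.1", 443}} {
		id, _ := c.Lookup(f.dst)
		fmt.Printf("%s:%d/TCP identity=%d allowed=%v\n", f.dst, f.port, id, egressAllowed(c, pm, f.dst, f.port, "TCP"))
	}
}
```

The case worth noticing is 10.1.2.3:443. The ipcache resolves it to the /16 identity (1002), not the /8 identity the rule names, and the packet is still allowed only because 1002's label set includes cidr:10.0.0.0/8. An allocator that attached just the exact-prefix label to each identity would silently deny traffic to every more specific CIDR covered by a broader rule. With a real LPM trie (Linux >= 4.11) Lookup collapses to a single map lookup keyed by prefix length plus address; the policy-map side is unchanged.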

Ingress

Metadata

Labels

  • area/datapath: Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
  • kind/enhancement: This would improve or streamline existing functionality.
  • priority/high: This is considered vital to an upcoming release.
  • roadmap: This functionality is planned for a future release of Cilium.