BPF masquerading does not masquerade traffic to remote node's ExternalIP

[jochenseeber]

Bug report

We have a Cilium cluster with native routing (no encapsulation). When starting a pod on any node, the node it runs on is reachable (e.g. ping). However, other nodes external IP is not reachable. So if pod1 runs on node1, ping external_ip_of_node1 works, ping external_ip_of_node2 does not.

Each node has an internal interface (dummy0) and an external interface (external). All nodes are connected internally using a WireGuard interface (wg0) at the OS level (not managed by Cilium) so that all cluster traffic is encrypted. All external interfaces are reachable from each node.

General Information

• Cilium version (run cilium version)

Defaulted container "cilium-agent" out of: cilium-agent, mount-cgroup (init), wait-for-node-init (init), clean-cilium-state (init)
Client: 1.10.3 4145278 2021-07-15T16:11:03+02:00 go version go1.16.6 linux/amd64
Daemon: 1.10.3 4145278 2021-07-15T16:11:03+02:00 go version go1.16.6 linux/amd64

• Kernel version (run uname -a)

Linux dev-0001 5.8.0-63-generic #71-Ubuntu SMP Tue Jul 13 15:59:12 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

• Orchestration system version in use (e.g. kubectl version, ...)

Client Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.3+k3s1", GitCommit:"1d1f220fbee9cdeb5416b76b707dde8c231121f2", GitTreeState:"clean", BuildDate:"2021-07-22T20:52:14Z", GoVersion:"go1.16.6", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.3+k3s1", GitCommit:"1d1f220fbee9cdeb5416b76b707dde8c231121f2", GitTreeState:"clean", BuildDate:"2021-07-22T20:52:14Z", GoVersion:"go1.16.6", Compiler:"gc", Platform:"linux/amd64"}

• Generate and upload a system zip:

curl -sLO https://git.io/cilium-sysdump-latest.zip && python cilium-sysdump-latest.zip

How to reproduce the issue

1. Start a network multitool pod on any node (https://github.com/Praqma/Network-MultiTool)
2. Exec into a shell of the pod
3. Ping external address: ping 1.1.1.1 works
4. Ping own node's external address: works
5. Ping other node's external address: does not work

pinging external system

tcpdump

17:42:40.538395 IP 10.100.2.123 > 1.1.1.1: ICMP echo request, id 51, seq 1, length 64
17:42:40.538453 IP NODE1 > 1.1.1.1: ICMP echo request, id 61439, seq 1, length 64
17:42:40.543845 IP 1.1.1.1 > NODE1: ICMP echo reply, id 61439, seq 1, length 64
17:42:40.543892 IP 1.1.1.1 > 10.100.2.123: ICMP echo reply, id 51, seq 1, length 64

cilium monitor

Policy verdict log: flow 0x0 local EP ID 333, remote ID world, proto 1, egress, action allow, match all, 10.100.2.123 -> 1.1.1.1 EchoRequest
-> stack flow 0x0 identity 237465->world state new ifindex 0 orig-ip 0.0.0.0: 10.100.2.123 -> 1.1.1.1 EchoRequest

Some NAT seems to be happening here

pinging own node

tcpdump

17:38:29.191152 IP 10.100.2.123 > NODE1: ICMP echo request, id 47, seq 1, length 64
17:38:29.191219 IP NODE1 > 10.100.2.123: ICMP echo reply, id 47, seq 1, length 64

cilium monitor

-> stack flow 0x0 identity 237465->host state new ifindex 0 orig-ip 0.0.0.0: 10.100.2.123 -> NODE1 EchoRequest
-> endpoint 333 flow 0x0 identity host->237465 state reply ifindex 0 orig-ip NODE1: NODE1 -> 10.100.2.123 EchoReply

works

pinging other node

tcpdump

17:39:02.437350 IP 10.100.2.123 > $NODE2: ICMP echo request, id 48, seq 1, length 64

cilium monitor

Policy verdict log: flow 0x0 local EP ID 333, remote ID remote-node, proto 1, egress, action allow, match all, 10.100.2.123 -> NODE2 EchoRequest
-> stack flow 0x0 identity 237465->remote-node state new ifindex 0 orig-ip 0.0.0.0: 10.100.2.123 -> NODE2 EchoRequest

no response (and no NAT!)

[jochenseeber]

Slack discussion about this: https://cilium.slack.com/archives/C1MATJ5U5/p1629215650387500

[pchaigno]

Summarizing discussion from Slack:

Root Cause

The cluster is using BPF-based masquerading:

# kubectl -n kube-system exec cilium-jf7bc -- cilium status --verbose
[...]
Masquerading:           BPF       [dummy0, external]   10.96.0.0/12 [IPv4: Enabled, IPv6: Disabled]

In BPF-based masquerading, we rely on the destination security identity to skip masquerading for cluster nodes. In particular, we filter on the remote-node identity:

cilium/bpf/lib/nodeport.h

Lines 1203 to 1204 in 83edea8

	if (info->sec_label == REMOTE_NODE_ID)
	return false;

However, all IP addresses of remote nodes are associated with this remote-node identity, regardless of internal vs. external.

Workaround

A simple workaround is to disable BPF masquerading to rely on our iptables-based masquerading instead. A more complex workaround would be to handle masquerading yourself.

Long-term Solution

It looks like we shouldn't be masquerading traffic to external IP addresses. Differentiating between external IP addresses and internal IP addresses in the BPF logic will be a bit more involved than a simple if condition. We may need to have a map with all internal IP addresses. /cc @brb

I have a PR opened to extend this logic to the iptables-based masquerading: #16603. In the current version of the PR, we skip masquerading for external IP addresses as well. If we decide not to, it's easy to change.

[aditighag]

Just to add to @pchaigno's comment -

BPF-based masquerading currently skips SNAT for both internal and external IPs (Paul has linked the code).
iptables-based masquerading currently SNATs traffic destined to both internal and external IPs. However, this will change with Paul's PR. We need the ability to differentiate between traffic destined to internal and external IPs in both the cases.

[brb]

Re BPF masq, #17168 should fix the issue.

[pchaigno]

@brb But regardless of #17168, should we skip masquerading for external IPs of remote nodes?

[jochenseeber]

We encountered this while trying to set up cert-manager. In order to authenticate for LetsEncrypt certs, it needs to answer an external http request to each alias/host that is part of the certificate. In order to validate its setup, the cert-manager pod tries to do these requests before obtaining the certificate, thus making HTTP requests to other nodes. Here the pod -> other node traffic does not work "out of the box".

If you route to an external IP, IMO the source address should also be an external IP that can be reached over the cluster's external network. The packet basically leaves the host through the external interface without getting masqueraded/snatted, while the documentation states: "--enable-ipv4-masquerade : Masquerade IPv4 traffic from endpoints leaving the host" (cilium-agent docs). My first expectation would be when handing over packets to the external network that Cilium makes sure the addresses are "correct" from the view of the external network, and then let the external network do its job routing those packets.

[aditighag]

should we skip masquerading for external IPs of remote nodes?

I think we should only skip masquerading for internal IPs. What would be the reasons for not masquerading external IPs?

Edit : Specifically for the BPF masquerading case, probably complexity is the reason based on Paul's comment -

Differentiating between external IP addresses and internal IP addresses in the BPF logic will be a bit more involved than a simple if condition.

[pchaigno]

should we skip masquerading for external IPs of remote nodes?

I think we should only skip masquerading for internal IPs. What would be the reasons for not masquerading external IPs?

Yes, that's what I meant to write 🤦

Should we skip masquerading only for internal IPs of remote nodes?

[brb]

Should we skip masquerading only for internal IPs of remote nodes?

I assume we are talking about k8s Node's ExternalIP and InternalIP, right? What's the exact meaning of the ExternalIP in the context of k8s?

[pchaigno]

The documentation only seems to state:

ExternalIP: Typically the IP address of the node that is externally routable (available from outside the cluster).
InternalIP: Typically the IP address of the node that is routable only within the cluster.

[brb]

We could make BPF masq aware of the ExternalIPs, but at the cost of losing a security identity of a sender. I'm still trying to understand all implications.