
ipsec: IPv6 externalTrafficPolicy=Local E/W is broken when accessed from non-backend node #23481

@brb

The test case is broken for IPv6 when running with IPsec with vxlan and KPR=disabled. However, it works for an IPv4 service.

The tcpdump on a node (fc00:f853:ccd:e793::4) which issued the request:

09:08:18.623453 cilium_vxlan P   IP6 fc00:f853:ccd:e793::4.50304 > fd02::11a.80: Flags [S], seq 4061851243, win 65476, options [mss 65476,sackOK,TS val 3818350863 ecr 0,nop,wscale 7], length 0
09:08:18.623588 lxc9aafe1894701 Out IP6 fc00:f853:ccd:e793::4.50304 > fd02::11a.80: Flags [S], seq 4061851243, win 65476, options [mss 65476,sackOK,TS val 3818350863 ecr 0,nop,wscale 7], length 0
09:08:18.624153 lxc9aafe1894701 In  IP6 fd02::11a.80 > fc00:f853:ccd:e793::4.50304: Flags [S.], seq 108698648, ack 4061851244, win 65050, options [mss 1313,sackOK,TS val 2604710198 ecr 3818350863,nop,wscale 7], length 0
09:08:18.624845 eth0  Out IP6 fd02::11a.80 > fc00:f853:ccd:e793::4.50304: Flags [S.], seq 108698648, ack 4061851244, win 65050, options [mss 1313,sackOK,TS val 2604710198 ecr 3818350863,nop,wscale 7], length 0
09:08:18.627947 cilium_vxlan In  IP6 fc00:f853:ccd:e793::4.50304 > fd02::11a.80: Flags [R], seq 4061851244, win 0, length 0

The service was accessed via curl 'http://[fc00:f853:ccd:e793::4]:31088', and the backend is running on a fc00:f853:ccd:e793::5 node.

Spot that the reply is coming via eth0, so it might be another instance of #23461.

The relevant pwru output:

0xffff8ad95a6c1b00      4    [ksoftirqd/4]         ip6_input_finish sec-arg=0 netns=4026534705 mark=0x0 ifindex=32 proto=dd86 mtu=1500 len=80 [fd02::11a]:80->[fc00:f853:ccd:e793::4]:41453(tcp)
0xffff8ad95a6c1b00      4    [ksoftirqd/4] ip6_protocol_deliver_rcu sec-arg=18446615264862411520 netns=4026534705 mark=0x0 ifindex=32 proto=dd86 mtu=1500 len=80 [fd02::11a]:80->[fc00:f853:ccd:e793::4]:41453(tcp)
0xffff8ad95a6c1b00      4    [ksoftirqd/4]       raw6_local_deliver sec-arg=6 netns=4026534705 mark=0x0 ifindex=32 proto=dd86 mtu=1500 len=40 [fd02::11a]:80->[fc00:f853:ccd:e793::4]:41453(tcp)
0xffff8ad95a6c1b00      4    [ksoftirqd/4]               tcp_v6_rcv sec-arg=96 netns=4026534705 mark=0x0 ifindex=32 proto=dd86 mtu=1500 len=40 [fd02::11a]:80->[fc00:f853:ccd:e793::4]:41453(tcp)
0xffff8ad95a6c1b00      4    [ksoftirqd/4]    inet6_lookup_listener sec-arg=18446744071712769600 netns=4026534705 mark=0x0 ifindex=32 proto=dd86 mtu=1500 len=40 [fd02::11a]:80->[fc00:f853:ccd:e793::4]:41453(tcp)
0xffff8ad95a6c1b00      4    [ksoftirqd/4]      inet6_lhash2_lookup sec-arg=18446615260171014720 netns=4026534705 mark=0x0 ifindex=32 proto=dd86 mtu=1500 len=40 [fd02::11a]:80->[fc00:f853:ccd:e793::4]:41453(tcp)
0xffff8ad95a6c1b00      4    [ksoftirqd/4]      inet6_lhash2_lookup sec-arg=18446615260171015856 netns=4026534705 mark=0x0 ifindex=32 proto=dd86 mtu=1500 len=40 [fd02::11a]:80->[fc00:f853:ccd:e793::4]:41453(tcp)
0xffff8ad95a6c1b00      4    [ksoftirqd/4]      __xfrm_policy_check sec-arg=0 netns=4026534705 mark=0x0 ifindex=32 proto=dd86 mtu=1500 len=40 [fd02::11a]:80->[fc00:f853:ccd:e793::4]:41453(tcp)
0xffff8ad95a6c1b00      4    [ksoftirqd/4]          decode_session6 sec-arg=18446633258186882072 netns=4026534705 mark=0x0 ifindex=32 proto=dd86 mtu=1500 len=40 [fd02::11a]:80->[fc00:f853:ccd:e793::4]:41453(tcp)
0xffff8ad95a6c1b00      4    [ksoftirqd/4] security_xfrm_decode_session sec-arg=18446633258186882092 netns=4026534705 mark=0x0 ifindex=32 proto=dd86 mtu=1500 len=40 [fd02::11a]:80->[fc00:f853:ccd:e793::4]:41453(tcp)
0xffff8ad95a6c1b00      4    [ksoftirqd/4] bpf_lsm_xfrm_decode_session sec-arg=18446633258186882092 netns=4026534705 mark=0x0 ifindex=32 proto=dd86 mtu=1500 len=40 [fd02::11a]:80->[fc00:f853:ccd:e793::4]:41453(tcp)
0xffff8ad95a6c1b00      4    [ksoftirqd/4] __nf_nat_decode_session      [nf_nat] sec-arg=18446633258186882072 netns=4026534705 mark=0x0 ifindex=32 proto=dd86 mtu=1500 len=40 [fd02::11a]:80->[fc00:f853:ccd:e793::4]:41453(tcp)
0xffff8ad95a6c1b00      4    [ksoftirqd/4]           tcp_v6_fill_cb sec-arg=18446615264978099440 netns=4026534705 mark=0x0 ifindex=32 proto=dd86 mtu=1500 len=40 [fd02::11a]:80->[fc00:f853:ccd:e793::4]:41453(tcp)
0xffff8ad95a6c1b00      4    [ksoftirqd/4]        tcp_v6_send_reset sec-arg=18446615264862411520 netns=4026534705 mark=0x0 ifindex=32 proto=dd86 mtu=1500 len=40 [fd02::11a]:80->[fc00:f853:ccd:e793::4]:41453(tcp)
0xffff8ad95a6c1b00      4    [ksoftirqd/4]     tcp_v6_send_response sec-arg=18446615264862411520 netns=4026534705 mark=0x0 ifindex=32 proto=dd86 mtu=1500 len=40 [fd02::11a]:80->[fc00:f853:ccd:e793::4]:41453(tcp)
0xffff8ad95a6c1b00      4    [ksoftirqd/4] security_skb_classify_flow sec-arg=18446633258186881904 netns=4026534705 mark=0x0 ifindex=32 proto=dd86 mtu=1500 len=40 [fd02::11a]:80->[fc00:f853:ccd:e793::4]:41453(tcp)
0xffff8ad95a6c1b00      4    [ksoftirqd/4] bpf_lsm_xfrm_decode_session sec-arg=18446633258186881924 netns=4026534705 mark=0x0 ifindex=32 proto=dd86 mtu=1500 len=40 [fd02::11a]:80->[fc00:f853:ccd:e793::4]:41453(tcp)
0xffff8ad95a6c1b00      4    [ksoftirqd/4]         kfree_skb_reason sec-arg=2 netns=4026534705 mark=0x0 ifindex=32 proto=dd86 mtu=1500 len=40 [fd02::11a]:80->[fc00:f853:ccd:e793::4]:41453(tcp)
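
The path asymmetry pointed out in the capture above can be checked mechanically. The following is an added example, not part of the original issue or of Cilium: it parses `tcpdump -i any` lines and reports replies that egress a native interface while the opposite direction of the flow was seen on the tunnel device. The function names are hypothetical, the interface names `cilium_vxlan` and the `lxc` prefix are taken from the capture, and the sample lines are the five from the issue with TCP options dropped.

```python
import re

# Layout of the "tcpdump -i any" lines in the issue: time, interface,
# direction (In/Out/P), then the IP6 "src > dst" pair and the TCP flags.
LINE = re.compile(r"^\S+ (\S+)\s+(In|Out|P)\s+IP6 (\S+) > (\S+): Flags \[([^\]]+)\]")

# The five capture lines from the issue, abridged (TCP options dropped).
CAPTURE = """\
09:08:18.623453 cilium_vxlan P   IP6 fc00:f853:ccd:e793::4.50304 > fd02::11a.80: Flags [S], seq 4061851243, length 0
09:08:18.623588 lxc9aafe1894701 Out IP6 fc00:f853:ccd:e793::4.50304 > fd02::11a.80: Flags [S], seq 4061851243, length 0
09:08:18.624153 lxc9aafe1894701 In  IP6 fd02::11a.80 > fc00:f853:ccd:e793::4.50304: Flags [S.], seq 108698648, length 0
09:08:18.624845 eth0  Out IP6 fd02::11a.80 > fc00:f853:ccd:e793::4.50304: Flags [S.], seq 108698648, length 0
09:08:18.627947 cilium_vxlan In  IP6 fc00:f853:ccd:e793::4.50304 > fd02::11a.80: Flags [R], seq 4061851244, length 0
""".splitlines()

def parse(lines):
    """Yield one dict per line that matches the expected layout."""
    for line in lines:
        m = LINE.match(line)
        if m:
            iface, direction, src, dst, flags = m.groups()
            yield {"iface": iface, "dir": direction, "src": src, "dst": dst, "flags": flags}

def replies_outside_tunnel(lines, tunnel="cilium_vxlan", pod_prefix="lxc"):
    """Return (src, dst, iface) for each packet that egresses a non-tunnel,
    non-pod interface although the opposite direction of the same flow
    was seen on the tunnel device."""
    pkts = list(parse(lines))
    tunnelled = {(p["src"], p["dst"]) for p in pkts if p["iface"] == tunnel}
    hits = []
    for p in pkts:
        native = p["iface"] != tunnel and not p["iface"].startswith(pod_prefix)
        if p["dir"] == "Out" and native and (p["dst"], p["src"]) in tunnelled:
            hits.append((p["src"], p["dst"], p["iface"]))
    return hits

def reset_flows(lines):
    """Return the (src, dst) pairs on which a RST was observed."""
    return {(p["src"], p["dst"]) for p in parse(lines) if "R" in p["flags"]}

if __name__ == "__main__":
    for src, dst, iface in replies_outside_tunnel(CAPTURE):
        print(f"{src} -> {dst} left via {iface}, not the tunnel")
```
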

Labels

area/datapath: Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
area/encryption: Impacts encryption support such as IPSec, WireGuard, or kTLS.
feature/ipv6: Relates to IPv6 protocol support
kind/bug: This is a bug in the Cilium logic.
