Difference in cilium bpf masq compared to upstream ip-masq-agent

[tamilmani1989]

Is there an existing issue for this?

• I have searched the existing issues

Version

equal or higher than v1.16.0 and lower than v1.17.0

What happened?

Cilium ebpf based masquerading does not perform SNAT on packets destined for a remote node, even if the node CIDR is not listed in the non-masquerade list. This behavior differs from the upstream ip-masq-agent, which SNATs all packets except those with IP CIDRs specified in the non-masquerade CIDR list in the ip-masq-agent configmap. If the node CIDR is omitted from the ip-masq-agent configmap, the upstream ip-masq-agent will SNAT packets destined for remote node IPs, as expected.

I tried to look cilium bpf snat code and found this code checking for remote identity and ignoring snat. I could be wrong.

cilium/bpf/lib/nat.h

Line 669 in db39851

if (identity_is_remote_node(remote_ep->sec_identity))

where bpf program smartly ignores snat remote node ips.

How can we reproduce the issue?

1. enable bpf masquerading in cilium agent.
2. Deploy this config map: (192.168.0.0/16 is pod cidr and node cidr is 10.10.0.0/16)

apiVersion: v1
kind: ConfigMap
metadata:
  name: ip-masq-agent
  namespace: kube-system
data:
  config: |
    nonMasqueradeCIDRs:
    - 192.168.0.0/16 
    masqLinkLocal: true

3. ping to remote node ip from any of the pods
   traffic won't get snat which is not expected.

k exec -it -n kube-system         cilium-zg2mz -- cilium bpf ipmasq list
Defaulted container "cilium-agent" out of: cilium-agent, install-cni-binaries (init), mount-cgroup (init), apply-sysctl-overwrites (init), mount-bpf-fs (init), clean-cilium-state (init), systemd-networkd-overrides (init), block-wireserver (init)
IP PREFIX/ADDRESS
192.168.0.0/16

00:01:46.635718 00:0d:3a:fa:50:9b > 12:34:56:78:9a:bc, ethertype IPv4 (0x0800), length 98: 192.168.1.101 > 10.10.0.5: ICMP echo request, id 37444, seq 39, length 64

In case of upstream ip-masq-agent:

root@aks-nodepool1-30074333-vmss000000:/# iptables -t nat -L  IP-MASQ-AGENT
Chain IP-MASQ-AGENT (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             192.168.0.0/16       /* ip-masq-agent: local traffic is not subject to MASQUERADE */
MASQUERADE  all  --  anywhere             anywhere             /* ip-masq-agent: outbound traffic is su

00:22:36.014827 00:0d:3a:fa:50:9b > 12:34:56:78:9a:bc, ethertype IPv4 (0x0800), length 98: 10.10.0.4 > 10.10.0.5: ICMP echo request, id 40417, seq 9, length 64

where 10.10.0.4 is source node ip and pod traffic get snat with node ip.

Cilium Version

1.16

Kernel Version

5.15

Kubernetes Version

1.28

Regression

No response

Sysdump

No response

Relevant log output

No response

Anything else?

No response

Cilium Users Document

• Are you a user of Cilium? Please add yourself to the Users doc

Code of Conduct

• I agree to follow this project's Code of Conduct

[joestringer]

Can you also share whether you have configured tunneling or native routing mode and any native routing CIDRs?

Broadly if the Pod range is routable on the network as you transmit traffic towards another node, I would expect the traffic not to be masqueraded because masquerading is unnecessary. For that I would expect native routing CIDR + native routing mode to override ip-masq-agent configuration. On the other hand if pod ranges are not routable on the fabric then I can see the motivation to masquerade the traffic.

[julianwiedmann]

I slightly changed the issue title, as the behavior you noticed is caused by the core BPF MASQ logic, not Cilium's version of the ip-masq agent.

[tamilmani1989]

Can you also share whether you have configured tunneling or native routing mode and any native routing CIDRs?

Native routing mode

Broadly if the Pod range is routable on the network as you transmit traffic towards another node, I would expect the traffic not to be masqueraded because masquerading is unnecessary. For that I would expect native routing CIDR + native routing mode to override ip-masq-agent configuration. On the other hand if pod ranges are not routable on the fabric then I can see the motivation to masquerade the traffic.

In Azure CNI overlay mode link , pod and node cidr are in different address space and we made this conscious decision (considering few cases) to snat all packets except for pod cidr . Today Azure cni powered by cilium in overlay mode (legacy host routing) uses ip-masq-agent to snat packets which are not destined to pod cidr and when we move to ebpf host routing in future, like to have same behavior

[viktor-kurchenko]

Hey folks, is it related to the following note in the documentation:

When eBPF-masquerading is enabled, traffic from pods to the External IP of cluster nodes
will also not be masqueraded. The eBPF implementation differs from the iptables-based
masquerading on that aspect. This limitation is tracked at GitHub issue 17177.

?

I was trying to reproduce the issue but I don't understand how to disable AKS ip-masq-agent.
@tamilmani1989 could you please elaborate? Thanks!

[tamilmani1989]

@viktor-kurchenko I tested on AKS BYO CNI cluster which does not run AKS ip-masq-agent. One other option is to use AKS Podsubnet cluster which doesn't run AKS ip-masq-agent. https://learn.microsoft.com/en-us/azure/aks/configure-azure-cni-dynamic-ip-allocation#configure-networking-with-dynamic-allocation-of-ips-and-enhanced-subnet-support---azure-cli

[amitmavgupta]

@tamilmani1989 would it help to clarify the PR heading as "Azure CNI powered by Cilium in Overlay Mode to not use ip-masq-agent"?

The link you have pasted talks about Dynamic IP in VNET mode, but we are talking of Overlay mode in the PR. Could you help clarify that part?

[behzad-mir]

@amitmavgupta You can either use PodSubnet or BYOCNI cluster. However, the packets to external IPs are not getting SNATed.

[viktor-kurchenko]

I was able to reproduce the issue using the following steps:

1. Create KPR file kube-proxy.json:

{
  "enabled": false,
  "mode": "IPVS",
  "ipvsConfig": {
    "scheduler": "LeastConnection",
    "TCPTimeoutSeconds": 900,
    "TCPFINTimeoutSeconds": 120,
    "UDPTimeoutSeconds": 300
  }
}

2. Create BYOCNI cluster:

RESOURCE_GROUP="vk-test"
CLUSTER_NAME="vk-byocni"
NODE_SUBNET_ID="<subnet-id>"
az aks create --kubernetes-version 1.28.0 \
              --resource-group "${RESOURCE_GROUP}" \
              --name "${CLUSTER_NAME}" \
              --network-plugin none \
              --pod-cidr "192.168.0.0/16" \
              --service-cidr "10.11.0.0/16" \
              --dns-service-ip "10.11.0.10" \
              --vnet-subnet-id "${NODE_SUBNET_ID}" \
              --kube-proxy-config kube-proxy.json

3. Connect to the cluster:

az aks get-credentials --resource-group ${RESOURCE_GROUP} --name ${CLUSTER_NAME} --overwrite-existing

4. Add IP masquerade config map ipmasq.yaml:

apiVersion: v1
kind: ConfigMap
metadata:
  name: ip-masq-agent
  namespace: kube-system
data:
  config: |
    nonMasqueradeCIDRs:
    - 192.168.0.0/16 
    masqLinkLocal: true

Run: kubectl apply -f ipmasq.yaml

5. Install Cilium:

cilium install --version 1.16.5 \
               --set azure.resourceGroup="${RESOURCE_GROUP}" \
               --set ipam.operator.clusterPoolIPv4PodCIDRList='{192.168.0.0/16}' \
               --set ipMasqAgent.enabled=true \
               --set kubeProxyReplacement=true \
               --set bpf.masquerade=true \
               --set routingMode=native

6. Verify Cilium agent status:

kubectl -n kube-system exec ds/cilium -- cilium status

Output example:

KubeProxyReplacement:    True   [eth0   10.10.0.4 fe80::6245:bdff:fed5:bfda (Direct Routing)]
Routing:                 Network: Native   Host: BPF
Masquerading:            BPF (ip-masq-agent)   [eth0]   192.168.1.0/24 [IPv4: Enabled, IPv6: Disabled]

7. Verify ipmasq BPF map:

kubectl -n kube-system exec ds/cilium -- cilium bpf ipmasq list

It should contain one entry:

IP PREFIX/ADDRESS   
192.168.0.0/16

8. Run pod in host network namespace with tcpdump:

kubectl run node --rm -i --tty --overrides='{"spec": {"hostNetwork": true}}' --image nicolaka/netshoot
tcpdump icmp -n

9. Run test pod:

kubectl run client --rm -i --tty --image nicolaka/netshoot

10. Verify that test pods are on different nodes:

kubectl get pod -o wide

11. Ping node IP from pod and check tcpdump logs:

17:27:20.365194 IP 192.168.1.56 > 10.10.0.4: ICMP echo request, id 66, seq 1, length 64
17:27:20.365306 IP 10.10.0.4 > 192.168.1.56: ICMP echo reply, id 66, seq 1, length 64
17:27:21.393459 IP 192.168.1.56 > 10.10.0.4: ICMP echo request, id 66, seq 2, length 64
17:27:21.393549 IP 10.10.0.4 > 192.168.1.56: ICMP echo reply, id 66, seq 2, length 64
17:27:22.417309 IP 192.168.1.56 > 10.10.0.4: ICMP echo request, id 66, seq 3, length 64

@tamilmani1989 and @behzad-mir could you please confirm?

CC: @amitmavgupta JFYI