datapath: Do not SNAT replies to outside by brb · Pull Request #17168 · cilium/cilium

brb · 2021-08-16T10:29:16Z

See commit msgs.

Fix: #12544

brb · 2021-08-16T12:08:40Z

test-net-next

brb · 2021-08-16T14:16:23Z

test-me-please

brb · 2021-08-16T15:13:50Z

test-1.19-5.4

brb · 2021-08-16T16:14:51Z

test-1.20-4.19

brb · 2021-08-16T18:32:21Z

test-1.20-4.19

brb · 2021-08-17T15:36:36Z

4.19 is hitting the complexity issue 👀

brb · 2021-08-18T16:36:09Z

test-1.20-4.19

brb · 2021-08-18T20:01:11Z

test-me-please

brb · 2021-08-23T17:20:45Z

test-me-please

brb · 2021-09-07T07:54:34Z

test-me-please

Previously, the BPF-based masquerading (--enable-bpf-masquerade=true) was wrongly masquerading replies from a pod to an outside when the outside had initiated a connection. This was possible when e.g., the outside had a route to the pod cidr. To fix this, we introduce a lightweight CT lookup function ct_is_reply4() which checks whether a given flow is a reply. The lookup function is called in snat_v4_needed(). As a side note, I've tried to move the port extraction to a separate function, but unfortunately it hits complexity issues on the 4.19 kernel in the "K8sDatapathConfig AutoDirectNodeRoutes Check direct connectivity with per endpoint routes" suite: BPF program is too large. Processed 131073 insn libbpf: failed to load program 'handle_to_container' libbpf: failed to load object '624_next/bpf_lxc.o' Signed-off-by: Martynas Pumputis <m@lambda.lt>

Signed-off-by: Martynas Pumputis <m@lambda.lt>

Previously, they were failing due to our datapath masquerading replies from pod to outside. As it got fixed in the previous commit, we can enable BPF-based masquerading. This will also gives us some coverage for the fix. Signed-off-by: Martynas Pumputis <m@lambda.lt>

brb · 2021-09-07T08:36:03Z

test-me-please

Job 'Cilium-PR-K8s-1.16-net-next' failed and has not been observed before, so may be related to your PR:

Click to show.

Test Name

K8sDemosTest Tests Star Wars Demo

Failure Output

FAIL: DNS entry is not ready after timeout

If it is a flake, comment /mlh new-flake Cilium-PR-K8s-1.16-net-next so I can create a new GitHub issue to track it.

brb · 2021-09-08T15:41:01Z

test-net-next

christarazi · 2021-09-08T21:01:58Z

CI has passed and we have reviewer approval, marking ready to merge.

Previously, we required socketLB to be enabled in order for BPF masquerade to properly function. The reasoning was outlined in [1] and [2]. As pointed by Julian Wiedmann, [3] resolved the following NAT reply issue: On the remote node, the reply (dst=the client node IP) gets masqueraded by the BPF-masq feature, because we masquerade pod -> remote host IP in the tunnel mode (see comment in the "snat_v4_needed()" for the reason), and currently we don't consult the CT map to see whether a packet is reply. Thus, we can remove the check. [1]: #15437 [2]: 50e59c3 [3]: #17168 Signed-off-by: Martynas Pumputis <m@lambda.lt>

[ upstream commit 3de8537 ] Previously, we required socketLB to be enabled in order for BPF masquerade to properly function. The reasoning was outlined in [1] and [2]. As pointed by Julian Wiedmann, [3] resolved the following NAT reply issue: On the remote node, the reply (dst=the client node IP) gets masqueraded by the BPF-masq feature, because we masquerade pod -> remote host IP in the tunnel mode (see comment in the "snat_v4_needed()" for the reason), and currently we don't consult the CT map to see whether a packet is reply. Thus, we can remove the check. [1]: #15437 [2]: 50e59c3 [3]: #17168 Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Tam Mach <tam.mach@cilium.io>

brb added the release-note/bug This PR fixes an issue in a previous release of Cilium. label Aug 16, 2021

brb force-pushed the pr/brb/ct-snat-bpf branch 2 times, most recently from 49b6f6b to 6107b87 Compare August 16, 2021 12:03

brb force-pushed the pr/brb/ct-snat-bpf branch 3 times, most recently from 76ad256 to b9a4d2d Compare August 16, 2021 13:42

brb added needs-backport/1.10 area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. labels Aug 16, 2021

brb changed the title ~~datapath: Do not SNAT replies~~ datapath: Do not SNAT replies to outside Aug 16, 2021

brb force-pushed the pr/brb/ct-snat-bpf branch from 12656d7 to c6764f1 Compare August 23, 2021 17:20

brb marked this pull request as ready for review August 23, 2021 17:20

brb requested a review from a team August 23, 2021 17:20

brb requested a review from a team as a code owner August 23, 2021 17:20

brb requested review from a team, kkourt and nebril August 23, 2021 17:20

maintainer-s-little-helper Bot assigned kkourt and nebril Aug 23, 2021

brb requested a review from borkmann August 23, 2021 17:26

maintainer-s-little-helper Bot assigned borkmann Aug 23, 2021

pchaigno added the dont-merge/bad-bot To prevent MLH from marking ready-to-merge. label Sep 6, 2021

brb force-pushed the pr/brb/ct-snat-bpf branch from c6764f1 to b24f05b Compare September 7, 2021 07:46

brb force-pushed the pr/brb/ct-snat-bpf branch from b24f05b to d567075 Compare September 7, 2021 08:11

brb added 3 commits September 7, 2021 10:14

datapath: Improve snat_v4_needed() comment

8bc4eb9

Signed-off-by: Martynas Pumputis <m@lambda.lt>

christarazi removed dont-merge/needs-rebase This PR needs to be rebased because it has merge conflicts. dont-merge/bad-bot To prevent MLH from marking ready-to-merge. labels Sep 8, 2021

christarazi added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Sep 8, 2021

brb mentioned this pull request Sep 9, 2021

CI: K8sDemosTest Tests Star Wars Demo: DNS entry is not ready after timeout #17350

Closed

kaworu merged commit 4b92d2d into master Sep 10, 2021

kaworu deleted the pr/brb/ct-snat-bpf branch September 10, 2021 15:17

kaworu mentioned this pull request Sep 14, 2021

v1.10 backports 2021-09-14 #17392

Merged

kaworu added backport-pending/1.10 and removed needs-backport/1.10 labels Sep 14, 2021

christarazi mentioned this pull request Sep 29, 2021

WIP: v1.10 kpr + istio + snat bpf #17293

Closed

christarazi added backport-done/1.10 and removed backport-pending/1.10 labels Oct 5, 2021

joestringer mentioned this pull request Oct 13, 2021

Prepare for release v1.10.5 #17606

Merged

benesch mentioned this pull request Jul 17, 2022

Masquerading does not correctly handle external replies on secondary interfaces #20554

Open

2 tasks

brb mentioned this pull request Jul 11, 2024

daemon: Do not require socketLB for BPF masq #33728

Merged

Conversation

brb commented Aug 16, 2021 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

brb commented Aug 16, 2021

Uh oh!

brb commented Aug 16, 2021

Uh oh!

brb commented Aug 16, 2021

Uh oh!

brb commented Aug 16, 2021

Uh oh!

brb commented Aug 16, 2021

Uh oh!

brb commented Aug 17, 2021

Uh oh!

brb commented Aug 18, 2021

Uh oh!

brb commented Aug 18, 2021

Uh oh!

brb commented Aug 23, 2021

Uh oh!

brb commented Sep 7, 2021

Uh oh!

brb commented Sep 7, 2021 • edited by maintainer-s-little-helper Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Test Name

Failure Output

Uh oh!

brb commented Sep 8, 2021

Uh oh!

christarazi commented Sep 8, 2021

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

8 participants

brb commented Aug 16, 2021 •

edited

Loading

brb commented Sep 7, 2021 •

edited by maintainer-s-little-helper Bot

Loading