Conversation
23db481 to
690dd15
Compare
| tx_closing:1, | ||
| reserve:14; | ||
| nat46:1, | ||
| reserve:13; |
There was a problem hiding this comment.
Where are these magic numbers coming from?
|
@mchalla What is the status on this? Are you looking for a review or are you still working on this? |
|
Yes these are the changes after our discussion when you were here. This voids the nat46 branch changes. Pl review these ones. Thanks. |
tgraf
left a comment
There was a problem hiding this comment.
Looks almost good to be merged. See some inline comments and please clean up the commit message of this commit a bit.
| goto to_host; | ||
| } | ||
| #if defined ENABLE_NAT46 && defined ENABLE_IPV4 && defined CONNTRACK | ||
| if (unlikely(isMappedIPv6Addr(&tuple->addr))) { |
There was a problem hiding this comment.
Please don't use camelCase in the c code.
There was a problem hiding this comment.
Fixed and moved this function to ipv6.h
| } | ||
| #if defined ENABLE_NAT46 && defined ENABLE_IPV4 && defined CONNTRACK | ||
| if (unlikely(isMappedIPv6Addr(&tuple->addr))) { | ||
| ret = ipv6_to_ipv4(skb, 14, htonl(LXC_IPV4)); |
There was a problem hiding this comment.
Are you sure the htonl() here is correct? LXC_IPV4 should be in network byte order already.
There was a problem hiding this comment.
yeah looks like its not in NB order.
- IPv4 address: 10.1.15.138
inet_addr("10.1.15.138") = 0x8a0f010a
#define LXC_IPV4 0xa010f8a
I need to check why the conversion is not happening in go code.
| do_nat46 = 1; | ||
| goto to_host; | ||
| } | ||
| #if defined ENABLE_NAT46 && defined ENABLE_IPV4 && defined CONNTRACK |
There was a problem hiding this comment.
Please define a macro to hide this logic as you are using this guard in multiple places.
|
|
||
| cilium_trace_capture(skb, DBG_CAPTURE_AFTER_V46, skb->ingress_ifindex); | ||
|
|
||
| ret = ipv6_policy(skb, skb->cb[CB_IFINDEX], skb->cb[CB_SRC_LABEL]); |
There was a problem hiding this comment.
skb->protocol is changed here, right? It might be better to do another tail call into __section_tail(CILIUM_MAP_POLICY, LXC_ID) so we are not inlining the IPv6 policy code segment twice in the program. Did you try that, does the verifier allow for that?
cebc6b7 to
4cc896a
Compare
|
Also changed the commit message a bit. |
tgraf
left a comment
There was a problem hiding this comment.
This looks great now. Some minor stuff left. Also needs a rebase.
There was a problem hiding this comment.
Can we use LXC_ID directly here? lxc_id should always be the ID of the container we are forwarding into, right? I think you can save yourself the hassle of extracting the lxc id again.
There was a problem hiding this comment.
return addr->p1 == 0 && addr->p2 == 0 && addr->p3 == 0xFFFF0000;
There was a problem hiding this comment.
Let's add a warning here to make sure we catch this:
#if defined ENABLE_NAT46
#if defined ENABLE_IPV4 && defined CONNTRACK
#define LXC_NAT46
#else
#warning "ENABLE_NAT46 requires ENABLE_IPv4 and CONNTRACK"
#undef LXC_NAT46
#endif
#else
#undef LXC_NAT46
#endif
ffe3b30 to
c951456
Compare
There was a problem hiding this comment.
I think you should move this function into bpf_lxc.c because CILIUM_CALL_IPV4 which is the tail call you make next is only available in that context. We want to avoid somebody making a tail call to CILIUM_CALL_NAT64 from outside lxc context.
There was a problem hiding this comment.
Same here. You rely on LXC_ID which is only valid in bpf_lxc.c context. Let's move this tail call wrapper into bpf_lxc.c
There was a problem hiding this comment.
Good point, moved the two tail calls to bpf_lxc.c.
If destination is a v4 mapped v6 address ::FFFF:<a.b.c.d> use nat46 to talk to the v4 container. ENABLE_NAT46 depends on LXC_IPV4 and CONNTRACK features. packet flow: v6 container(lxc1) ---------- nat64 -----------> v4 container (lxc2) v6 container(lxc1) <--------- nat46 ------------ v4 container (lxc2) lxc1 v4 conntrack will have needs_nat46=1 in lxc2 -> lxc1 direction. Address @tgraf review comments. 1. LXC_NAT46 to represent combination of ENABLE_NAT46, ENABLE_IPV4 & CONNTRACK 2. rename isMappedIPv6Addr to ipv6_addr_is_mapped and move it to ipv6.h 3. Move ipv6_policy after v46 nat to a tail call. 4. Resolve merge conflict by renaming 07-nat46.sh to 08-nat46.sh 5. Cleanups suggested by @tgraf 6. Move NAT46 processing into its own tail calls to keep the insturction complexity under 4K. 7. Move tail_ipv6_to_ipv4 and tail_ipv4_to_ipv6 to bpf_lxc.c Acked-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Madhu Challa madhu@cilium.io
- cilium#190 ,add new param for storing func return value - use k8s API to get current cilium version - use new param if CM enable with deafult version Signed-off-by: Gergo Szakony <janilution@gmail.com>
add troubleshooting blog
When sending a IPv6 packet to a IPv4 mapped destination (::FFFF:IPv4) we do NAT64 and convert the packet to an IPv4 packet with a source address corresponding to the IPv4 address of the container and the destination address as specified in the mapped IPv6 address.
The connection tracking entry will remeber that the packet was translated to allow reverse translation for reply packets.
ENABLE_NAT46 depends on LXC_IPV4 and CONNTRACK features to do the IPv4 packet processing
and connection tracking.
Signed-off-by: Madhu Challa madhu@cilium.io