bpf: nodeport: handle revDNAT for local backends at to-netdev/to-overlay #22756
Merged: ldelossa merged 6 commits into cilium:master (Jan 19, 2023)
Conversation
Contributor:
I see it's going to be backported to v1.12 and v1.13. Are there plans for v1.11?

Member (Author):
No objection from my side :). Let's see how smooth the I take it you already tested on mainline that this fixes your issue?

Contributor:
We just made the decision to update to 1.12, so we don't need this fix in v1.11. I haven't tested it, but we will see. @aanm Regarding the v1.12 backport, is there an ETA for that? (I see 1.13 is already done.)

Member:
@liuyuan10 No ETA for it.
julianwiedmann added a commit to julianwiedmann/cilium that referenced this pull request (Aug 1, 2023):
We recently added support for Service RevDNAT in to-netdev / to-overlay (cilium#22756). This is currently only used as fall-back, for backends that are either in hostNetwork or bypass the revDNAT step in from-container. With this patch we switch all new connections for local backends to the new RevDNAT mechanism. The code change in itself is simple: once to-container doesn't set the .node_port flag for a pod-level CT entry, from-container also doesn't apply revDNAT for this connection. For new connections, replies by a local backend will now pass through the whole from-container path without being revDNATed. They either get redirected to the tunnel interface, get redirected to an external interface (redirect_direct_*()) or pass to the stack for routing to the external interface. Either way, they eventually reach the revDNAT stage in handle_nat_fwd(). To avoid any cause for disruption, old connections continue to receive their RevDNAT in from-container as before. We can pursue their transition in a subsequent patch. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
julianwiedmann added a commit to julianwiedmann/cilium that referenced this pull request (Nov 24, 2023):
We recently added support for Service RevDNAT in to-netdev / to-overlay (cilium#22756). This is currently only used as fall-back, for backends that are either in hostNetwork or bypass the revDNAT step in from-container. With this patch we switch all new connections for local backends to the new RevDNAT mechanism. The code change in itself is simple: once to-container doesn't set the .node_port flag for a pod-level CT entry, from-container also doesn't apply revDNAT for this connection. For new connections, replies by a local backend will now pass through the whole from-container path without being revDNATed. They eventually reach the revDNAT stage in handle_nat_fwd(), and get handled there. To avoid any cause for disruption, old connections continue to receive their RevDNAT in from-container as before (unless they get reopened, which is a good point to stop their handling in bpf_lxc). We can pursue their transition in a subsequent patch. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Replies by local service backends currently get their revDNAT processing in
from-container. There are two problems with that:
from-container program (i.e. redirect to host proxy), and
So add an additional check for RevDNAT in handle_nat_fwd() at to-netdev,
before such an untranslated reply leaves the node. The same is needed for
to-overlay, see
3a83623 ("bpf: add support for local NodePort via tunnel").
Fixes: #22659
Fixes: #22838
Fixes: #21955
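The decision logic described above and in the referenced commits (from-container revDNATs only when the pod-level CT entry carries the node_port flag; the new check in handle_nat_fwd() at to-netdev/to-overlay catches replies that were left untranslated, including those from hostNetwork backends) as a small user-space model. This is an added example, not Cilium's datapath code: the struct, enum, function names and sample addresses are constructed for illustration, and the real rev_nat lookup is replaced by a single hard-coded mapping.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed sample addresses in host byte order (illustration only). */
#define SVC_IP       0x0a60000aU /* 10.96.0.10: the service VIP */
#define SVC_PORT     80
#define BACKEND_IP   0x0a000105U /* 10.0.1.5: the local backend */
#define BACKEND_PORT 8080

/* Reply packet; revnated records whether reverse translation happened yet. */
struct pkt { uint32_t saddr; uint16_t sport; bool revnated; };
/* A pod's reply traverses from-container; a hostNetwork backend's never does. */
enum backend_kind { POD_BACKEND, HOSTNET_BACKEND };

/* Rewrite backend -> service source address. Stand-in for the real rev_nat
 * lookup; here the mapping is a single hard-coded entry. */
static bool apply_revnat(struct pkt *p)
{
	if (p->revnated || p->saddr != BACKEND_IP || p->sport != BACKEND_PORT)
		return false;
	p->saddr = SVC_IP;
	p->sport = SVC_PORT;
	p->revnated = true;
	return true;
}

/* from-container: revDNAT only when the pod-level CT entry carries the
 * node_port flag that to-container set when the request arrived. */
static void from_container(struct pkt *p, bool ct_node_port)
{
	if (ct_node_port)
		apply_revnat(p);
}

/* to-netdev / to-overlay: the additional check this PR adds, modelled as a
 * second revDNAT attempt on any reply that is still untranslated. */
static void to_netdev_nat_fwd(struct pkt *p)
{
	if (!p->revnated)
		apply_revnat(p);
}

/* Run one backend reply through the datapath and return the source IP it
 * leaves the node with: SVC_IP means the client sees a valid service reply. */
uint32_t reply_egress_saddr(enum backend_kind kind, bool ct_node_port, bool with_fix)
{
	struct pkt reply = { BACKEND_IP, BACKEND_PORT, false };
	if (kind == POD_BACKEND)
		from_container(&reply, ct_node_port);
	if (with_fix)
		to_netdev_nat_fwd(&reply);
	return reply.saddr;
}
```

Without the to-netdev check, a reply whose CT entry lacks the node_port flag, or one from a hostNetwork backend, leaves the node with the backend address as source and the client drops it; with the check both cases egress as the service address.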