Skip to content

Fix IPsec support for --devices#31345

Merged
pchaigno merged 4 commits intocilium:mainfrom
pchaigno:fix-ipsec-bpf_host
Mar 25, 2024
Merged

Fix IPsec support for --devices#31345
pchaigno merged 4 commits intocilium:mainfrom
pchaigno:fix-ipsec-bpf_host

Conversation

@pchaigno
Copy link
Copy Markdown
Member

@pchaigno pchaigno commented Mar 12, 2024
edited
Loading

The first two commits are refactoring commits. The third fixes the support for --devices in IPsec. Fourth commit covers this in end-to-end IPsec tests.

Fix a bug that could cause local packet delivery to be skipped, leading to lower performance, when IPsec was enabled and `--devices` provided.

@pchaigno pchaigno added release-note/bug This PR fixes an issue in a previous release of Cilium. area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. feature/ipsec Relates to Cilium's IPsec feature needs-backport/1.15 labels Mar 12, 2024
@pchaigno pchaigno force-pushed the fix-ipsec-bpf_host branch 4 times, most recently from 4c2d590 to 3035a72 Compare March 14, 2024 16:38
@pchaigno pchaigno marked this pull request as ready for review March 15, 2024 13:57
@pchaigno pchaigno requested review from a team as code owners March 15, 2024 13:57
@pchaigno pchaigno requested a review from brlbil March 15, 2024 13:57
jschwinger233
jschwinger233 approved these changes Mar 15, 2024
View reviewed changes
Copy link
Copy Markdown
Member

@jschwinger233 jschwinger233 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a small discrepancy between commit message and code.

pchaigno added 4 commits March 15, 2024 16:05
@pchaigno
datapath: Move IPsec logic to get local IPs
1eca059 
Those helper functions to retrieve the local IPs are all IPsec specific
so let's move them to the ipsec.go file. No functional changes in this
commit.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
@pchaigno
ipsec: Refactor logic to get default IPsec interface
791968a 
This commit extends getDefaultEncryptionInterface to also handle
tunneling mode. That change allows us to start using
getDefaultEncryptionInterface everywhere we need to retrieve the default
IPsec interface.

The unit test for IPsec in subnet encryption mode (ENI and Azure IPAM
modes) must be updated. Subnet encryption is only ever possible in
native routing mode. If we were doing subnet encryption with tunneling,
it would cause undefined behaviors (in the test would fail :)).

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
@pchaigno
cmd, datapath: Support --devices for encryption interfaces
5210b72 
The agent supported attaching the IPsec decryption logic to interfaces
given via --devices. In that case, this logic was contained in bpf_host
instead of bpf_network. This support is partially covered in ginkgo
end-to-end tests.

That support is however broken, as there doesn't seem to be anything
preventing bpf_network from being reloaded in place of bpf_host on the
same interfaces.

This commit fixes it by implementing proper support for --devices in
IPsec. If no devices flag is given then we fallback to using the
encrypt-interface flag. That should allow us to deprecate
encrypt-interface at a latter time.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
@pchaigno
workflows: Cover support for devices in IPsec tests
029615c 
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
@pchaigno pchaigno force-pushed the fix-ipsec-bpf_host branch from 3035a72 to 029615c Compare March 15, 2024 15:27
@pchaigno
Copy link
Copy Markdown
Member Author

pchaigno commented Mar 15, 2024

/test

@viktor-kurchenko viktor-kurchenko requested review from viktor-kurchenko and removed request for brlbil March 18, 2024 11:49
@pchaigno pchaigno enabled auto-merge March 23, 2024 19:45
rgo3
rgo3 approved these changes Mar 25, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@rgo3 rgo3 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall LGTM, just a question for clarification.

@maintainer-s-little-helper maintainer-s-little-helper bot added ready-to-merge This PR has passed all tests and received consensus from code owners to merge. labels Mar 25, 2024
@pchaigno pchaigno added this pull request to the merge queue Mar 25, 2024
Merged via the queue into cilium:main with commit f153f42 Mar 25, 2024
@pchaigno pchaigno deleted the fix-ipsec-bpf_host branch March 25, 2024 15:21
@sayboras sayboras mentioned this pull request Mar 26, 2024
Merged
3 tasks
@github-actions github-actions bot added backport-done/1.15 The backport for Cilium 1.15.x for this PR is done. and removed backport-pending/1.15 labels Mar 28, 2024
@asauber asauber mentioned this pull request Apr 11, 2024
Merged
@julianwiedmann julianwiedmann mentioned this pull request Jul 10, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tklauser tklauser tklauser approved these changes

@jschwinger233 jschwinger233 jschwinger233 approved these changes

@rgo3 rgo3 rgo3 approved these changes

@viktor-kurchenko viktor-kurchenko viktor-kurchenko approved these changes

Assignees

No one assigned

Labels

area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. backport-done/1.15 The backport for Cilium 1.15.x for this PR is done. feature/ipsec Relates to Cilium's IPsec feature ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/bug This PR fixes an issue in a previous release of Cilium.

Projects

No open projects
cilium v1.15.4
Status: Released

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@pchaigno @tklauser @jschwinger233 @rgo3 @viktor-kurchenko @jrajahalme @sayboras