wireguard:fix: always detach unneeded programs #38179

Merged
julianwiedmann merged 2 commits into cilium:main from smagnani96:pr/fix-detach-wireguard
Mar 17, 2025

@smagnani96
Contributor

@smagnani96 smagnani96 commented Mar 13, 2025

With this PR, we make sure to always detach programs attached to cilium_wg0 in case they're not needed anymore:

  • cil_from_netdev in the ingress hook
  • cil_to_wireguard in the egress hook
Always detach BPF programs from cilium_wg0 when not needed.

@smagnani96 smagnani96 added kind/bug This is a bug in the Cilium logic. release-note/bug This PR fixes an issue in a previous release of Cilium. area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. backport/author The backport will be carried out by the author of the PR. feature/wireguard Relates to Cilium's Wireguard feature needs-backport/1.17 This PR / issue needs backporting to the v1.17 branch labels Mar 13, 2025
@smagnani96 smagnani96 marked this pull request as ready for review March 13, 2025 19:14
@smagnani96 smagnani96 requested review from a team as code owners March 13, 2025 19:14
@smagnani96 smagnani96 requested review from derailed, joamaki and rgo3 March 13, 2025 19:14
This commit moves the current check whether to attach cil_to_wireguard
into a specific config utility function.

Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>

This commit patches our current logic to always remove the BPF programs
from cilium_wg0 when not needed. Prior to this, we tend to skip the check,
which could cause problems due to the fact that programs are not unloaded.

Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
@smagnani96 smagnani96 force-pushed the pr/fix-detach-wireguard branch from ed7dd43 to ee1f3a1 Compare March 14, 2025 10:07
@smagnani96
Contributor Author

/test

Contributor

@rgo3 rgo3 left a comment

LGTM, thanks. This should be back-portable to 1.17 without any additional manual work correct?

@smagnani96
Contributor Author

> LGTM, thanks. This should be back-portable to 1.17 without any additional manual work correct?

Correct. Backport PR (to be updated) doesn't seem to complain.

@julianwiedmann julianwiedmann added this pull request to the merge queue Mar 17, 2025
Merged via the queue into cilium:main with commit 570f056 Mar 17, 2025
67 checks passed
@smagnani96 smagnani96 deleted the pr/fix-detach-wireguard branch March 18, 2025 11:29
@github-actions github-actions bot added the backport-done/1.17 The backport for Cilium 1.17.x for this PR is done. label Mar 18, 2025
@julianwiedmann julianwiedmann removed the needs-backport/1.17 This PR / issue needs backporting to the v1.17 branch label Mar 19, 2025