removal logic in v1.17 for handling the from-wireguard program on Cilium downgrade from v1.18 #38187
Merged
julianwiedmann merged 1 commit into cilium:v1.17 on Mar 20, 2025
Force-pushed from 8b70c6a to c17886f
Force-pushed from c17886f to 4a9aac6
This was referenced Mar 14, 2025
Force-pushed from 4a9aac6 to 322e835
This commit adds the needed logic to handle removal of the new program cil_from_wireguard introduced in v1.18 and attached to the ingress of cilium_wg0, replacing our previous cil_from_netdev. These are the possible scenarios while downgrading Cilium:

* WireGuard is not enabled anymore => interface will be deleted, no need to manually handle program detach;
* ingress hook is still needed => attachNetworkDevices() will attach the previous cil_from_netdev to the hook and will immediately detach the cil_from_wireguard to prevent disruptions;
* ingress hook is not needed anymore => replaceWireguardDatapath() will remove the program if present.

Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
Force-pushed from 322e835 to 0ccc0fb
smagnani96 (Contributor, Author): /test
gandro approved these changes on Mar 20, 2025
smagnani96 added a commit that referenced this pull request on Mar 25, 2025
We currently need to attach `cil_from_netdev` to the ingress hook of the Wireguard `cilium_wg0` device to enable encryption of KPR traffic in native routing. In that case, a reply packet would otherwise be dropped due to the lack of rev-SNAT/DNAT (for further info, please refer to the Issue/PR #19401). However, we don't need the whole logic, which might be problematic as described in #19401 (comment): in case of host firewall enabled, policy enforcement would not only (erroneously) happen, but it would also be applied ONLY to the ingress hook of the wireguard device.

Let's switch to a dedicated program with the minimal set of needed features. The new `cil_from_wireguard` must look as much as possible like the previous `cil_from_netdev`, while additionally dropping unneeded features. For this reason, here's the list of codepaths that have been either dropped or preserved:

* Codepaths dropped:
  * ENABLE_NODEPORT_ACCELERATION
  * ctx->vlan_present
  * ENABLE_HOST_FIREWALL
  * ENABLE_IPSEC
  * ENABLE_ARP_PASSTHROUGH || ENABLE_ARP_RESPONDER || ENABLE_L2_ANNOUNCEMENTS
* Codepaths preserved:
  * ENABLE_IPV4_FRAGMENTS
  * ENABLE_NODEPORT
  * ENABLE_HOST_ROUTING

This means that the new wireguard program, as well as the previously attached from_netdev, is able to locally deliver packets to endpoints. However, differently from `cil_from_overlay`, if an endpoint is not identified, the packet is left for the stack.

This patch supports Cilium version upgrades with the removal of the previously used cil_from_netdev. Having both the old from-netdev and the new from-wireguard programs attached causes connectivity problems, therefore here we make sure to always detach the old program.

For downgrades, we previously landed in v1.17 the removal logic for the new from-wireguard program #38187: this means that, upon downgrading Cilium, we are able to:

* TCX: (1) re-attach from-netdev then (2) remove from-wireguard
* TC: replace existing filter with the previous from-netdev

An additional thing to note is that with the cil_from_wireguard program inserted we preserve the same packet path as before, when we used to attach from_netdev rather than from_wg:

* Request pod-to-pod: to_pod->to_netdev->to_wg->to_netdev
* Reply pod-to-pod: from_netdev->from_wg->from_pod

Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
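The two commit messages above describe the downgrade as an ordering problem: the v1.17 agent must never leave the cilium_wg0 ingress hook without a program while KPR in native routing still needs one, and it must never let cil_from_netdev and cil_from_wireguard both process traffic. The Go program below is an added example written for this page, not Cilium's own code: it models the hook as a list of attached programs, walks the three scenarios from this PR's commit message plus the TCX/TC distinction from the referencing commit, and records a snapshot after every mutation so the "attach before detach" property can be checked. `IngressHook`, `PlanDowngrade` and `HookNeverEmpty` are hypothetical helpers; the real `attachNetworkDevices()` and `replaceWireguardDatapath()` named in the commit message are not called here.

```go
package main

import (
	"fmt"
	"slices"
)

// Attachment modes named in the commit messages: tcx lets several programs share
// one hook, while legacy tc swaps a single filter in place.
type Mode string

const (
	ModeTCX Mode = "tcx"
	ModeTC  Mode = "tc"
)

const (
	progFromNetdev    = "cil_from_netdev"    // attached to cilium_wg0 ingress by v1.17
	progFromWireguard = "cil_from_wireguard" // attached there by v1.18 instead
)

// IngressHook is a toy model of the cilium_wg0 ingress hook (hypothetical type).
// Snapshots keeps the set of attached programs after every mutation for auditing.
type IngressHook struct {
	Programs  []string
	Snapshots [][]string
}

// NewIngressHook starts from the programs found on the hook (first snapshot).
func NewIngressHook(progs ...string) *IngressHook {
	h := &IngressHook{Programs: slices.Clone(progs)}
	h.record()
	return h
}

func (h *IngressHook) record() {
	h.Snapshots = append(h.Snapshots, slices.Clone(h.Programs))
}

// Attached reports whether a program of that name is currently on the hook.
func (h *IngressHook) Attached(name string) bool {
	return slices.Contains(h.Programs, name)
}

// attach models a tcx attach: the program is added alongside whatever is there.
func (h *IngressHook) attach(name string) {
	if !h.Attached(name) {
		h.Programs = append(h.Programs, name)
	}
	h.record()
}

func (h *IngressHook) detach(name string) {
	h.Programs = slices.DeleteFunc(h.Programs, func(p string) bool { return p == name })
	h.record()
}

// replaceFilter models legacy tc: the single filter is swapped in one step.
func (h *IngressHook) replaceFilter(name string) {
	h.Programs = []string{name}
	h.record()
}

// DowngradeInput is what the v1.17 agent observes on a node that ran v1.18.
type DowngradeInput struct {
	WireGuardEnabled  bool
	IngressHookNeeded bool // KPR in native routing still needs cil_from_netdev on cilium_wg0
	Mode              Mode
}

// PlanDowngrade walks the scenarios from the commit message, mutates the hook
// accordingly and returns the steps taken. Hypothetical helper, not Cilium code.
func PlanDowngrade(h *IngressHook, in DowngradeInput) []string {
	var steps []string
	switch {
	case !in.WireGuardEnabled:
		// The interface is deleted; its hook and programs disappear with it.
		h.Programs = nil
		h.record()
		steps = append(steps, "cilium_wg0 deleted; no manual detach needed")
	case in.IngressHookNeeded && in.Mode == ModeTCX:
		// Attach the old program first so the hook is never left without one,
		// then drop the v1.18 program so the two never both process traffic.
		h.attach(progFromNetdev)
		steps = append(steps, "tcx: attach "+progFromNetdev)
		h.detach(progFromWireguard)
		steps = append(steps, "tcx: detach "+progFromWireguard)
	case in.IngressHookNeeded:
		h.replaceFilter(progFromNetdev)
		steps = append(steps, "tc: replace filter with "+progFromNetdev)
	case h.Attached(progFromWireguard):
		h.detach(progFromWireguard)
		steps = append(steps, "hook not needed: detach "+progFromWireguard)
	default:
		steps = append(steps, "hook not needed and nothing attached: nothing to do")
	}
	return steps
}

// HookNeverEmpty reports whether every snapshot kept at least one program attached,
// i.e. there was no window in which wg0 ingress traffic bypassed the datapath.
func HookNeverEmpty(h *IngressHook) bool {
	for _, s := range h.Snapshots {
		if len(s) == 0 {
			return false
		}
	}
	return true
}

func main() {
	h := NewIngressHook(progFromWireguard) // constructed start state: v1.18 program on the hook
	in := DowngradeInput{WireGuardEnabled: true, IngressHookNeeded: true, Mode: ModeTCX}
	for _, s := range PlanDowngrade(h, in) {
		fmt.Println(s)
	}
	fmt.Println("final programs:", h.Programs, "hook never empty:", HookNeverEmpty(h))
}
```

In the tcx path the middle snapshot holds both programs for one step, which is exactly the window the commit message says must be closed immediately; in the tc path there is no such window because the filter is replaced atomically. When the hook is no longer needed the model does leave it empty, and HookNeverEmpty reports that, which is the expected outcome rather than a defect.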
smagnani96 added a commit that referenced this pull request on Mar 25, 2025
smagnani96 added a commit that referenced this pull request on Mar 25, 2025
smagnani96 added a commit that referenced this pull request on Mar 31, 2025
For downgrades, we previously landed in v1.17 (i) the removal logic for the newly introduced calls_map, and (ii) the removal logic for the new from-wireguard program #38187: this means that, upon downgrading Cilium, we are able to:

* TCX: (1) re-attach from-netdev then (2) remove from-wireguard
* TC: replace existing filter with the previous from-netdev

An additional thing to note is that with the cil_from_wireguard program inserted we preserve the same packet path as before, when we used to attach from_netdev rather than from_wg:

* Request pod-to-pod: to_pod->to_netdev->to_wg->to_netdev
* Reply pod-to-pod: from_netdev->from_wg->from_pod

Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
smagnani96 added a commit that referenced this pull request on Apr 1, 2025
smagnani96 added a commit that referenced this pull request on Apr 1, 2025
smagnani96 added a commit that referenced this pull request on Apr 1, 2025
smagnani96 added a commit that referenced this pull request on Apr 2, 2025
smagnani96 added a commit that referenced this pull request on Apr 2, 2025
smagnani96 added a commit that referenced this pull request on Apr 3, 2025
smagnani96 added a commit that referenced this pull request on Apr 7, 2025
smagnani96 added a commit that referenced this pull request on Apr 22, 2025
For downgrades, we previously landed in v1.17 (i) the removal logic for the newly introduced calls_map, and (ii) the removal logic for the new from-wireguard program #38187: this means that, upon downgrading Cilium, we are able to:

* TCX: (1) re-attach from-netdev then (2) remove from-wireguard
* TC: replace existing filter with the previous from-netdev

Upgrades/downgrades are correctly handled also due to changing the cilium tailcall map used in the wireguard code path in v1.18: if we preserved the same name cilium_calls_wireguard_2 as v1.17, when downgrading we could experience MissingTailCall errors, given that the new from-wireguard program would still be in place while the calls map is completely overwritten from replaceWireguard. The from-wireguard program is later detached upon re-inserting the old from-netdev, but for that time window it would not be able to handle packets, leaving them for the stack (in most of the cases they'd still be reaching their endpoints).

An additional thing to note is that with the cil_from_wireguard program inserted we preserve the same packet path as before, when we used to attach from_netdev rather than from_wg:

* Request pod-to-pod: to_pod->to_netdev->to_wg->to_netdev
* Reply pod-to-pod: from_netdev->from_wg->from_pod

Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
smagnani96 added a commit that referenced this pull request on Apr 23, 2025
smagnani96
added a commit
that referenced
this pull request
Apr 24, 2025
github-merge-queue bot
pushed a commit
that referenced
this pull request
Apr 24, 2025
This is the minimum logic required to be present in v1.17 for handling Cilium downgrade from v1.18.

In v1.18 we transition to a dedicated `cil_from_wireguard` program, which replaces the previous `cil_from_netdev`. Upon downgrading Cilium, we therefore need the logic to always detach the `cil_from_wireguard` in favor of `cil_from_netdev` to preserve connectivity.

from-wireguard feature in v1.18 that requires this commit in v1.17 #38077 (Issue #33676)