Skip to content

bpf: Generalize SNAT conflict detection#43955

Merged
ldelossa merged 2 commits intomainfrom
ldelossa/generalize-snat-conflict-detection
Feb 11, 2026
Merged

bpf: Generalize SNAT conflict detection#43955
ldelossa merged 2 commits intomainfrom
ldelossa/generalize-snat-conflict-detection

Conversation

@ldelossa
Copy link
Copy Markdown
Contributor

@ldelossa ldelossa commented Jan 23, 2026

Within the node-port/masq path we must detect locally generated host traffic and create a SNAT reservation or translation to avoid conflict with pod traffic.

Prior to this pull request the node-port code made the assumption that locally generated traffic would always be sourced from the direct routing interface IP and will always egress on this interface as well.

Moving forward we want to remove the direct routing interface and allow multi-homed clusters, where egress traffic maybe sourced from a multitude of source IPs and leave on arbitrary devices.

Therefore, we update the node-port nat conflict detection in the to-netdev path to identity host traffic generically.

Host traffic can be generated from:

  • Pods in the host network namespace
  • Host network namespace processes
  • Egress proxy traffic
Generalize the node-port nat conflict detection by removing dependency on direct routing interface

@ldelossa
daemon: enforce iptable rules are present with node-port is enabled
1b03291 
Moving forward the node-port code path will rely on iptables to
identify locally generated traffic and create NAT reservations for this
traffic in order to avoid reservation conflicts.

We will consider it a fatal error moving forward to disable iptable rule
installation while node-port or eBPF masquerading is enabled.

Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jan 23, 2026
@ldelossa ldelossa force-pushed the ldelossa/generalize-snat-conflict-detection branch from f4ee1b3 to 2d20789 Compare January 23, 2026 16:22
@ldelossa ldelossa added the release-note/minor This PR changes functionality that users may find relevant to operating Cilium. label Jan 23, 2026
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jan 23, 2026
@ldelossa ldelossa force-pushed the ldelossa/generalize-snat-conflict-detection branch from 32d19a6 to 4eb8509 Compare January 23, 2026 23:39
@ldelossa ldelossa mentioned this pull request Jan 23, 2026
Open
@ldelossa
Copy link
Copy Markdown
Contributor Author

ldelossa commented Jan 24, 2026

/test

@ldelossa ldelossa marked this pull request as ready for review January 28, 2026 16:28
@ldelossa ldelossa requested review from a team as code owners January 28, 2026 16:28
@ldelossa ldelossa requested review from aditighag, julianwiedmann and rastislavs and removed request for aditighag January 28, 2026 16:28
@ldelossa ldelossa self-assigned this Jan 28, 2026
julianwiedmann
julianwiedmann reviewed Feb 3, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@julianwiedmann julianwiedmann left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Prior to this pull request the node-port code made the assumption that locally generated traffic would always be sourced from the direct routing interface IP and will always egress on this interface as well.

I think it's the other way around - so far the N/S code was always using one specific saddr, and thus it didn't need to care about any other host traffic.

On a more general note (not necessarily something we need to resolve here) - did you consider why we even need this conflict resolution? Why can't we teach the host netns to avoid using the relevant port range? I remember @borkmann mentioning that we even have some logic for this in the agent ...

rastislavs
rastislavs approved these changes Feb 6, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@rastislavs rastislavs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK for the agent bit

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Feb 6, 2026
@joestringer joestringer added dont-merge/discussion A discussion is ongoing and should be resolved before merging, regardless of reviews & tests status. and removed ready-to-merge This PR has passed all tests and received consensus from code owners to merge. labels Feb 6, 2026
@joestringer
Copy link
Copy Markdown
Member

joestringer commented Feb 6, 2026

(feel free to remove the dont-merge label when the comments are resolved)

@ldelossa ldelossa force-pushed the ldelossa/generalize-snat-conflict-detection branch 3 times, most recently from fc6577b to 6ed3e59 Compare February 9, 2026 20:25
@ldelossa ldelossa added area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. and removed dont-merge/discussion A discussion is ongoing and should be resolved before merging, regardless of reviews & tests status. labels Feb 9, 2026
@ldelossa
Copy link
Copy Markdown
Contributor Author

ldelossa commented Feb 10, 2026

/test

@julianwiedmann julianwiedmann added the feature/snat Relates to SNAT or Masquerading of traffic label Feb 11, 2026
julianwiedmann
julianwiedmann reviewed Feb 11, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@julianwiedmann julianwiedmann left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One small change, otherwise this looks good to me!

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Feb 11, 2026
@ldelossa
bpf,nodeport: generalize SNAT conflict detection
f81a7f8 
Prior to this commit the nodeport SNAT conflict detection assumed host
traffic was sourced from the direct routing interface's IP and always
egressed on this device.

Remove this assumption by detecting locally generated traffic from any
egress interface 'bpf_host' is attached to.

This removes the dependency on the direct routing interface in the
node-port path.

Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>
@ldelossa ldelossa force-pushed the ldelossa/generalize-snat-conflict-detection branch from 6ed3e59 to f81a7f8 Compare February 11, 2026 17:43
@ldelossa
Copy link
Copy Markdown
Contributor Author

ldelossa commented Feb 11, 2026

/test

@maintainer-s-little-helper maintainer-s-little-helper bot removed the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Feb 11, 2026
@ldelossa ldelossa closed this Feb 11, 2026
@ldelossa ldelossa deleted the ldelossa/generalize-snat-conflict-detection branch February 11, 2026 20:26
@ldelossa ldelossa restored the ldelossa/generalize-snat-conflict-detection branch February 11, 2026 20:27
@ldelossa ldelossa reopened this Feb 11, 2026
@ldelossa
Copy link
Copy Markdown
Contributor Author

ldelossa commented Feb 11, 2026

/test

@ldelossa ldelossa enabled auto-merge February 11, 2026 21:02
julianwiedmann
julianwiedmann approved these changes Feb 11, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@julianwiedmann julianwiedmann left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm!

@ldelossa ldelossa added this pull request to the merge queue Feb 11, 2026
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Feb 11, 2026
Merged via the queue into main with commit 990f79b Feb 11, 2026
511 checks passed
@ldelossa ldelossa deleted the ldelossa/generalize-snat-conflict-detection branch February 11, 2026 22:03
julianwiedmann
julianwiedmann reviewed Feb 18, 2026
View reviewed changes
daemon/cmd/daemon.go
// The NodePort code must identify locally generated traffic to avoid
// NAT port allocation conflicts.
if (params.KPRConfig.KubeProxyReplacement || params.DaemonConfig.EnableBPFMasquerade) && !params.DaemonConfig.InstallIptRules {
return fmt.Errorf("kube-proxy replacement (--%s) or BPF masquerade (--%s) requires iptables rules (--%s=\"true\")",
Copy link
Copy Markdown
Member

@julianwiedmann julianwiedmann Feb 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ldelossa I think we should also mention this in the upgrade notes for v1.20. Could you please send a patch?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@julianwiedmann julianwiedmann julianwiedmann approved these changes

@rastislavs rastislavs rastislavs approved these changes

Assignees

@ldelossa ldelossa

Labels

area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. feature/snat Relates to SNAT or Masquerading of traffic ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/minor This PR changes functionality that users may find relevant to operating Cilium.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@ldelossa @joestringer @rastislavs @julianwiedmann @msune