Fix DNS egress L7 policy in ENI mode by joestringer · Pull Request #8837 · cilium/cilium

joestringer · 2019-08-08T04:57:57Z

ENI mode was disabling L7 proxy entirely previously due to an overeager check in the datapath to avoid redirecting to the proxy in cases where the endpoint devices are IPVLAN devices.

These fixes enable the following cases in ENI mode:

Egress L7 policy plus no ingress policy

Fixes: #8813

Future work:

Egress L7 + Ingress L7 policy within a single node (Fix L7 ingress proxy iptables redirects in direct routing mode #8864)
Ingress L7 policy plus no egress policy within single node (Fix L7 ingress proxy iptables redirects in direct routing mode #8864)
Ingress L7 policy plus no egress policy across multiple nodes (This doesn't work at all in my kernel 4.14.128-112.105.amzn2.x86_64 setup)
Egress L7 policy + Ingress L7 policy across multiple nodes (it's not so much that this completely doesn't work, rather in this combination the destination sees source id world rather than of the pod)

This change is

joestringer · 2019-08-08T04:58:06Z

test-me-please

coveralls · 2019-08-08T05:20:04Z

Coverage decreased (-0.009%) to 44.169% when pulling dea7a69 on joestringer:submit/eni-proxy into a234302 on cilium:master.

borkmann

Shouldn't ENI mode simply define ENABLE_HOST_REDIRECT then?
L7 with ipvlan is not supported (https://cilium.readthedocs.io/en/stable/gettingstarted/ipvlan/) at this point.

tgraf · 2019-08-08T14:27:16Z

@joestringer I remember that for the lyft-cni chaining, it was required to specifically route via cilium_host in order to get the redirect to work. It's interesting that this is no longer the case apparently. Could also be specific to kernel versions. I remember @jrfastab saw similar issues related to the encryption work.

joestringer · 2019-08-09T00:59:04Z

Enabling host redirect fixes DNS egress proxy iirc, but had other problems. Long and short is that right now if I just enable host redirect it causes ingress proxy at destination to receive SYN, reply with SYN/ACK, then fail to receive the ACK (and retransmit SYN/ACK ad infinitum). SYN/ACK reaches source node which responds with ACK, which arrives to eth1 of destination but I haven't been able to trace it further than that yet.

EDIT: Here's a rough sense of the netfilter stack paths for this configuration:

[240175.580516] CILIUM_PRE_raw:     IN=eth1 OUT= MAC=0a:8a:c1:c9:2f:00:0a:44:02:cb:2a:5e:08:00 SRC=192.168.94.61 DST=192.168.47.21 LEN=60 TOS=0x00 PREC=0x00 TTL=253 ID=65417 DF PROTO=TCP SPT=34388 DPT=80 WINDOW=26883 RES=0x00 SYN URGP=0                                               
[240175.594056] CILIUM_PRE_mangle:  IN=eth1 OUT= MAC=0a:8a:c1:c9:2f:00:0a:44:02:cb:2a:5e:08:00 SRC=192.168.94.61 DST=192.168.47.21 LEN=60 TOS=0x00 PREC=0x00 TTL=253 ID=65417 DF PROTO=TCP SPT=34388 DPT=80 WINDOW=26883 RES=0x00 SYN URGP=0                                               
[240175.607625] CILIUM_PRE_nat:     IN=eth1 OUT= MAC=0a:8a:c1:c9:2f:00:0a:44:02:cb:2a:5e:08:00 SRC=192.168.94.61 DST=192.168.47.21 LEN=60 TOS=0x00 PREC=0x00 TTL=253 ID=65417 DF PROTO=TCP SPT=34388 DPT=80 WINDOW=26883 RES=0x00 SYN URGP=0                                               
[240175.621522] CILIUM_FORWARD:     IN=eth1 OUT=lxc61b3fb1d7642 MAC=0a:8a:c1:c9:2f:00:0a:44:02:cb:2a:5e:08:00 SRC=192.168.94.61 DST=192.168.47.21 LEN=60 TOS=0x00 PREC=0x00 TTL=252 ID=65417 DF PROTO=TCP SPT=34388 DPT=80 WINDOW=26883 RES=0x00 SYN URGP=0                                
[240175.637058] CILIUM_POST_mangle: IN= OUT=lxc61b3fb1d7642 SRC=192.168.94.61 DST=192.168.47.21 LEN=60 TOS=0x00 PREC=0x00 TTL=252 ID=65417 DF PROTO=TCP SPT=34388 DPT=80 WINDOW=26883 RES=0x00 SYN URGP=0                                                                                  
[240175.649602] CILIUM_POST_nat:    IN= OUT=lxc61b3fb1d7642 SRC=192.168.94.61 DST=192.168.47.21 LEN=60 TOS=0x00 PREC=0x00 TTL=252 ID=65417 DF PROTO=TCP SPT=34388 DPT=80 WINDOW=26883 RES=0x00 SYN URGP=0                                                                                  
[240175.662060] CILIUM_PRE_raw:     IN=cilium_host OUT= MAC=66:70:85:22:a1:91:aa:6a:86:da:04:ac:08:00 SRC=192.168.94.61 DST=192.168.47.21 LEN=60 TOS=0x00 PREC=0x00 TTL=251 ID=65417 DF PROTO=TCP SPT=34388 DPT=80 WINDOW=26883 RES=0x00 SYN URGP=0 MARK=0xe83b0200                        
[240175.678050] CILIUM_PRE_mangle:  IN=cilium_host OUT= MAC=66:70:85:22:a1:91:aa:6a:86:da:04:ac:08:00 SRC=192.168.94.61 DST=192.168.47.21 LEN=60 TOS=0x00 PREC=0x00 TTL=251 ID=65417 DF PROTO=TCP SPT=34388 DPT=80 WINDOW=26883 RES=0x00 SYN URGP=0 MARK=0xe83b0200                        
[240175.694148] INPUT:              IN=cilium_host OUT= MAC=66:70:85:22:a1:91:aa:6a:86:da:04:ac:08:00 SRC=192.168.94.61 DST=192.168.47.21 LEN=60 TOS=0x00 PREC=0x00 TTL=251 ID=65417 DF PROTO=TCP SPT=34388 DPT=80 WINDOW=26883 RES=0x00 SYN URGP=0 MARK=0x200                             
[240175.709985] CILIUM_OUTPUT_raw:  IN= OUT=cilium_host SRC=192.168.47.21 DST=192.168.94.61 LEN=60 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=80 DPT=34388 WINDOW=26847 RES=0x00 ACK SYN URGP=0 MARK=0xa00                                                                           
[240175.722579] OUTPUT:             IN= OUT=cilium_host SRC=192.168.47.21 DST=192.168.94.61 LEN=60 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=80 DPT=34388 WINDOW=26847 RES=0x00 ACK SYN URGP=0 MARK=0xa00                                                                           
[240175.735015] CILIUM_POST_mangle: IN= OUT=cilium_host SRC=192.168.47.21 DST=192.168.94.61 LEN=60 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=80 DPT=34388 WINDOW=26847 RES=0x00 ACK SYN URGP=0 MARK=0xa00                                                                           
[240175.747619] CILIUM_PRE_raw:     IN=cilium_net OUT= MAC=8a:44:05:29:fe:05:66:70:85:22:a1:91:08:00 SRC=192.168.47.21 DST=192.168.94.61 LEN=60 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=80 DPT=34388 WINDOW=26847 RES=0x00 ACK SYN URGP=0                                         
[240175.762845] CILIUM_PRE_mangle:  IN=cilium_net OUT= MAC=8a:44:05:29:fe:05:66:70:85:22:a1:91:08:00 SRC=192.168.47.21 DST=192.168.94.61 LEN=60 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=80 DPT=34388 WINDOW=26847 RES=0x00 ACK SYN URGP=0                                         
[240175.778255] CILIUM_FORWARD:     IN=cilium_net OUT=eth1 MAC=8a:44:05:29:fe:05:66:70:85:22:a1:91:08:00 SRC=192.168.47.21 DST=192.168.94.61 LEN=60 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=80 DPT=34388 WINDOW=26847 RES=0x00 ACK SYN URGP=0                                     
[240175.793722] CILIUM_POST_mangle: IN= OUT=eth1 SRC=192.168.47.21 DST=192.168.94.61 LEN=60 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=80 DPT=34388 WINDOW=26847 RES=0x00 ACK SYN URGP=0                                                                                             
[240175.807333] CILIUM_PRE_raw:     IN=eth1 OUT= MAC=0a:8a:c1:c9:2f:00:0a:44:02:cb:2a:5e:08:00 SRC=192.168.94.61 DST=192.168.47.21 LEN=52 TOS=0x00 PREC=0x00 TTL=253 ID=65418 DF PROTO=TCP SPT=34388 DPT=80 WINDOW=211 RES=0x00 ACK URGP=0                                                 
[240175.820700] CILIUM_PRE_mangle:  IN=eth1 OUT= MAC=0a:8a:c1:c9:2f:00:0a:44:02:cb:2a:5e:08:00 SRC=192.168.94.61 DST=192.168.47.21 LEN=52 TOS=0x00 PREC=0x00 TTL=253 ID=65418 DF PROTO=TCP SPT=34388 DPT=80 WINDOW=211 RES=0x00 ACK URGP=0                                                 
[240175.834169] CILIUM_PRE_raw:     IN=eth1 OUT= MAC=0a:8a:c1:c9:2f:00:0a:44:02:cb:2a:5e:08:00 SRC=192.168.94.61 DST=192.168.47.21 LEN=148 TOS=0x00 PREC=0x00 TTL=253 ID=65419 DF PROTO=TCP SPT=34388 DPT=80 WINDOW=211 RES=0x00 ACK PSH URGP=0                                            
[240175.847866] CILIUM_PRE_mangle:  IN=eth1 OUT= MAC=0a:8a:c1:c9:2f:00:0a:44:02:cb:2a:5e:08:00 SRC=192.168.94.61 DST=192.168.47.21 LEN=148 TOS=0x00 PREC=0x00 TTL=253 ID=65419 DF PROTO=TCP SPT=34388 DPT=80 WINDOW=211 RES=0x00 ACK PSH URGP=0                                            
[240176.464183] CILIUM_PRE_raw:     IN=eth1 OUT= MAC=0a:8a:c1:c9:2f:00:0a:44:02:cb:2a:5e:08:00 SRC=192.168.94.61 DST=192.168.47.21 LEN=148 TOS=0x00 PREC=0x00 TTL=253 ID=65420 DF PROTO=TCP SPT=34388 DPT=80 WINDOW=211 RES=0x00 ACK PSH URGP=0                                            
[240176.478037] CILIUM_PRE_mangle:  IN=eth1 OUT= MAC=0a:8a:c1:c9:2f:00:0a:44:02:cb:2a:5e:08:00 SRC=192.168.94.61 DST=192.168.47.21 LEN=148 TOS=0x00 PREC=0x00 TTL=253 ID=65420 DF PROTO=TCP SPT=34388 DPT=80 WINDOW=211 RES=0x00 ACK PSH URGP=0                                            
[240176.730940] CILIUM_OUTPUT_raw:  IN= OUT=cilium_host SRC=192.168.47.21 DST=192.168.94.61 LEN=60 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=80 DPT=34388 WINDOW=26847 RES=0x00 ACK SYN URGP=0 MARK=0xa00                                                                           
[240176.743434] OUTPUT:             IN= OUT=cilium_host SRC=192.168.47.21 DST=192.168.94.61 LEN=60 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=80 DPT=34388 WINDOW=26847 RES=0x00 ACK SYN URGP=0 MARK=0xa00                                                                           
[240176.756019] CILIUM_POST_mangle: IN= OUT=cilium_host SRC=192.168.47.21 DST=192.168.94.61 LEN=60 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=80 DPT=34388 WINDOW=26847 RES=0x00 ACK SYN URGP=0 MARK=0xa00                                                                           
[240176.768717] CILIUM_PRE_raw:     IN=cilium_net OUT= MAC=8a:44:05:29:fe:05:66:70:85:22:a1:91:08:00 SRC=192.168.47.21 DST=192.168.94.61 LEN=60 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=80 DPT=34388 WINDOW=26847 RES=0x00 ACK SYN URGP=0                                         
[240176.784031] CILIUM_PRE_mangle:  IN=cilium_net OUT= MAC=8a:44:05:29:fe:05:66:70:85:22:a1:91:08:00 SRC=192.168.47.21 DST=192.168.94.61 LEN=60 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=80 DPT=34388 WINDOW=26847 RES=0x00 ACK SYN URGP=0                                         
[240176.799456] CILIUM_FORWARD:     IN=cilium_net OUT=eth1 MAC=8a:44:05:29:fe:05:66:70:85:22:a1:91:08:00 SRC=192.168.47.21 DST=192.168.94.61 LEN=60 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=80 DPT=34388 WINDOW=26847 RES=0x00 ACK SYN URGP=0                                     
[240176.814885] CILIUM_POST_mangle: IN= OUT=eth1 SRC=192.168.47.21 DST=192.168.94.61 LEN=60 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=80 DPT=34388 WINDOW=26847 RES=0x00 ACK SYN URGP=0                                                                                             
[240176.828098] CILIUM_PRE_raw:     IN=eth1 OUT= MAC=0a:8a:c1:c9:2f:00:0a:44:02:cb:2a:5e:08:00 SRC=192.168.94.61 DST=192.168.47.21 LEN=52 TOS=0x00 PREC=0x00 TTL=253 ID=65421 DF PROTO=TCP SPT=34388 DPT=80 WINDOW=211 RES=0x00 ACK URGP=0                                                 
[240176.947137] CILIUM_PRE_mangle:  IN=eth1 OUT= MAC=0a:8a:c1:c9:2f:00:0a:44:02:cb:2a:5e:08:00 SRC=192.168.94.61 DST=192.168.47.21 LEN=52 TOS=0x00 PREC=0x00 TTL=253 ID=65421 DF PROTO=TCP SPT=34388 DPT=80 WINDOW=211 RES=0x00 ACK URGP=0

Signed-off-by: Joe Stringer <joe@cilium.io>

joestringer · 2019-08-09T22:17:12Z

I've updated the PR to simplify it, this is easier to justify and it fixes the specific case that was reported.

Getting ingress policy to work in ENI mode across multiple nodes will require additional work.

joestringer · 2019-08-09T22:17:19Z

test-me-please

joestringer added pending-review area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. labels Aug 8, 2019

joestringer requested review from a team August 8, 2019 04:57

borkmann reviewed Aug 8, 2019

View reviewed changes

joestringer added wip and removed pending-review labels Aug 8, 2019

datapath: Enable host redirect in ENI mode

dea7a69

Signed-off-by: Joe Stringer <joe@cilium.io>

joestringer force-pushed the submit/eni-proxy branch from d9dd383 to dea7a69 Compare August 9, 2019 22:15

joestringer changed the title ~~Fix some L7 policy cases in ENI mode~~ Fix DNS egress L7 policy in ENI mode Aug 9, 2019

joestringer added pending-review and removed wip labels Aug 9, 2019

borkmann approved these changes Aug 9, 2019

View reviewed changes

ianvernon approved these changes Aug 10, 2019

View reviewed changes

ianvernon merged commit a96d7f4 into cilium:master Aug 10, 2019

joestringer deleted the submit/eni-proxy branch August 10, 2019 16:27

ianvernon mentioned this pull request Aug 12, 2019

v1.6 backports 2019-08-12 #8876

Merged

ianvernon added backport-pending/1.6 and removed needs-backport/1.6 labels Aug 12, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix DNS egress L7 policy in ENI mode#8837

Fix DNS egress L7 policy in ENI mode#8837
ianvernon merged 1 commit intocilium:masterfrom
joestringer:submit/eni-proxy

joestringer commented Aug 8, 2019 •

edited

Loading

Uh oh!

joestringer commented Aug 8, 2019

Uh oh!

coveralls commented Aug 8, 2019 •

edited

Loading

Uh oh!

borkmann left a comment

Uh oh!

tgraf commented Aug 8, 2019

Uh oh!

joestringer commented Aug 9, 2019 •

edited

Loading

Uh oh!

joestringer commented Aug 9, 2019

Uh oh!

joestringer commented Aug 9, 2019

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

Conversation

joestringer commented Aug 8, 2019 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

joestringer commented Aug 8, 2019

Uh oh!

coveralls commented Aug 8, 2019 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

borkmann left a comment

Choose a reason for hiding this comment

Uh oh!

tgraf commented Aug 8, 2019

Uh oh!

joestringer commented Aug 9, 2019 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

joestringer commented Aug 9, 2019

Uh oh!

joestringer commented Aug 9, 2019

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

joestringer commented Aug 8, 2019 •

edited

Loading

coveralls commented Aug 8, 2019 •

edited

Loading

joestringer commented Aug 9, 2019 •

edited

Loading