bpf: Support proxy upstream connections with original source address/port by jrajahalme · Pull Request #8870 · cilium/cilium

jrajahalme · 2019-08-12T08:18:51Z

Allow Envoy egress proxies to use the original source address and port in the upstream connections. This allows destination node to map the source IP to the policy ID. Egress Kafka is not supported yet, as Kafka only works for ingress at the moment. DNS proxy (always egress) support for original source address is left for a follow-up PR.

This change is

jrajahalme · 2019-08-12T08:29:53Z

test-me-please

jrajahalme · 2019-08-13T18:45:55Z

test-me-please

jrajahalme · 2019-08-13T23:42:20Z

test-me-please

joestringer

I took a quick look over the changes, and I'm a bit surprised by some of them, questions below.

joestringer · 2019-08-13T23:57:19Z

(Note, not a question): These rules overlap with the same ones being added in #8864.

Right, will rebase on top of #8864 when it merges.

joestringer · 2019-08-14T00:00:59Z

The comment says "ingress proxy" but the code below is setting the mark for egress proxy too..?[0]

reply direction traffic from an LXC, if going to a local proxy, is for the ingress proxy. Original direction traffic from an LXC, if going to a local proxy, if for the egress proxy :-)

jrajahalme · 2019-08-14T19:04:27Z

test-me-please

coveralls · 2019-08-14T19:27:28Z

Coverage decreased (-0.05%) to 44.16% when pulling ba81061 on pr/jrajahalme/envoy-avoid-bpf-warnings-on-sidecars into 3439d88 on master.

joestringer · 2019-08-14T21:10:31Z

Works like a charm in my cluster with egress + ingress HTTP policy.

houndci-bot · 2019-08-15T01:02:09Z

var sourceIp should be sourceIP

jrajahalme · 2019-08-15T01:03:04Z

test-me-please

jrajahalme · 2019-08-15T01:08:45Z

Using the original source address for the dns proxy may be a stretch. Basic problem that two consecutive requests from the same source address:port will cause two client sockets to be opened, now with the same address:port, and the second one failed with bind: address already in use. I'm testing if SO_REUSEADDR makes any difference, but still miekg/dns expects the response to arrive on the same socket as the request was sent on, so even if two sockets could bind to the same address, it likely does not work.

A proper solution would use one socket for each source address:port, and then multiplex multiple queries on top of it.

jrajahalme · 2019-08-15T01:13:47Z

It may be better to split the DNS proxy changes to a separate follow-on PR, as it seems to be needing more work.

Add a 'proxy_redirect' bit to the conntrack entry so that the reply direction packets on proxy upstream connections using the original source address and port in addition to the original destination address and port can be redirected back to the local stack for local delivery. iptables rules are added to mark packets matching a transparent socket as going to the host proxy. Signed-off-by: Jarno Rajahalme <jarno@covalent.io>

jrajahalme · 2019-08-15T18:44:32Z

Split out the DNS proxy changes to a follow-on PR so that the egress Envoy L7 support can be shipped.

jrajahalme · 2019-08-15T18:44:37Z

test-me-please

jrajahalme added the wip label Aug 12, 2019

jrajahalme requested a review from a team August 12, 2019 08:18

jrajahalme requested a review from a team as a code owner August 12, 2019 08:18

jrajahalme force-pushed the pr/jrajahalme/envoy-avoid-bpf-warnings-on-sidecars branch from 9122630 to fd1092e Compare August 12, 2019 08:24

jrajahalme force-pushed the pr/jrajahalme/envoy-avoid-bpf-warnings-on-sidecars branch from fd1092e to d27771b Compare August 13, 2019 18:44

jrajahalme force-pushed the pr/jrajahalme/envoy-avoid-bpf-warnings-on-sidecars branch from d27771b to 9843f41 Compare August 13, 2019 23:41

jrajahalme requested a review from a team August 13, 2019 23:41

joestringer requested changes Aug 14, 2019

View reviewed changes

jrajahalme force-pushed the pr/jrajahalme/envoy-avoid-bpf-warnings-on-sidecars branch 2 times, most recently from 8dbb373 to c9fd511 Compare August 14, 2019 19:04

joestringer approved these changes Aug 14, 2019

View reviewed changes

houndci-bot reviewed Aug 15, 2019

View reviewed changes

Comment thread pkg/fqdn/dnsproxy/proxy.go Outdated

Copy link
Copy Markdown

houndci-bot Aug 15, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

var sourceIp should be sourceIP

jrajahalme force-pushed the pr/jrajahalme/envoy-avoid-bpf-warnings-on-sidecars branch from cc5459c to ba81061 Compare August 15, 2019 18:41

jrajahalme changed the title ~~WIP: Support proxy upstream connections with original source address/port~~ bpf: Support proxy upstream connections with original source address/port Aug 15, 2019

jrajahalme added area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. needs-backport/1.6 and removed wip labels Aug 15, 2019

jrajahalme mentioned this pull request Aug 15, 2019

bpf: Support proxy using original source address and port. #8923

Merged

jrajahalme added backport-pending/1.6 and removed needs-backport/1.6 labels Aug 15, 2019

ianvernon merged commit 830adba into master Aug 15, 2019

ianvernon deleted the pr/jrajahalme/envoy-avoid-bpf-warnings-on-sidecars branch August 15, 2019 22:58

ianvernon added backport-done/1.6 and removed backport-pending/1.6 labels Aug 15, 2019

joestringer mentioned this pull request Aug 16, 2019

Fix L7 ingress proxy iptables redirects in direct routing mode #8864

Closed

Conversation

jrajahalme commented Aug 12, 2019 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

jrajahalme commented Aug 12, 2019

Uh oh!

jrajahalme commented Aug 13, 2019

Uh oh!

jrajahalme commented Aug 13, 2019

Uh oh!

joestringer left a comment

Choose a reason for hiding this comment

Uh oh!

joestringer Aug 13, 2019 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

jrajahalme Aug 14, 2019

Choose a reason for hiding this comment

Uh oh!

joestringer Aug 14, 2019

Choose a reason for hiding this comment

Uh oh!

jrajahalme Aug 14, 2019 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

jrajahalme commented Aug 14, 2019

Uh oh!

coveralls commented Aug 14, 2019 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

joestringer commented Aug 14, 2019 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

houndci-bot Aug 15, 2019

Choose a reason for hiding this comment

Uh oh!

jrajahalme commented Aug 15, 2019

Uh oh!

jrajahalme commented Aug 15, 2019

Uh oh!

jrajahalme commented Aug 15, 2019

Uh oh!

jrajahalme commented Aug 15, 2019

Uh oh!

jrajahalme commented Aug 15, 2019

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

jrajahalme commented Aug 12, 2019 •

edited

Loading

joestringer Aug 13, 2019 •

edited

Loading

jrajahalme Aug 14, 2019 •

edited

Loading

coveralls commented Aug 14, 2019 •

edited

Loading

joestringer commented Aug 14, 2019 •

edited

Loading