connectivity: add forbidden ICMPv6 message as expected drop reason #2317

Merged 1 commit on Feb 23, 2024

giorio94
Member

When host firewall is enabled, we automatically drop certain ICMPv6 messages according to RFC4890 recommendations. Let's add that drop reason to the default list of expected ones, as possibly generated in legitimate cases, independently from Cilium.

As a special case, an ICMPv6 redirect message can be also triggered when Cilium is first installed on a node, the host firewall is enabled and KPR is disabled, a workload endpoint gets created before the host endpoint (e.g., the health one), and a remote node tries to talk to it. Indeed, the reply is passed to the stack, which is then unable to redirect it through the tunnel as the BPF program has not yet been loaded.

Related: cilium/cilium#30818

When host firewall is enabled, we automatically drop certain ICMPv6
messages according to RFC4890 recommendations. Let's add that drop
reason to the default list of expected ones, as possibly generated
in legitimate cases, independently from Cilium.

As a special case, an ICMPv6 redirect message can be also triggered
when Cilium is first installed on a node, the host firewall is
enabled and KPR is disabled, a workload endpoint gets created before
the host endpoint (e.g., the health one), and a remote node tries to
talk to it. Indeed, the reply is passed to the stack, which is then
unable to redirect it through the tunnel as the BPF program has not
yet been loaded.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
giorio94 marked this pull request as ready for review February 22, 2024 08:49
giorio94 requested a review from a team as a code owner February 22, 2024 08:49
Contributor

derailed left a comment

@giorio94 LGTM

maintainer-s-little-helper bot added the ready-to-merge label ("This PR has passed all tests and received consensus from code owners to merge.") Feb 22, 2024
sayboras merged commit 7d215a7 into cilium:main Feb 23, 2024
13 checks passed