datapath: Fix double SNAT #25189
Please keep the IPv6 path in sync :)
Unfortunately, atm no BPF-based SNAT for IPv6 😭
uh, what about host-originating connections vs Nodeport NAT ports? I believe we should add the same thing in
We have observed that the same packet can be handled multiple times by
the bpf_host's to-netdev. This can happen when the to-netdev is attached
to a bridge and to an outgoing netdev which is attached to the bridge.
This can result, e.g., in multiple unnecessary SNATs for the same
packet, which can break the host-firewall (the host-firewall for a reply
to such a packet is invoked after only the first rev-SNAT).

To fix that particular case, set the SNAT done flag (an SKB mark).

Tested manually. On kind-worker node (172.18.0.3):

    ip link add br0 type bridge
    ip addr add 172.18.0.3/16 dev br0
    ip addr del 172.18.0.3/16 dev eth0
    ip link set dev br0 up
    ip link set dev eth0 master br0
    ip route replace 0.0.0.0/0 via 172.18.0.1

Make sure that Cilium is attached to both:

    cilium status | grep KubeProxy
    KubeProxyReplacement:   Strict   [br0 172.18.0.3, eth0 172.18.0.3]

Then start any pod on kind-worker, and run tcpdump on kind-worker. curl
1.1.1.1 from that pod.

    tcpdump -i any -n 'dst port 80'
    lxc2663158aafe1 In  IP 10.244.1.161.43710 > 1.1.1.1.80: Flags [S]
    br0   Out IP 172.18.0.3.43710 > 1.1.1.1.80: Flags [S]
    eth0  Out IP 172.18.0.3.43710 > 1.1.1.1.80: Flags [S]

Redo the same test w/o the fix. The relevant tcpdump output:

    tcpdump -i any -n 'dst host 1.1.1.1'
    lxcbce3c2f349e1 In  IP 10.244.1.120.57408 > 1.1.1.1.80: Flags [S]
    br0   Out IP 172.18.0.3.57408 > 1.1.1.1.80: Flags [S]
    eth0  Out IP 172.18.0.3.56763 > 1.1.1.1.80: Flags [S] <-- 2nd SNAT!

Suggested-by: Julian Wiedmann <jwi@isovalent.com>
Signed-off-by: Martynas Pumputis <m@lambda.lt>
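The commit message verifies the fix by reading the tcpdump output by eye. The following is an added helper (not part of this PR or of Cilium) that automates that check: it parses `tcpdump -i any -n` lines, groups each pod-ingress packet (`In` on an `lxc*` device) with the `Out` lines that follow it, and flags a packet whose egress source tuple differs between devices, which is exactly the double-SNAT symptom. The sample lines are constructed after the two captures above; the real tcpdump output carries more fields (timestamps, seq numbers), which the regex ignores.

```python
import re

# Constructed samples modelled on the two captures in the commit message:
# one SYN leaving a pod via lxc -> br0 -> eth0, with and without the fix.
FIXED = """\
lxc2663158aafe1 In  IP 10.244.1.161.43710 > 1.1.1.1.80: Flags [S]
br0   Out IP 172.18.0.3.43710 > 1.1.1.1.80: Flags [S]
eth0  Out IP 172.18.0.3.43710 > 1.1.1.1.80: Flags [S]
"""
BROKEN = """\
lxcbce3c2f349e1 In  IP 10.244.1.120.57408 > 1.1.1.1.80: Flags [S]
br0   Out IP 172.18.0.3.57408 > 1.1.1.1.80: Flags [S]
eth0  Out IP 172.18.0.3.56763 > 1.1.1.1.80: Flags [S]
"""

# device, direction, "IP", src.port > dst.port:  (anything after the colon is ignored)
LINE = re.compile(r"^(\S+)\s+(In|Out)\s+IP\s+(\S+)\.(\d+)\s+>\s+(\S+)\.(\d+):")


def parse(text):
    """Yield (dev, direction, src_ip, src_port, dst_ip, dst_port) for each tcpdump line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield m[1], m[2], m[3], int(m[4]), m[5], int(m[6])


def find_double_snat(text):
    """Return [(pod_flow, {egress_dev: (src_ip, src_port)})] for every packet that
    left the node with more than one distinct source tuple, i.e. was SNATed twice."""
    findings = []
    current = None  # (pod flow 4-tuple, {egress dev: source tuple seen there})
    for dev, direction, sip, sport, dip, dport in parse(text):
        if direction == "In" and dev.startswith("lxc"):
            # A new packet entering from a pod starts a new traversal group.
            if current is not None:
                findings.extend(_check(*current))
            current = ((sip, sport, dip, dport), {})
        elif direction == "Out" and current is not None:
            current[1][dev] = (sip, sport)
    if current is not None:
        findings.extend(_check(*current))
    return findings


def _check(pod_flow, egress):
    # With a single SNAT every egress device shows the same translated tuple.
    return [(pod_flow, dict(egress))] if len(set(egress.values())) > 1 else []
```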
/test
The
Fix #24916