@jrajahalme jrajahalme commented Feb 21, 2020

In non-tunneled datapath modes a missing xt_socket module breaks proxy
redirection traffic. xt_socket is needed due to
interaction between kernel's ip early demux logic and an explicit drop
for skbs with a socket set in ip_forward(). If xt_socket is not
available we can work around this problem by disabling ip early demux.

Add a cilium configuration option 'enable-xt-socket-fallback' which is
'true' by default, meaning that cilium-agent is allowed to disable ip
early demux if needed. This new option can be set to false to retain
the current behavior (== ip early demux is not disabled, but Cilium
policy enforcement may not function correctly in all datapath modes
with L7 enforcement or visibility).

Signed-off-by: Jarno Rajahalme <jarno@covalent.io>

Fallback mode for a missing `xt_socket` kernel module is added where kernel's IP early demux functionality is disabled. This fallback is enabled by default if it is needed for correct policy enforcement and visibility functionality. This fallback may be disabled by setting `enable-xt-socket-fallback=false`.

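The fallback decision the description above spells out, written up as an added Go illustration rather than Cilium's own code: the `iptables -m socket` probe, the sysctl name `net.ipv4.ip_early_demux` and the injectable procfs root are assumptions made for this example.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

const earlyDemuxSysctl = "net.ipv4.ip_early_demux" // sysctl the fallback toggles (assumed name)

// xtSocketAvailable probes the iptables "socket" match; the probe is an assumption, it fails when xt_socket cannot load.
func xtSocketAvailable() bool {
	return exec.Command("iptables", "-m", "socket", "-h").Run() == nil
}

// Decision rule from the PR text: disable early demux only if xt_socket is missing and the fallback is enabled.
func needEarlyDemuxDisable(haveSocketMatch, fallbackEnabled bool) bool {
	return !haveSocketMatch && fallbackEnabled
}

// sysctlPath maps a dotted sysctl name under procRoot (normally /proc/sys; injectable to run unprivileged).
func sysctlPath(procRoot, name string) string {
	return filepath.Join(procRoot, filepath.FromSlash(strings.ReplaceAll(name, ".", "/")))
}

// applyXTSocketFallback returns true only when it actually disabled IP early demux; otherwise the sysctl is untouched.
func applyXTSocketFallback(procRoot string, haveSocketMatch, fallbackEnabled bool) (bool, error) {
	if !needEarlyDemuxDisable(haveSocketMatch, fallbackEnabled) {
		return false, nil // xt_socket present or fallback off: keep current behavior
	}
	p := sysctlPath(procRoot, earlyDemuxSysctl)
	cur, err := os.ReadFile(p)
	if err != nil {
		return false, err
	}
	if strings.TrimSpace(string(cur)) == "0" {
		return false, nil // already disabled, nothing to do
	}
	if err := os.WriteFile(p, []byte("0\n"), 0o644); err != nil {
		return false, fmt.Errorf("disabling %s: %w", earlyDemuxSysctl, err)
	}
	return true, nil
}

func main() {
	disabled, err := applyXTSocketFallback("/proc/sys", xtSocketAvailable(), true)
	fmt.Println("ip early demux disabled:", disabled, "err:", err)
}
```

Running it against the real /proc/sys requires root; the test below exercises the same logic on a constructed procfs tree.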

@jrajahalme jrajahalme added area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. area/proxy Impacts proxy components, including DNS, Kafka, Envoy and/or XDS servers. labels Feb 21, 2020
@jrajahalme jrajahalme requested review from a team February 21, 2020 23:31
@maintainer-s-little-helper

Release note label not set, please set the appropriate release note.


```go
	haveIp6tables   bool
	haveSocketMatch bool
	waitArgs        []string
	haveIp6tables   bool
```


struct field haveIp6tables should be haveIP6tables

@jrajahalme jrajahalme added release-note/minor This PR changes functionality that users may find relevant to operating Cilium. and removed dont-merge/needs-release-note labels Feb 21, 2020
@jrajahalme
Member Author

test-me-please

@jrajahalme jrajahalme force-pushed the pr/jrajahalme/ip-early-demux-disable branch from f3bd304 to f7dbd53 Compare February 21, 2020 23:42
@jrajahalme jrajahalme requested a review from a team as a code owner February 21, 2020 23:42
@jrajahalme
Member Author

test-me-please

@jrajahalme jrajahalme added needs-backport/1.6 kind/bug This is a bug in the Cilium logic. labels Feb 21, 2020
@coveralls

coveralls commented Feb 21, 2020

Coverage decreased (-0.05%) to 45.465% when pulling b8a25e9 on pr/jrajahalme/ip-early-demux-disable into 43f7824 on master.

Member

@tgraf tgraf left a comment


LGTM. Please add a note in the docs as well.

Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
@jrajahalme
Member Author

Added docs.

@jrajahalme jrajahalme requested a review from aanm February 24, 2020 18:52
@jrajahalme
Member Author

test-me-please

@jrajahalme
Member Author

jrajahalme commented Feb 24, 2020

k8s could not terminate pods before timing out, retesting.

https://jenkins.cilium.io/job/Cilium-PR-Ginkgo-Tests-Validated/17447/execution/node/178/log/

@jrajahalme
Member Author

test-me-please

Member

@joestringer joestringer left a comment


I have a few suggestions to streamline the docs below.

@jrajahalme
Member Author

Issued #10325 to fix the Istio PODs lingering problem now plaguing k8s 1.17.

@jrajahalme
Member Author

test-docs-please

@jrajahalme
Member Author

test-me-please

@aanm
Member

aanm commented Feb 25, 2020

test-me-please
