v1.8 backports 2021-03-23 #15440
Merged
v1.8 backports 2021-03-23 #15440
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[ upstream commit 18d64a4 ] This commit adds support for the "misc" features reported by bpftool. This is exposed by the ProbeManager object through the GetMisc() method. Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> Signed-off-by: Paul Chaignon <paul@cilium.io>
[ upstream commit 49aac62 ] relax_verifier() is a dummy helper call to introduce a pruning checkpoint to help relax the verifier to avoid reaching complexity limits on older kernels. Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> Signed-off-by: Paul Chaignon <paul@cilium.io>
[ upstream commit bb001bd ] Replace the call to `csum_diff` with `get_smp_processor_id()` as with the latter we can avoid having to init r1-r5 registers. Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> Signed-off-by: Paul Chaignon <paul@cilium.io>
[ upstream commit e9bf184 ] This commit reduces the complexity of the "to-container" section by introducing a few state pruning points with the help of relax_verifier(). Pruning points have been determined by looking at the instructions that the verifier is spending the most passes on. Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> Signed-off-by: Paul Chaignon <paul@cilium.io>
[ upstream commit 52cd6da ] When an endpoint connects to itself via service clusterIP, we hairpin the flow using a loopback IP address (configured using ipv4-service-loopback-address). The destination clusterIP (on egress) and loopback IP (on ingress) map to unexpected identities. As a result, policy enforcement fails and the packet is dropped. This is visible in the cilium monitor output: <- endpoint 1844 flow 0x96c8d52 identity 55108->unknown state new ifindex 0 orig-ip 0.0.0.0: 10.12.0.123:58242 -> 172.20.0.130:80 tcp SYN Policy verdict log: flow 0x96c8d52 local EP ID 1844, remote ID world, proto 6, egress, action deny, match none, 169.254.42.1:58242 -> 10.12.0.123:80 tcp SYN Since we don't want to enforce policies anyway for the loopback traffic, this commit skips policy enforcements in that case. Co-authored-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Aditi Ghag <aditi@cilium.io> Signed-off-by: Paul Chaignon <paul@cilium.io>
|
test-backport-1.8 |
joestringer
approved these changes
Mar 23, 2021
jibi
approved these changes
Mar 24, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
relax_verifier().@joestringer I didn't set backport labels for #13347 because the "feature" introduced by that PR isn't backported here. Is it the right way to proceed?
Once this PR is merged, you can update the PR labels via: