Skip to content

Support host firewall with IPv6 BPF masquerading #26323

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 3 commits into from
Closed

Support host firewall with IPv6 BPF masquerading #26323

wants to merge 3 commits into from

Conversation

qmonnet
Copy link
Member

@qmonnet qmonnet commented Jun 16, 2023
edited
Loading

[In progress]

@qmonnet qmonnet added area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. release-note/minor This PR changes functionality that users may find relevant to operating Cilium. labels Jun 16, 2023
@qmonnet qmonnet mentioned this pull request Jun 16, 2023
Open
15 tasks
@qmonnet qmonnet force-pushed the pr/ipv6-masq-host-fw branch from d02b75b to 82c51cb Compare June 16, 2023 22:08
@qmonnet
Copy link
Member Author

qmonnet commented Jun 16, 2023

/test

@qmonnet qmonnet force-pushed the pr/ipv6-masq-host-fw branch 2 times, most recently from bddad09 to afce03c Compare June 23, 2023 20:19
@qmonnet qmonnet added the dont-merge/wait-until-release Freeze window for current release is blocking non-bugfix PRs label Jun 27, 2023
qmonnet added 3 commits June 27, 2023 09:36
@qmonnet
bpf: host: Rename whitelist_snated_egress_connections()
d6d8d85 
Function whitelist_snated_egress_connections() allows responses to
SNATed packets to come through without enforcing the host policy. So
far, only the IPv4 path has used this; but IPv6 support is coming and
will need an equivalent function.

In preparation for that, let's prefix the function name with "ipv4_".
Since we're at it, let's also replace the "whitelist" by a more neutral
term.

We also fix references in comments, including where they wrongly refer
to ipv4_host_policy_egress().

Signed-off-by: Quentin Monnet <quentin@isovalent.com>
@qmonnet
bpf: host: Bypass host firewall for IPv6 kube-proxy SNATed connections
55018f8 
If kube-proxy is in use (no BPF-based masquerading), packets from pods
may be SNATed. The response packet will therefore have a host IP as the
destination IP. This was addressed for IPv4 in commit dc6a065
("bpf: Bypass host fw for kube-proxy SNATed connections"). Now that we
have support for IPv6 masquerading (currently not allowed with host
firewall), we must replicate the same behaviour on the IPv6 path.

Signed-off-by: Quentin Monnet <quentin@isovalent.com>
@qmonnet
Revert "daemon: Forbid IPv6 BPF masquerading with the host firewall"
699afe2 
This reverts commit 934e1f2.

Now that we have updated the host firewall code to make it compatible
with IPv6 BPF masquerade, we can enable the two features together.

Signed-off-by: Quentin Monnet <quentin@isovalent.com>
@qmonnet qmonnet force-pushed the pr/ipv6-masq-host-fw branch from afce03c to 699afe2 Compare June 27, 2023 08:36
@joestringer joestringer removed the dont-merge/wait-until-release Freeze window for current release is blocking non-bugfix PRs label Jul 5, 2023
@qmonnet qmonnet added feature/ipv6 Relates to IPv6 protocol support feature/snat Relates to SNAT or Masquerading of traffic area/host-firewall Impacts the host firewall or the host endpoint. labels Jul 28, 2023
@github-actions
Copy link

This pull request has been automatically marked as stale because it
has not had recent activity. It will be closed if no further activity
occurs. Thank you for your contributions.

@github-actions github-actions bot added the stale The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale. label Aug 28, 2023
@github-actions
Copy link

This pull request has not seen any activity since it was marked stale.
Closing.

@github-actions github-actions bot closed this Sep 11, 2023
@qmonnet qmonnet reopened this Sep 11, 2023
@qmonnet qmonnet removed the stale The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale. label Sep 11, 2023
@qmonnet qmonnet added the pinned These issues are not marked stale by our issue bot. label Oct 10, 2023
@aanm aanm added dont-merge/blocked Another PR must be merged before this one. dont-merge/wait-until-release Freeze window for current release is blocking non-bugfix PRs and removed dont-merge/blocked Another PR must be merged before this one. labels Dec 4, 2023
@joestringer joestringer removed the dont-merge/wait-until-release Freeze window for current release is blocking non-bugfix PRs label Dec 15, 2023
@glennpratt
Copy link

@qmonnet is it time to merge this?

@qmonnet
Copy link
Member Author

qmonnet commented Feb 29, 2024

The PR needs a rebase, plus some validation from people more familiar with the host firewall than I am. Maybe some CI coverage as well. I do intend to come back to this at some point, but no ETA.

@qmonnet
Copy link
Member Author

qmonnet commented Mar 19, 2024

Completed in #28813 - Although we could merge the test updates from the current PR, too.

@qmonnet qmonnet mentioned this pull request Mar 19, 2024
Merged
@qmonnet
Copy link
Member Author

qmonnet commented Mar 20, 2024

Now superseded by #31511

@qmonnet qmonnet closed this Mar 20, 2024
@qmonnet qmonnet deleted the pr/ipv6-masq-host-fw branch March 20, 2024 09:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. area/host-firewall Impacts the host firewall or the host endpoint. feature/ipv6 Relates to IPv6 protocol support feature/snat Relates to SNAT or Masquerading of traffic pinned These issues are not marked stale by our issue bot. release-note/minor This PR changes functionality that users may find relevant to operating Cilium.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@qmonnet @glennpratt @joestringer @aanm