Skip to content

cilium: Enable plain IPIP/IP6IP6 termination #31213

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 7, 2024
Merged

cilium: Enable plain IPIP/IP6IP6 termination #31213

merged 1 commit into from
Mar 7, 2024

Conversation

borkmann
Copy link
Member

@borkmann borkmann commented Mar 6, 2024

(see commit desc)

@borkmann
cilium: Enable plain IPIP/IP6IP6 termination
0702e81 
Add a simple --enable-ipip-termination option for the agent which
creates the cilium_ipip{4,6} devices similarly as with lb-only mode,
but for the purpose that this does a straight-forward ipip decap for
incoming packets. All are in remote any local any. bpf_netdev pushes
these packets up the stack into the respective ipip devices which do
plain decap, and then travel further up into a corresponding socket.

  [...]
  5159: cilium_ipip4@NONE: <NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN mode DEFAULT group default
      link/ipip 0.0.0.0 brd 0.0.0.0 promiscuity 0 minmtu 0 maxmtu 0
      ipip external ipip remote any local any ttl inherit pmtudisc addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
  5160: cilium_ip6tnl@NONE: <NOARP> mtu 1452 qdisc noop state DOWN mode DEFAULT group default qlen 1000
      link/tunnel6 :: brd :: permaddr 7e74:1189:d86c:: promiscuity 0 minmtu 68 maxmtu 65407
      ip6tnl ip6ip6 remote any local any hoplimit inherit encaplimit 0 tclass 0x00 flowlabel 0x00000 addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
  5161: cilium_ipip6@NONE: <NOARP,UP,LOWER_UP> mtu 1452 qdisc noqueue state UNKNOWN mode DEFAULT group default
      link/tunnel6 :: brd :: permaddr a28:8495:68b8:: promiscuity 0 minmtu 68 maxmtu 65407
      ip6tnl external any remote any local any hoplimit inherit encaplimit 0 tclass 0x00 flowlabel 0x00000 addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
  4994: cilium_tunl@NONE: <NOARP> mtu 1480 qdisc noop state DOWN mode DEFAULT group default qlen 1000
      link/ipip 0.0.0.0 brd 0.0.0.0 promiscuity 0 minmtu 0 maxmtu 0
      ipip any remote any local any ttl inherit nopmtudisc numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
  [...]

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
@borkmann borkmann requested review from a team as code owners March 6, 2024 22:12
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Mar 6, 2024
@borkmann borkmann added the release-note/misc This PR makes changes that have no direct user impact. label Mar 6, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Mar 6, 2024
@borkmann borkmann added area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. feature/lb-only Impacts cilium running in lb-only datapath mode labels Mar 6, 2024
@borkmann borkmann requested review from mhofstetter and removed request for lmb and nathanjsweet March 6, 2024 22:14
@borkmann
Copy link
Member Author

borkmann commented Mar 6, 2024

/test

ldelossa
ldelossa approved these changes Mar 7, 2024
View reviewed changes
Copy link
Contributor

@ldelossa ldelossa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@borkmann borkmann added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Mar 7, 2024
@borkmann borkmann merged commit 726cde2 into main Mar 7, 2024
@borkmann borkmann deleted the pr/ipip-dev branch March 7, 2024 17:02
@maintainer-s-little-helper maintainer-s-little-helper bot removed the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Mar 7, 2024
@borkmann borkmann mentioned this pull request May 21, 2024
Closed
3 tasks
@borkmann borkmann mentioned this pull request Jun 12, 2024
Closed
@YakhontovYaroslav YakhontovYaroslav mentioned this pull request Jul 6, 2024
Closed
gyutaeb added a commit to gyutaeb/cilium that referenced this pull request Nov 22, 2024
@gyutaeb
bpf: Decapsulate External LB IPIP tunnel traffic for kube-proxy
eda6050 
When ENABLE_EXTLB_IPIP_TERMINATION is used as a build flag,
cil_from_netdev() decapsulate ipip tunnel traffic. The goal of this
decapsulation is cilium's kube-proxy can handle ipip tunnel traffic.

A test verifies that ENABLE_EXTLB_IPIP_TERMINATION  works as expected.
It creates an IPIP tunnel packet between loadbalancer and node.
And verifies that the packet is correctly terminated in cil_from_netdev.

Note: This feature is expected to be deprecated in the future
by cilium#31213

Signed-off-by: Gyutae Bae <gyu.8ae@gmail.com>
gyutaeb added a commit to gyutaeb/cilium that referenced this pull request Nov 22, 2024
@gyutaeb
bpf: Decapsulate External LB IPIP tunnel traffic for kube-proxy
141ca3d 
When ENABLE_EXTLB_IPIP_TERMINATION is used as a build flag,
cil_from_netdev() decapsulate ipip tunnel traffic. The goal of this
decapsulation is cilium's kube-proxy can handle ipip tunnel traffic.

A test verifies that ENABLE_EXTLB_IPIP_TERMINATION  works as expected.
It creates an IPIP tunnel packet between loadbalancer and node.
And verifies that the packet is correctly terminated in cil_from_netdev.

Note: This feature is expected to be deprecated in the future
by cilium#31213

Signed-off-by: Gyutae Bae <gyu.8ae@gmail.com>
gyutaeb added a commit to gyutaeb/cilium that referenced this pull request Nov 25, 2024
@gyutaeb
bpf: Decapsulate External LB IPIP tunnel traffic for kube-proxy
0cf501c 
When ENABLE_EXTLB_IPIP_TERMINATION is used as a build flag,
cil_from_netdev() decapsulate ipip tunnel traffic. The goal of this
decapsulation is cilium's kube-proxy can handle ipip tunnel traffic.

A test verifies that ENABLE_EXTLB_IPIP_TERMINATION  works as expected.
It creates an IPIP tunnel packet between loadbalancer and node.
And verifies that the packet is correctly terminated in cil_from_netdev.

Note: This feature is expected to be deprecated in the future
by cilium#31213

Signed-off-by: Gyutae Bae <gyu.8ae@gmail.com>
@gyutaeb gyutaeb mentioned this pull request Jan 7, 2025
Merged
8 tasks
@gyutaeb gyutaeb mentioned this pull request Jan 19, 2025
Closed
8 tasks
@gyutaeb gyutaeb mentioned this pull request Feb 2, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ldelossa ldelossa ldelossa approved these changes

@mhofstetter mhofstetter mhofstetter approved these changes

Assignees
No one assigned
Labels
area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. feature/lb-only Impacts cilium running in lb-only datapath mode release-note/misc This PR makes changes that have no direct user impact.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@borkmann @ldelossa @mhofstetter