Skip to content

Revert "daemon: Forbid IPv6 BPF masquerading with the host firewall" #31511

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 21, 2024
Merged

Revert "daemon: Forbid IPv6 BPF masquerading with the host firewall" #31511

merged 1 commit into from
Mar 21, 2024

Conversation

qmonnet
Copy link
Member

@qmonnet qmonnet commented Mar 19, 2024

This reverts commit 934e1f2.

Since commit 9c1031e ("bpf: fix missing ipv6 ct entry for snated traffic"), IPv6 BPF masquerading and the host firewall are compatible in the datapath. Let's allow them to be used together, and use the combination in tests.

CC: @oblazek
Supersedes: #26323

Allow the Host Firewall and IPv6 BPF masquerading to be used together.

@qmonnet
Revert "daemon: Forbid IPv6 BPF masquerading with the host firewall"
5a2f5d0 
This reverts commit 934e1f2.

Since commit 9c1031e ("bpf: fix missing ipv6 ct entry for snated
traffic"), IPv6 BPF masquerading and the host firewall are compatible in
the datapath. Let's allow them to be used together, and use the
combination in tests.

Signed-off-by: Quentin Monnet <qmo@qmon.net>
@qmonnet qmonnet added area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. release-note/minor This PR changes functionality that users may find relevant to operating Cilium. area/host-firewall Impacts the host firewall or the host endpoint. ci/host-firewall This label enables the host firewall by default in all CI tests. feature/ipv6 Relates to IPv6 protocol support feature/snat Relates to SNAT or Masquerading of traffic labels Mar 19, 2024
@qmonnet qmonnet requested a review from julianwiedmann March 19, 2024 17:49
@qmonnet qmonnet requested review from a team as code owners March 19, 2024 17:49
@qmonnet
Copy link
Member Author

qmonnet commented Mar 19, 2024

/test

julianwiedmann
julianwiedmann reviewed Mar 20, 2024
View reviewed changes
@julianwiedmann
Copy link
Member

julianwiedmann commented Mar 20, 2024
edited
Loading

Since commit 9c1031e ("bpf: fix missing ipv6 ct entry for snated traffic"), IPv6 BPF masquerading and the host firewall are compatible in the datapath. Let's allow them to be used together, and use the combination in tests.

From what I remember in #23165, we were concerned about HostFW and IPv6 BPF Masq interacting.

But turns out the problematic interaction was for HostFW and iptables Masquerading (ie. when BPF Masq is disabled). This is what #28813 fixed. So afaik there were no actual problems for HostFW and IPv6 BPF Masq, and 👍 on allowing this combo.

We could even backport, but at this point I don't see the need.

This was referenced Mar 20, 2024
Closed
Merged
Merged
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Mar 21, 2024
@nathanjsweet nathanjsweet added this pull request to the merge queue Mar 21, 2024
Merged via the queue into main with commit cfed66e Mar 21, 2024
@nathanjsweet nathanjsweet deleted the pr/qmonnet/masq6-hfw branch March 21, 2024 17:12
@julianwiedmann julianwiedmann mentioned this pull request Apr 2, 2024
Open
15 tasks
julianwiedmann added a commit that referenced this pull request Jul 10, 2024
@julianwiedmann
gh: cilium-config: enable IPv6 BPF Masquerade with HostFW
579df25 
#31511 enabled the combination of
HostFW with IPv6 BPF Masquerading. Reflect this in the cilium-config
action.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@julianwiedmann julianwiedmann mentioned this pull request Jul 10, 2024
Merged
github-merge-queue bot pushed a commit that referenced this pull request Jul 10, 2024
@julianwiedmann
gh: cilium-config: enable IPv6 BPF Masquerade with HostFW
e2b5a79 
#31511 enabled the combination of
HostFW with IPv6 BPF Masquerading. Reflect this in the cilium-config
action.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
giorio94 pushed a commit that referenced this pull request Jul 15, 2024
@julianwiedmann @giorio94
gh: cilium-config: enable IPv6 BPF Masquerade with HostFW
4fc451e 
[ upstream commit e2b5a79 ]

#31511 enabled the combination of
HostFW with IPv6 BPF Masquerading. Reflect this in the cilium-config
action.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
giorio94 pushed a commit that referenced this pull request Jul 15, 2024
@julianwiedmann @giorio94
gh: cilium-config: enable IPv6 BPF Masquerade with HostFW
811c840 
[ upstream commit e2b5a79 ]

#31511 enabled the combination of
HostFW with IPv6 BPF Masquerading. Reflect this in the cilium-config
action.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
@sebastiangaiser
Copy link
Contributor

Hey @qmonnet @julianwiedmann , would it be possible to backport this to 1.15? We're currently facing problems when upgrading from a custom build image (based on 1.15.6 with this fix in it) to 1.16.

@qmonnet
Copy link
Member Author

qmonnet commented Oct 18, 2024

@sebastiangaiser This is not something that we expect to backport at the moment (see the backport criteria). I don't remember testing IPv6 masquerading with the Host Firewall on v1.15 so I'm not super keen.

What's your problem, and how would backporting to 1.15 solve it (considering you already have this commit in your own image, from what I understand)?

@sebastiangaiser
Copy link
Contributor

@qmonnet thank you for your answer. We're facing level=fatal msg="IPv6 BPF masquerade is not supported along with the host firewall." subsys=daemon since 1.15.6. So we decided to build our own image with this fix in it and hoped that it would get fixed in a later 1.15 version. After that, 1.16 was released which fixed the ipv6 masquerade problem but caused other issues for us. IIRC upgrades from one minor to the next are tested and supported only from the latest patch version which we try to do here.
So backporting this would allow us to follow that process.
I hope this was not written in an unmeaning full way.

@qmonnet
Copy link
Member Author

qmonnet commented Oct 18, 2024

Thank you, I see, but I'm still reluctant to backporting a new feature (or even the possibility to activate it) on v1.15. Given that you based your workflow on custom images, you're “outside” of the regular support path, and it's hard to justify making an exception here. How hard would it be to carry on the commit to a custom image based on the latest 1.15 release on your side? From there you should be able to move on to 1.16?

@sebastiangaiser sebastiangaiser mentioned this pull request Oct 22, 2024
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@julianwiedmann julianwiedmann julianwiedmann approved these changes

@nathanjsweet nathanjsweet nathanjsweet approved these changes

@tklauser tklauser tklauser approved these changes

Assignees
No one assigned
Labels
area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. area/host-firewall Impacts the host firewall or the host endpoint. ci/host-firewall This label enables the host firewall by default in all CI tests. feature/ipv6 Relates to IPv6 protocol support feature/snat Relates to SNAT or Masquerading of traffic ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/minor This PR changes functionality that users may find relevant to operating Cilium.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@qmonnet @julianwiedmann @sebastiangaiser @nathanjsweet @tklauser