Skip to content

Pr/gray/1.15/egress proxy ipsec fix2 #31975

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 7 commits into from
Closed

Pr/gray/1.15/egress proxy ipsec fix2 #31975

wants to merge 7 commits into from

Conversation

jschwinger233
Copy link
Member

Please ensure your pull request adheres to the following guidelines:

  • For first time contributors, read Submitting a pull request
  • All code is covered by unit and/or runtime tests where feasible.
  • All commits contain a well written commit description including a title,
    description and a Fixes: #XXX line if the commit addresses a particular
    GitHub issue.
  • If your commit description contains a Fixes: <commit-id> tag, then
    please add the commit author[s] as reviewer[s] to this issue.
  • All commits are signed off. See the section Developer’s Certificate of Origin
  • Provide a title or release-note blurb suitable for the release notes.
  • Are you a user of Cilium? Please add yourself to the Users doc
  • Thanks for contributing!

Fixes: #issue-number

<!-- Enter the release note text here if needed or remove this section! -->

giorio94 and others added 7 commits April 16, 2024 10:39
@giorio94 @jschwinger233
conformance-ipsec-e2e: add leaked unencrypted packets check
eb91262 
Extend the conformance-ipsec-e2e GHA workflow to additionally check that
we don't leak any unencrypted packets during the connectivity test.
This aims to complement the validation already performed as part of
the connectivity tests by the Cilium CLI.

Specifically, we leverage bpftrace to analyze the packets forwarded by
the bridge device (used by kind), and report those that are not encrypted.
We flag packets with both the source and the destination belonging to
the IPv4/6 PodCIDR, and we consider the inner headers if packets are
encapsulated. In this case, we additionally skip packets originating
or targeting CiliumInternalIP addresses (as these are used for node-to-pod
traffic when running in tunnel mode, which is not encrypted by design).

Extra checks are finally added to always include packets originating
from the L7 and DNS proxies, as their source IP is not that of a pod.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
@giorio94 @jschwinger233
bpftrace: install from release instead that using apt
7efce92 
So that we can install the version we want.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
(cherry picked from commit feaba5a3989700b606f0fe765e11cfc4a7852888)
@julianwiedmann @jschwinger233
conformance-ipsec-e2e: run leak check before/after key rotation
2f0f361 
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@julianwiedmann @jschwinger233
HACK leak-detect: ignore sanity-check for missing IPv6 traffic
da05980 
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@jschwinger233
Also routes egress proxy's return traffic to 2005
ea7b7e2 
Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
@jschwinger233
Add iptables rule to avoid conntrack for proxy's forward packets
d95d2a8 
To ensure IPsec encryption for proxy forward packets, we added routing
rule to push them to cilium_host. This change caused side effects for
to-world traffic. This patch fixes the consequences of side effects.

Proxy will perform SNAT for to-world packets, but the new source address
is decided by routing rules. Previously, to-world packets are routed to
eth0, so proxy uses eth0's address for SNAT. Now with new routing rule
to push them to cilium_host instead of eth0, proxy uses cilium_host's
address for SNAT as the side effect.

This change makes to-world packets rely on "external" SNAT, which wasn't
required because proxy's SNAT worked perfectly. We need "external" SNAT
to change source address of to-world packets from cilium_host's IP to
eth0's IP. As IPsec doesn't work with KPR, the "external" SNAT mechanism
is iptables.

However, due to kernel's implementation details, an skb won't be
processed by nat POSTROUTING for twice. When the packet is routed to
cilium_host, it's the first time; when forwarded from cilium_net to
eth0, it's supposed to be the second time.

This is because, After the first POSTROUTING traversal, skb's ct (struct
nf_conn*)(skb->_nfct & ~7) has a status IPS_SRC_NAT_DONE to skip the
second traversal at all.

To avoid setting the IPS_SRC_NAT_DONE flag, this patch adds an iptables
rule `-j CT --notrack`.

Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
@jschwinger233
ci: Manually specify downgrade version
10d24b2 
Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
@maintainer-s-little-helper maintainer-s-little-helper bot added backport/1.15 This PR represents a backport for Cilium 1.15.x of a PR that was merged to main. kind/backports This PR provides functionality previously merged into master. labels Apr 16, 2024
@jschwinger233
Copy link
Member Author

jschwinger233 commented Apr 16, 2024
edited
Loading

/ci-ipsec-upgrade

result: https://github.com/cilium/cilium/actions/runs/8699250500

@jschwinger233
Copy link
Member Author

/test-backport-1.15

@jschwinger233 jschwinger233 mentioned this pull request Apr 16, 2024
Closed
11 tasks
@github-actions GitHub Actions
Copy link

This pull request has been automatically marked as stale because it
has not had recent activity. It will be closed if no further activity
occurs. Thank you for your contributions.

@github-actions github-actions bot added the stale The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale. label May 17, 2024
@github-actions GitHub Actions
Copy link

This pull request has not seen any activity since it was marked stale.
Closing.

@github-actions github-actions bot closed this May 31, 2024
@jschwinger233
Copy link
Member Author

Can't reopen because "branch was force-pushed" 😬
image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
backport/1.15 This PR represents a backport for Cilium 1.15.x of a PR that was merged to main. kind/backports This PR provides functionality previously merged into master. stale The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jschwinger233 @giorio94 @julianwiedmann