Skip to content

egressgw: Let the EGW manager relax rp_filter on egress device #32679

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 23, 2024
Merged

egressgw: Let the EGW manager relax rp_filter on egress device #32679

merged 1 commit into from
May 23, 2024

Conversation

ysksuzuki
Copy link
Member

Pods running on the Egress GW node fail to communicate with an external endpoint through the Egress GW due to the rp_filter in an environment where egress IP is assigned to a different interface than the one with the default route. The reply packets from the external endpoints are dropped by the rp_filter

  • A request from a local pod hits eth0 with the default route. It matches an IEGP, gets masqueraded & bpf-redirected to eth1 with Egress IP.
  • Replies hit eth1, are revSNATed, and passed on to the stack. rp-filter complains that they are received on eth1, when the route doesn't point towards eth1.

This PR fixes this issue by relaxing rp_filter on interfaces with Egress IP.

@ysksuzuki
egressgw: Let the EGW manager relax rp_filter on egress device
3b71625 
Pods running on the Egress GW node fail to communicate with an external
endpoint through the Egress GW due to the rp_filter in an environment
where egress IP is assigned to a different interface than the one with
the default route. The reply packets from the external endpoints are
dropped by the rp_filter

- A request from a local pod hits eth0 with the default route.
  It matches an IEGP, gets masqueraded & bpf-redirected to eth1 with Egress IP.
- Replies hit eth1, are revSNATed, and passed on to the stack.
  rp-filter complains that they are received on eth1, when the route doesn't point towards eth1.

This PR fixes this issue by relaxing rp_filter on interfaces with Egress IP.

Signed-off-by: Yusuke Suzuki <yusuke.suzuki@isovalent.com>
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label May 23, 2024
@ysksuzuki ysksuzuki added release-note/misc This PR makes changes that have no direct user impact. feature/egress-gateway Impacts the egress IP gateway feature. labels May 23, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot removed dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels May 23, 2024
@ysksuzuki
Copy link
Member Author

/test

@julianwiedmann julianwiedmann added needs-backport/1.15 kind/bug This is a bug in the Cilium logic. release-note/bug This PR fixes an issue in a previous release of Cilium. and removed release-note/misc This PR makes changes that have no direct user impact. labels May 23, 2024
@ysksuzuki ysksuzuki marked this pull request as ready for review May 23, 2024 07:29
@ysksuzuki ysksuzuki requested review from a team as code owners May 23, 2024 07:29
@ysksuzuki ysksuzuki requested review from lmb and markpash May 23, 2024 07:29
@julianwiedmann julianwiedmann added the area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. label May 23, 2024
julianwiedmann
julianwiedmann approved these changes May 23, 2024
View reviewed changes
Copy link
Member

@julianwiedmann julianwiedmann left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thank you!

@julianwiedmann julianwiedmann removed the request for review from markpash May 23, 2024 11:58
@julianwiedmann julianwiedmann enabled auto-merge May 23, 2024 11:58
@julianwiedmann julianwiedmann added this pull request to the merge queue May 23, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label May 23, 2024
Merged via the queue into cilium:main with commit 43d65ed May 23, 2024
@julianwiedmann julianwiedmann mentioned this pull request May 27, 2024
Merged
@ysksuzuki ysksuzuki mentioned this pull request May 30, 2024
Merged
@ysksuzuki ysksuzuki added the backport/author The backport will be carried out by the author of the PR. label May 30, 2024
@github-actions github-actions bot added the backport-done/1.15 The backport for Cilium 1.15.x for this PR is done. label May 30, 2024
@michi-covalent michi-covalent mentioned this pull request Jun 8, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lmb lmb lmb approved these changes

@julianwiedmann julianwiedmann julianwiedmann approved these changes

Assignees
No one assigned
Labels
area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. backport/author The backport will be carried out by the author of the PR. backport-done/1.15 The backport for Cilium 1.15.x for this PR is done. feature/egress-gateway Impacts the egress IP gateway feature. kind/bug This is a bug in the Cilium logic. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/bug This PR fixes an issue in a previous release of Cilium.
Projects
No open projects
1.15.6
Status: Backport done to v1.15
cilium v1.15.6
Status: Released
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ysksuzuki @lmb @julianwiedmann