
@jschwinger233 (Member) commented Jun 27, 2024

This is to handle rev-DNAT when L7 ingress proxy is enabled with wireguard, nodeport, native routing, and KPR.

Consider a pod-to-remote-nodeport connection via L7 ingress proxy; the reply packet will pass: from_lxc@veth -> redirected to L7 proxy -> from_host@cilium_host -> to_host@cilium_net -> to_netdev@eth0 -> redirected to cilium_wg0. This patch ensures the newly attached to-wireguard@cilium_wg0 can do the necessary rev-DNAT in this case.

Fixes: #32899

Fixes a missing rev-DNAT issue when wireguard, nodeport, KPR, and L7 proxy are enabled together.
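The reply path above needs a reverse DNAT because the NodePort address the client pod connected to was translated to a backend on the way in, and the client only recognises a reply that comes back from the nodeIP:nodeport it addressed. The following is an added example, not Cilium code and not the PR's patch: a small C model of a conntrack table with NodePort DNAT and rev-DNAT, plus an egress hook that either runs rev-DNAT (the behaviour this PR adds to to-wireguard@cilium_wg0) or forwards the reply untouched (the missing-rev-DNAT case the PR fixes). All addresses, ports and function names are constructed for illustration.

```c
/* Toy model of NodePort DNAT / rev-DNAT (added example, not Cilium code). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed addresses for the toy topology (not taken from the PR). */
#define CLIENT_POD   0x0A000A05u   /* 10.0.10.5   */
#define REMOTE_NODE  0xC0A80102u   /* 192.168.1.2 */
#define BACKEND_POD  0x0A000B07u   /* 10.0.11.7   */
#define NODEPORT     30080
#define BACKEND_PORT 8080

struct tuple { uint32_t saddr, daddr; uint16_t sport, dport; };

/* Conntrack-style entry: the tuple as the client sent it, and the backend
 * the NodePort was translated to. */
struct ct_entry {
    struct tuple fwd;
    uint32_t backend_addr;
    uint16_t backend_port;
    int used;
};

#define CT_SIZE 16
static struct ct_entry ct[CT_SIZE];

/* Forward direction: translate nodeIP:nodeport to a backend and record the
 * mapping so the reply can be undone. Returns 0 on success, -1 if the packet
 * is not addressed to the NodePort or the table is full. */
int nodeport_dnat(struct tuple *p, uint32_t node_addr, uint16_t nodeport,
                  uint32_t backend_addr, uint16_t backend_port)
{
    if (p->daddr != node_addr || p->dport != nodeport)
        return -1;
    for (int i = 0; i < CT_SIZE; i++) {
        if (ct[i].used)
            continue;
        ct[i].fwd = *p;
        ct[i].backend_addr = backend_addr;
        ct[i].backend_port = backend_port;
        ct[i].used = 1;
        p->daddr = backend_addr;
        p->dport = backend_port;
        return 0;
    }
    return -1;
}

/* Reply direction: the backend answers from its own address. Find the entry
 * whose backend and client match and restore nodeIP:nodeport as the source.
 * Returns 0 if rewritten, -1 if no entry matches. */
int nodeport_rev_dnat(struct tuple *reply)
{
    for (int i = 0; i < CT_SIZE; i++) {
        const struct ct_entry *e = &ct[i];
        if (!e->used)
            continue;
        if (e->backend_addr == reply->saddr && e->backend_port == reply->sport &&
            e->fwd.saddr == reply->daddr && e->fwd.sport == reply->dport) {
            reply->saddr = e->fwd.daddr;
            reply->sport = e->fwd.dport;
            return 0;
        }
    }
    return -1;
}

/* The client only ever talked to nodeIP:nodeport, so it accepts a reply only
 * if the reply's source is exactly the destination it originally used. */
int client_accepts_reply(const struct tuple *client_fwd, const struct tuple *reply)
{
    return reply->saddr == client_fwd->daddr && reply->sport == client_fwd->dport &&
           reply->daddr == client_fwd->saddr && reply->dport == client_fwd->sport;
}

/* Model of the reply's egress hook on the remote node: with rev-DNAT (the
 * behaviour the fix adds to the WireGuard egress program) or without it. */
int egress_program(struct tuple *reply, int does_rev_dnat)
{
    if (does_rev_dnat)
        return nodeport_rev_dnat(reply);
    return 0; /* reply forwarded with the backend's address as source */
}

/* Full round trip. Returns 1 if the client accepts the reply, 0 otherwise. */
int run_scenario(int egress_does_rev_dnat)
{
    memset(ct, 0, sizeof(ct));
    struct tuple client_fwd = { CLIENT_POD, REMOTE_NODE, 40000, NODEPORT };
    struct tuple fwd = client_fwd;
    if (nodeport_dnat(&fwd, REMOTE_NODE, NODEPORT, BACKEND_POD, BACKEND_PORT) != 0)
        return 0;
    /* Backend replies by swapping the translated tuple. */
    struct tuple reply = { fwd.daddr, fwd.saddr, fwd.dport, fwd.sport };
    egress_program(&reply, egress_does_rev_dnat);
    return client_accepts_reply(&client_fwd, &reply);
}

int main(void)
{
    printf("egress with rev-DNAT:    client accepts = %d\n", run_scenario(1));
    printf("egress without rev-DNAT: client accepts = %d\n", run_scenario(0));
    return 0;
}
```

The second scenario is the symptom reported in the linked issue: the reply leaves the node with the backend's address as its source, so the client pod never matches it to the connection it opened.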

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jun 27, 2024
@jschwinger233 force-pushed the gray/to-wireguard branch 3 times, most recently from 9840c37 to a86eee6 on June 28, 2024 07:52
@jschwinger233 (Member, Author) commented Jul 1, 2024

Can't believe adding this trivial code leads to "BPF program is too large" 😨

2024-07-01T08:54:07.534681504Z time="2024-07-01T08:54:07Z" level=error msg="endpoint regeneration failed" ciliumEndpointName=/ containerID= containerInterface= datapathPolicyRevision=0 desiredPolicyRevision=1 endpointID=2725 error="loading eBPF collection into the kernel: program cil_to_netdev: load program: argument list too long: BPF program is too large. Processed 1000001 insn (1900 line(s) omitted)" identity=1 ipv4= ipv6= k8sPodName=/ subsys=endpoint

Edit: I think compiling to-wireguard independently can solve the problem by getting rid of if (ctx_get_ifindex(ctx) == WG_IFINDEX).

@jschwinger233 force-pushed the gray/to-wireguard branch 10 times, most recently from f19e66f to 78e7a2a on July 3, 2024 07:01
@jschwinger233 jschwinger233 added area/proxy Impacts proxy components, including DNS, Kafka, Envoy and/or XDS servers. release-note/bug This PR fixes an issue in a previous release of Cilium. area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. area/loadbalancing Impacts load-balancing and Kubernetes service implementations feature/wireguard Relates to Cilium's Wireguard feature labels Jul 3, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot removed dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Jul 3, 2024
@jschwinger233 jschwinger233 added the area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. label Jul 3, 2024
@jschwinger233 jschwinger233 marked this pull request as ready for review July 3, 2024 09:34
@jschwinger233 jschwinger233 requested review from a team as code owners July 3, 2024 09:34
@brb (Member) left a comment

Thanks!

@jschwinger233 jschwinger233 requested a review from a team as a code owner July 5, 2024 05:38
@jschwinger233 jschwinger233 requested a review from nebril July 5, 2024 05:38
@julianwiedmann (Member) left a comment

Looks good, thank you!

Just two smaller nits in case you need to rebase once more. Otherwise we can clean those up later.

This is to handle rev-DNAT when L7 ingress proxy is enabled with
wireguard, nodeport, native routing, and KPR.

Consider a pod-to-remote-nodeport connection, the reply packet will
pass: from_lxc@veth -> redirected to L7 proxy -> from_host@cilium_host
-> to_host@cilium_net -> to_netdev@eth0 -> redirected to cilium_wg0.
This patch ensures the new attached to-wireguard@cilium_wg0 can do the
necessary rev-DNAT.

Fixes: cilium#32899

Signed-off-by: gray <gray.liang@isovalent.com>
@brb (Member) commented Jul 5, 2024

BTW, with this PR merged, we can easily tackle:

Create and load from-wireguard instead of from-netdev (#19401 (comment)).

From #23032. It will give us a few CPU cycles back 😎

MAX_WIREGUARD_OPTIONS and WIREGUARD_OPTIONS are set in a similar way to
MAX_HOST_OPTIONS and HOST_OPTIONS, with ENABLE_IPSEC replaced by
ENABLE_WIREGUARD.

Signed-off-by: gray <gray.liang@isovalent.com>
The files are copied from bpf/complexity-tests/*/bpf_host/*.txt,
followed by s/-DENABLE_IPSEC/-DENABLE_WIREGUARD/.

Signed-off-by: gray <gray.liang@isovalent.com>
@jschwinger233 (Member, Author) commented

/test

@julianwiedmann julianwiedmann added this pull request to the merge queue Jul 8, 2024
Merged via the queue into cilium:main with commit fdf7f09 Jul 8, 2024
@giorio94 giorio94 mentioned this pull request Jul 15, 2024
@giorio94 giorio94 added backport-pending/1.16 The backport for Cilium 1.16.x for this PR is in progress. and removed needs-backport/1.16 This PR / issue needs backporting to the v1.16 branch labels Jul 15, 2024
@github-actions github-actions bot added backport-done/1.16 The backport for Cilium 1.16.x for this PR is done. and removed backport-pending/1.16 The backport for Cilium 1.16.x for this PR is in progress. labels Jul 15, 2024
julianwiedmann added a commit to julianwiedmann/cilium that referenced this pull request Nov 26, 2024
This was added with cilium#33426.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
github-merge-queue bot pushed a commit that referenced this pull request Nov 28, 2024
This was added with #33426.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
nbusseneau pushed a commit to nbusseneau/cilium that referenced this pull request Dec 1, 2024
[ upstream commit 256684c ]

This was added with cilium#33426.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
nbusseneau pushed a commit to nbusseneau/cilium that referenced this pull request Dec 1, 2024
[ upstream commit 256684c ]

This was added with cilium#33426.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
github-merge-queue bot pushed a commit that referenced this pull request Dec 3, 2024
[ upstream commit 256684c ]

This was added with #33426.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
Labels
area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. area/loadbalancing Impacts load-balancing and Kubernetes service implementations area/proxy Impacts proxy components, including DNS, Kafka, Envoy and/or XDS servers. backport-done/1.16 The backport for Cilium 1.16.x for this PR is done. feature/wireguard Relates to Cilium's Wireguard feature release-note/bug This PR fixes an issue in a previous release of Cilium.
Merging this pull request may close this issue:

Broken connectivity of pod to remote nodeport when Wireguard is used with L7 ingress policy + native routing + KPR