
Conversation

@brb brb (Member) commented Jul 11, 2024

Previously, we required socketLB to be enabled in order for BPF masquerade to properly function. The reasoning was outlined in [1] and [2].

As pointed out by Julian Wiedmann, [3] resolved the following NAT reply issue:

    On the remote node, the reply (dst=the client node IP) gets
    masqueraded by the BPF-masq feature, because we masquerade pod ->
    remote host IP in the tunnel mode (see comment in the
    "snat_v4_needed()" for the reason), and currently we don't consult
    the CT map to see whether a packet is reply.

Thus, we can remove the check.

[1]: #15437
[2]: 50e59c3
[3]: #17168

Fix #15437
Fix #12699
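The reply-direction problem the description refers to, shown on a constructed two-node topology as an added Go example. This is not Cilium code: the `Flow`, `ConnTrack` and `MasqPolicy` types, the addresses and the port numbers are assumptions made for illustration, and `SNATNeeded` is a deliberately simplified stand-in for the tunnel-mode decision in the datapath's `snat_v4_needed()`. It contrasts the old rule (no CT lookup, so a pod's reply to the client node's IP is masqueraded) with the CT-aware rule, under which the same reply is left untouched while pod-initiated traffic to the remote host is still masqueraded.

```go
package main

import (
	"fmt"
	"net"
)

// Flow is a simplified IPv4 4-tuple; the real datapath keys on more fields.
type Flow struct {
	SrcIP, DstIP     string
	SrcPort, DstPort uint16
}

// reverse returns the tuple a reply to f would carry.
func reverse(f Flow) Flow {
	return Flow{SrcIP: f.DstIP, DstIP: f.SrcIP, SrcPort: f.DstPort, DstPort: f.SrcPort}
}

// ConnTrack stands in for the CT map: it records the original direction of
// each connection so later packets can be classified as request or reply.
type ConnTrack map[Flow]struct{}

// Record stores the original (request) direction of a connection.
func (ct ConnTrack) Record(orig Flow) { ct[orig] = struct{}{} }

// IsReply is true when the reverse of pkt matches a recorded original flow.
func (ct ConnTrack) IsReply(pkt Flow) bool {
	_, ok := ct[reverse(pkt)]
	return ok
}

// MasqPolicy carries the inputs the egress decision needs (illustrative only).
type MasqPolicy struct {
	LocalPodCIDR  *net.IPNet      // pods on this node
	RemoteHostIPs map[string]bool // host IPs of the other nodes (tunnel peers)
	ConsultCT     bool            // whether reply packets are exempted
}

// SNATNeeded models the tunnel-mode rule from the PR text: traffic from a local
// pod to a remote node's host IP is masqueraded, unless CT identifies it as a
// reply. With ConsultCT=false it behaves like the pre-[3] datapath.
func (p MasqPolicy) SNATNeeded(pkt Flow, ct ConnTrack) bool {
	src := net.ParseIP(pkt.SrcIP)
	if src == nil || !p.LocalPodCIDR.Contains(src) {
		return false // not pod egress from this node
	}
	if !p.RemoteHostIPs[pkt.DstIP] {
		return false // only pod -> remote host IP is masqueraded in this model
	}
	if p.ConsultCT && ct.IsReply(pkt) {
		return false // reply to a connection the remote host opened; leave it alone
	}
	return true
}

// ReplyScenario reproduces the failure on a constructed topology: a client on
// node A (host IP 10.0.0.1) opens a connection to a pod on node B (10.244.1.5),
// and the pod's reply has dst = node A's IP. It returns whether node B would
// masquerade that reply without and with consulting CT.
func ReplyScenario() (withoutCT, withCT bool) {
	_, podCIDR, _ := net.ParseCIDR("10.244.1.0/24")  // node B's pod range (constructed)
	remoteHosts := map[string]bool{"10.0.0.1": true} // node A's host IP (constructed)

	request := Flow{SrcIP: "10.0.0.1", DstIP: "10.244.1.5", SrcPort: 40000, DstPort: 8080}
	reply := reverse(request)

	ct := ConnTrack{}
	ct.Record(request) // node B's datapath saw the request first

	old := MasqPolicy{LocalPodCIDR: podCIDR, RemoteHostIPs: remoteHosts, ConsultCT: false}
	fixed := MasqPolicy{LocalPodCIDR: podCIDR, RemoteHostIPs: remoteHosts, ConsultCT: true}
	return old.SNATNeeded(reply, ct), fixed.SNATNeeded(reply, ct)
}

func main() {
	without, with := ReplyScenario()
	fmt.Printf("reply masqueraded without CT check: %v\n", without)
	fmt.Printf("reply masqueraded with CT check:    %v\n", with)
}
```

The point to take away is that masquerade is a NAT decision and must be direction-aware: rewriting the source of a reply breaks the connection the remote host initiated, which is exactly what the socket-LB requirement was papering over before the CT lookup landed.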

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jul 11, 2024
@brb brb (Member Author) commented Jul 11, 2024

/ci-e2e

(1 similar comment)

@brb brb force-pushed the pr/brb/bpf-masq-no-socket-lb branch from b85338b to 01e4049 Compare July 11, 2024 13:16
@brb brb added release-note/misc This PR makes changes that have no direct user impact. needs-backport/1.16 This PR / issue needs backporting to the v1.16 branch labels Jul 11, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jul 11, 2024
@brb brb changed the title WIP: bpf masq w/o socket LB daemon: Do not require socketLB for BPF masq Jul 11, 2024
@brb brb (Member Author) commented Jul 11, 2024

/ci-e2e

Previously, we required socketLB to be enabled in order for BPF
masquerade to properly function. The reasoning was outlined in [1] and
[2].

As pointed out by Julian Wiedmann, [3] resolved the following NAT reply
issue:

    On the remote node, the reply (dst=the client node IP) gets
    masqueraded by the BPF-masq feature, because we masquerade pod ->
    remote host IP in the tunnel mode (see comment in the
    "snat_v4_needed()" for the reason), and currently we don't consult
    the CT map to see whether a packet is reply.

Thus, we can remove the check.

[1]: #15437
[2]: 50e59c3
[3]: #17168

Signed-off-by: Martynas Pumputis <m@lambda.lt>
@brb brb force-pushed the pr/brb/bpf-masq-no-socket-lb branch from 01e4049 to a45c5de Compare July 11, 2024 14:15
@brb brb (Member Author) commented Jul 11, 2024

/ci-e2e

@brb brb requested a review from julianwiedmann July 11, 2024 14:56
@brb brb marked this pull request as ready for review July 11, 2024 14:56
@brb brb requested review from a team as code owners July 11, 2024 14:56
@brb brb requested review from ldelossa and viktor-kurchenko July 11, 2024 14:56
@brb
Copy link
Member Author

brb commented Jul 11, 2024

/test

@julianwiedmann julianwiedmann added area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. feature/snat Relates to SNAT or Masquerading of traffic feature/socket-lb Impacts the Socket-LB part of Cilium's kube-proxy replacement. labels Jul 11, 2024
@julianwiedmann julianwiedmann (Member) left a comment

Thank you! Let's see if the reasoning still holds true ...

@brb brb enabled auto-merge July 11, 2024 17:12
@ldelossa ldelossa (Contributor) left a comment

Review the history of this issue.
Change LGTM.

@brb brb added this pull request to the merge queue Jul 15, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jul 15, 2024
Merged via the queue into main with commit 3de8537 Jul 15, 2024
@brb brb deleted the pr/brb/bpf-masq-no-socket-lb branch July 15, 2024 14:42
@sayboras sayboras mentioned this pull request Jul 16, 2024
6 tasks
@sayboras sayboras added backport-pending/1.16 The backport for Cilium 1.16.x for this PR is in progress. and removed needs-backport/1.16 This PR / issue needs backporting to the v1.16 branch labels Jul 16, 2024
@github-actions github-actions bot added backport-done/1.16 The backport for Cilium 1.16.x for this PR is done. and removed backport-pending/1.16 The backport for Cilium 1.16.x for this PR is in progress. labels Jul 16, 2024
julianwiedmann added a commit to julianwiedmann/cilium that referenced this pull request Jul 16, 2024
This was addressed in cilium#33728.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
github-merge-queue bot pushed a commit that referenced this pull request Jul 18, 2024
This was addressed in #33728.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>