Skip to content

datapath, netkit: Allow ARP passthrough on host when using netkit #35070

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 3, 2024
Merged

datapath, netkit: Allow ARP passthrough on host when using netkit #35070

merged 1 commit into from
Oct 3, 2024

Conversation

jrife
Copy link
Contributor

@jrife jrife commented Sep 27, 2024

When using the netkit datapath mode neither ENABLE_ARP_PASSTHROUGH nor ENABLE_ARP_RESPONDER is set for any endpoint. When host firewall is enabled all ARP messages are blocked to and from the netdev. Make an exception for host endpoints to ensure connectivity is maintained between the host and the outside world. Additionally, add test coverage for netkit combined with host firewall.

Fixes: #34230
Fixes: 6895341 ("cilium, connector: Add netkit connector")

netkit: Allow ARP packets through when using host firewall.

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Sep 27, 2024
@github-actions github-actions bot added the kind/community-contribution This was a contribution made by a community member. label Sep 27, 2024
@hemanthmalla
Copy link
Member

/test

@hemanthmalla hemanthmalla mentioned this pull request Oct 1, 2024
Closed
@jrife
datapath, netkit: Allow ARP passthrough on host when using netkit
8f3cee1 
When using the `netkit` datapath mode neither `ENABLE_ARP_PASSTHROUGH` nor
`ENABLE_ARP_RESPONDER` is set for any endpoint. When host firewall is
enabled all ARP messages are blocked to and from the netdev. Make an
exception for host endpoints to ensure connectivity is maintained
between the host and the outside world. Additionally, add test coverage
for netkit combined with host firewall.

Fixes: cilium#34230
Fixes: 6895341 ("cilium, connector: Add netkit connector")

Signed-off-by: Jordan Rife <jrife@google.com>
@jrife jrife marked this pull request as ready for review October 1, 2024 21:57
@jrife jrife requested review from a team as code owners October 1, 2024 21:57
@jrife jrife requested review from rgo3 and brlbil October 1, 2024 21:57
@jrife
Copy link
Contributor Author

jrife commented Oct 1, 2024

cc @borkmann

@pchaigno pchaigno added the release-note/bug This PR fixes an issue in a previous release of Cilium. label Oct 2, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Oct 2, 2024
@pchaigno pchaigno added area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. needs-backport/1.16 This PR / issue needs backporting to the v1.16 branch labels Oct 2, 2024
@pchaigno
Copy link
Member

pchaigno commented Oct 2, 2024
edited
Loading

Thanks for the fix!

/test

borkmann
borkmann approved these changes Oct 2, 2024
View reviewed changes
Copy link
Member

@borkmann borkmann left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

awesome, thanks @jrife !

brlbil
brlbil approved these changes Oct 2, 2024
View reviewed changes
Copy link
Contributor

@brlbil brlbil left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CI changes 👍

@pchaigno pchaigno enabled auto-merge October 2, 2024 14:47
@borkmann borkmann added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Oct 3, 2024
@borkmann
Copy link
Member

borkmann commented Oct 3, 2024
edited
Loading

(ready to merge. the ginkgo ci failure appears also in other PRs and unrelated to this one here, looks like we don't have a GH issue for it yet)

edit: #35209

@borkmann borkmann disabled auto-merge October 3, 2024 16:14
@borkmann borkmann merged commit c60ea32 into cilium:main Oct 3, 2024
71 of 73 checks passed
@jrife
Copy link
Contributor Author

jrife commented Oct 3, 2024

thanks @borkmann

@giorio94 giorio94 mentioned this pull request Oct 7, 2024
Merged
15 tasks
@giorio94 giorio94 added backport-pending/1.16 The backport for Cilium 1.16.x for this PR is in progress. and removed needs-backport/1.16 This PR / issue needs backporting to the v1.16 branch labels Oct 7, 2024
@github-actions github-actions bot added backport-done/1.16 The backport for Cilium 1.16.x for this PR is done. and removed backport-pending/1.16 The backport for Cilium 1.16.x for this PR is in progress. labels Oct 8, 2024
@cilium-release-bot cilium-release-bot bot mentioned this pull request Oct 9, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@borkmann borkmann borkmann approved these changes

@pchaigno pchaigno pchaigno approved these changes

@brlbil brlbil brlbil approved these changes

@rgo3 rgo3 rgo3 approved these changes

Assignees
No one assigned
Labels
area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. backport-done/1.16 The backport for Cilium 1.16.x for this PR is done. feature/netkit kind/community-contribution This was a contribution made by a community member. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/bug This PR fixes an issue in a previous release of Cilium.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Enabling host firewall blocks arp
7 participants
@jrife @hemanthmalla @pchaigno @borkmann @brlbil @rgo3 @giorio94