Skip to content

bpf: nat: handle egressing ICMPv6 error messages with embedded ECHO / ECHO_REPLY #39661

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
May 26, 2025
Merged

bpf: nat: handle egressing ICMPv6 error messages with embedded ECHO / ECHO_REPLY #39661

merged 2 commits into from
May 26, 2025

Conversation

julianwiedmann
Copy link
Member

@julianwiedmann julianwiedmann commented May 21, 2025
edited
Loading

Following on to #38068, this adds support for ECHO / ECHO_REPLY in egressing ICMPv6 error messages.

One relevant scenario is an DEST_UNREACH response for an inbound ECHO.

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label May 21, 2025
@julianwiedmann julianwiedmann changed the title 1.18 bpf icmpv6 echo bpf: nat: handle egressing ICMPv6 error messages with embedded ECHO / ECHO_REPLY May 21, 2025
@julianwiedmann julianwiedmann added area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. feature/ipv6 Relates to IPv6 protocol support feature/snat Relates to SNAT or Masquerading of traffic release-note/misc This PR makes changes that have no direct user impact. labels May 21, 2025
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label May 21, 2025
@julianwiedmann
bpf: nat: support egressing ICMPv6 error with embedded ICMPV6_ECHO_RE…
9071c6f 
…QUEST

If we're sending an ICMPv6 error message for an ICMPV6_ECHO_REQUEST packet,
then this packet was previously received on the node. Therefore the ECHO
session didn't originate locally, and so we don't need to apply SNAT and
can just let the ICMPv6 error message pass through.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@julianwiedmann
bpf: nat: support egressing ICMPv6 error with embedded ICMPV6_ECHO_REPLY
9dc11f8 
If we're sending an ICMPv6 error message for an ICMPV6_ECHO_REPLY packet,
then this packet was previously received on the node. Therefore the ECHO
session originated locally, and we need to check for SNAT.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@julianwiedmann julianwiedmann force-pushed the 1.18-bpf-icmpv6-echo branch from fc652d9 to 9dc11f8 Compare May 22, 2025 04:49
@julianwiedmann
Copy link
Member Author

/test

@julianwiedmann julianwiedmann marked this pull request as ready for review May 22, 2025 06:46
@julianwiedmann julianwiedmann requested a review from a team as a code owner May 22, 2025 06:46
@julianwiedmann julianwiedmann enabled auto-merge May 22, 2025 06:46
@julianwiedmann julianwiedmann added backport/author The backport will be carried out by the author of the PR. needs-backport/1.17 This PR / issue needs backporting to the v1.17 branch labels May 22, 2025
YutaroHayakawa
YutaroHayakawa approved these changes May 22, 2025
View reviewed changes
Copy link
Member

@YutaroHayakawa YutaroHayakawa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me in general, but could you elaborate more about the concrete situation where we hit this REPLY case? If the echo request is locally originated and if we trigger the ICMP error for the reply, the packet will go back to the peer, so we don't really see it I think.

@julianwiedmann julianwiedmann added this pull request to the merge queue May 22, 2025
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label May 22, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks May 22, 2025
@julianwiedmann
Copy link
Member Author

Looks good to me in general, but could you elaborate more about the concrete situation where we hit this REPLY case? If the echo request is locally originated and if we trigger the ICMP error for the reply, the packet will go back to the peer, so we don't really see it I think.

Local endpoint sends an ECHO, which gets NATed when egressing the node. Remote endpoint sends a REPLY, which gets revNATed on ingress and delivered to the local endpoint.

If the local endpoint then produces an ICMP error message for this REPLY, we need to apply NAT (== undo the RevNAT) on egress again.

@julianwiedmann julianwiedmann added this pull request to the merge queue May 26, 2025
Merged via the queue into cilium:main with commit 58a5e1d May 26, 2025
71 checks passed
@julianwiedmann julianwiedmann deleted the 1.18-bpf-icmpv6-echo branch May 26, 2025 03:49
@julianwiedmann julianwiedmann mentioned this pull request May 29, 2025
Closed
4 tasks
@julianwiedmann julianwiedmann added backport-pending/1.17 The backport for Cilium 1.17.x for this PR is in progress. and removed needs-backport/1.17 This PR / issue needs backporting to the v1.17 branch labels May 29, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@YutaroHayakawa YutaroHayakawa YutaroHayakawa approved these changes

Assignees
No one assigned
Labels
area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. backport/author The backport will be carried out by the author of the PR. backport-pending/1.17 The backport for Cilium 1.17.x for this PR is in progress. feature/ipv6 Relates to IPv6 protocol support feature/snat Relates to SNAT or Masquerading of traffic ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/misc This PR makes changes that have no direct user impact.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@julianwiedmann @YutaroHayakawa