Skip to content

L7 policy for HTTP breaks IPv6 connectivity to world #37932

Closed
Closed
L7 policy for HTTP breaks IPv6 connectivity to world#37932
Labels
area/datapathImpacts bpf/ or low-level forwarding details, including map management and monitor messages.area/kernelRequires upstream work in the Linux kernel.area/proxyImpacts proxy components, including DNS, Kafka, Envoy and/or XDS servers.feature/ipv6Relates to IPv6 protocol supportkind/bugThis is a bug in the Cilium logic.kind/community-reportThis was reported by a user in the Cilium community, eg via Slack.sig/policyImpacts whether traffic is allowed or denied based on user-defined policies.
@gentoo-root

Description

@gentoo-root
gentoo-root
opened on Feb 28, 2025

Is there an existing issue for this?

  • I have searched the existing issues

Version

equal or higher than v1.17.1 and lower than v1.18.0

What happened?

HTTP L7 policy breaks IPv6 connectivity to a server outside the cluster.

How can we reproduce the issue?

Run cilium-cli/cilium connectivity test -v --test 'to-fqdns/pod-to-world$' on this commit (that enables IPv6 PodToWorld tests) on a dual-stack cluster.

Cilium Version

1b28ec1

Kernel Version

6.8.0-54-generic #56-Ubuntu SMP PREEMPT_DYNAMIC Sat Feb 8 00:37:57 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Kubernetes Version

Client Version: v1.32.2
Kustomize Version: v5.5.0
The connection to the server localhost:8080 was refused - did you specify the right host or port?

Regression

No response

Sysdump

cilium-sysdump-20250227-185144.zip
cilium-sysdump-20250227-185339.zip

Relevant log output

📋 Test Report [cilium-test-1]
❌ 1/1 tests failed (2/12 actions), 111 tests skipped, 1 scenarios skipped:
Test [to-fqdns]:
  ❌ to-fqdns/pod-to-world/http-to-one.one.one.one.-ipv6-0: cilium-test-1/client-645b68dcf7-jd56d (fd00::1c8) -> one.one.one.one.-http (one.one.one.one.:80)
  ❌ to-fqdns/pod-to-world/http-to-one.one.one.one.-ipv6-1: cilium-test-1/client2-66475877c6-kj9kl (fd00::190) -> one.one.one.one.-http (one.one.one.one.:80)

Anything else?

As pointed out by @jrajahalme, Envoy is getting a connection timeout, that's why it returns 503.

As also pointed out by @jrajahalme, the second CT entry shouldn't be there:

TCP OUT fd00::1c8:37192 -> 2606:4700:4700::1001:80 expires=22444 Packets=0 Bytes=0 RxFlagsSeen=0x16 LastRxReport=22434 TxFlagsSeen=0x00 LastTxReport=22433 Flags=0x0053 [ RxClosing TxClosing SeenNonSyn ProxyRedirect ] RevNAT=0 SourceSecurityID=64922 IfIndex=0 BackendID=0 

TCP IN 2606:4700:4700::1001:80 -> fd00::1c8:37192 expires=30434 Packets=0 Bytes=0 RxFlagsSeen=0x02 LastRxReport=22434 TxFlagsSeen=0x10 LastTxReport=22434 Flags=0x0010 [ SeenNonSyn ] RevNAT=0 SourceSecurityID=16777218 IfIndex=0 BackendID=0 

TCP OUT 2604:1380:4091:ce00::b:37192 -> 2606:4700:4700::1001:80 expires=22444 Packets=0 Bytes=0 RxFlagsSeen=0x16 LastRxReport=22434 TxFlagsSeen=0x12 LastTxReport=22434 Flags=0x0013 [ RxClosing TxClosing SeenNonSyn ] RevNAT=0 SourceSecurityID=0 IfIndex=0 BackendID=0

With IPv4, we only have the 1st and 3rd.

Cilium Users Document

  • Are you a user of Cilium? Please add yourself to the Users doc

Code of Conduct

  • I agree to follow this project's Code of Conduct

Metadata

Metadata

Assignees

No one assigned

    Labels

    area/datapathImpacts bpf/ or low-level forwarding details, including map management and monitor messages.area/kernelRequires upstream work in the Linux kernel.area/proxyImpacts proxy components, including DNS, Kafka, Envoy and/or XDS servers.feature/ipv6Relates to IPv6 protocol supportkind/bugThis is a bug in the Cilium logic.kind/community-reportThis was reported by a user in the Cilium community, eg via Slack.sig/policyImpacts whether traffic is allowed or denied based on user-defined policies.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions