Add node CIDRs into ipcache to remove tunnel map#37026
Add node CIDRs into ipcache to remove tunnel map#37026pippolo84 wants to merge 4 commits intocilium:mainfrom
Conversation
Signed-off-by: Fabio Falzoi <[email protected]>
Signed-off-by: Fabio Falzoi <[email protected]>
Signed-off-by: Fabio Falzoi <[email protected]>
Signed-off-by: Fabio Falzoi <[email protected]>
pippolo84
added
the
dont-merge/preview-only
maintainer-s-little-helper
bot
added
the
dont-merge/needs-release-note-label
|
/test |
| m.ipsetMgr.AddToIPSet(ipset.CiliumNodeIPSetV4, ipset.INetFamily, v4Addrs...) | ||
| m.ipsetMgr.AddToIPSet(ipset.CiliumNodeIPSetV6, ipset.INet6Family, v6Addrs...) | ||
|
|
||
| if !n.IsLocal() { |
There was a problem hiding this comment.
What about if this node is the local node? Do we also need to plumb the local node's pod CIDR into the ipcache?
There was a problem hiding this comment.
Not for tunneling (we don't insert local node allocation CIDRs into the tunnel map).
But it is something we can consider if any other feature can benefit from these new entries.
| if (key->family == ENDPOINT_KEY_IPV4) { | ||
| ep = lookup_ip4_remote_endpoint(key->ip4, key->cluster_id); | ||
| } else { | ||
| ep = lookup_ip6_remote_endpoint(&key->ip6, key->cluster_id); | ||
| } |
There was a problem hiding this comment.
Drive-by comment, there's no need for an extra ipcache lookup here, because all callers already performed it (that's how tunnel_endpoint gets normally populated). E.g,, https://github.com/pippolo84/cilium/blob/pr%2Fpippolo84%2Fmerge-tunnel-map-into-ipcache-exp/bpf/bpf_lxc.c#L920-L928
I haven't explicitly checked the other functions below, but AFAIR the same applies there as well.
There was a problem hiding this comment.
I had the same thought when first looking at it. One subtlety is that the initial ipcache lookup uses the precise IP, while here we use the (fixed-size) PodCIDR (as that's what the caller passed in the tunnel_key).
So right now this is a 1-to-1 replacement. Without considering that the IPcache is LPM and we would have already matched the PodCIDR entry on the first lookup.
There was a problem hiding this comment.
Ah right, this is using the masked IP as key. My comment was based on the fact that being the ipcache an LPM map, the node entry would already been retrieved during the previous lookup. And we'll also need to get rid of the fixed mask to benefit from the additional flexibility provided by the ipcache.
There was a problem hiding this comment.
Drive-by comment, there's no need for an extra ipcache lookup here, because all callers already performed it (that's how
tunnel_endpointgets normally populated).
Tried that approach in #37146 and it seems to work correctly.
|
Superseded by #37146 |
4 participants
-- WORK IN PROGRESS --