bpf: nat: Adding a new config field to enable SNAT for remote node. #35823#37568
bpf: nat: Adding a new config field to enable SNAT for remote node. #35823#37568joestringer merged 1 commit intocilium:mainfrom
Conversation
This comment was marked as resolved.
This comment was marked as resolved.
maintainer-s-little-helper
bot
added
dont-merge/needs-sign-off
github-actions
bot
added
the
kind/community-contribution
behzad-mir
changed the title
|
Thanks for the contribution! Could you give a bit of context in the commit description, also describe how you tested this, and fix the CI failure? I'll mark as draft in the meantime to avoid notifying reviewers. |
pchaigno
added
the
release-note/minor
maintainer-s-little-helper
bot
removed
the
dont-merge/needs-release-note-label
behzad-mir
force-pushed
the
remoteNode-SNAT
branch
from
1034716 to
3ab7576
Compare
maintainer-s-little-helper
bot
removed
the
dont-merge/needs-sign-off
behzad-mir
force-pushed
the
remoteNode-SNAT
branch
from
3ab7576 to
d85d845
Compare
@pchaigno |
pchaigno
left a comment
pchaigno
left a comment
There was a problem hiding this comment.
Could you add the additional context in the commit description and not the PR description?
In order to verify and test ithe change. We followed the repro in #35823 and verified that the source address is getting SNATed to the source node IP.
Can you describe exactly how you did that with the current code? It does not work for me.
Did you follow these steps that Victor provide here: You have to make sure that when you run |
behzad-mir
force-pushed
the
remoteNode-SNAT
branch
from
d85d845 to
5f46ecc
Compare
@pchaigno I also updated the commit message with more context about the issue. Let me know if you needed to have a repro with current code. |
|
/test |
@joestringer is it possible to merge the PR with outstanding request for change from @ti-mo? I think @rgo3 is reviewing in his stead. |
|
/test |
|
@joestringer @pchaigno I addressed all of the comments and waiting for your review. |
|
/test |
1 similar comment
|
/test |
|
/test |
2 similar comments
|
/test |
|
/test |
|
Sorry to be a party pooper here... but this flag does not differentiate traffic for node InternalIP and ExternalIP. Both of these IPs will receive identity Wouldn't it be way nicer and "easier" (in the end) to somehow allow end user to define which identities should be assigned to I tried to figure out where in the code node addresses are "assigned" identities, but did not fully grasp how and where this was done. |
…led. Currently, Cilium ebpf based masquerading does not perform SNAT on packets destined for a remote node, even if the node CIDR is not listed in the non-masquerade list. This behavior differs from the upstream ip-masq-agent. With this change if the new confimap field "enable-remote-node-snat" is set to "true" then packets destined to remote nodes will be SNATed in bpf routing mode. The proposed change has been verified in a cilium bpf routing cluster with enable-remote-node-snat = "true". ICMP packet from a pod to a remote node initied. The TCP-dump from remote node indicates that the source IPs for incoming packet SNATed to the ip of source node. Signed-off-by: Behzad Mirkhanzadeh <[email protected]>
|
/test |
@kevinvalk that's correct. I believe the intention of PR is to make the behavior consistent with upstream ip-masq-agent. This PR will snat remote internal node ips if ip masq agent config excludes node cidr from non-masquerade list and new flag |
|
/ci-clustermesh |
|
/ci-ginkgo |
|
@kevinvalk I wonder if this is a use case you could capture into the masquerade discussion thread in #36335 ? I do feel overall that we need a more cohesive configuration for all of the masquerade settings, and I think it would help for us to collect together the use cases in one place so that if someone were to try to come up with a cohesive idea about how all the cases could be configured through a single configuration interface then they would have one place to consult. As far as I understand the common parameters with some of this recent increase in interest is (a) running without tunneling and (b) on networks with nodes across multiple subnets. I'm not entirely sure that more NAT is going to get us into a better space here, because for instance enabling this new flag could cause surprising policy behavior where traffic from Pods towards remote nodes could be misclassified. That said, the main reason I haven't pushed back against this more is that there is an argument for consistency with how upstream ip-masq-agent works. The configuration is arguably pretty clear, even if that causes other features to work poorly. While it'd be ideal to make this work for all the use cases, I don't think it's fair to block this PR which is useful for some people based on the goal of supporting another use case. From that perspective I agree with @tamilmani1989 that we could consider solving this problem on top. |
|
Acknowledging the CI is all green now. The test stability in the main tree has not been as green as I'd like, but getting it green again is a step by step process. Thanks for helping by filing and interacting on issues that you've found. I had been holding back on review of this for a few reasons - one, deferring to @cilium/sig-datapath to better balance the maintenance workload; two, because CI hadn't passed and unless a PR is consistently passing CI it's hard for a third party to understand whether the failures are introduced by the PR or not, and three because I was under the impression some of the feedback had not yet been addressed. Unfortunately given how long it's dragged out, and due to summer vacations the reviewers have rotated a bit. However I think this has received plenty of scrutiny from the primary owners - @cilium/sig-datapath and @cilium/loader . On the last part I think what happened is that some feedback was provided on a couple of the documentation blurbs but not all of them, and you had applied the feedback on the ones which received comments. |
|
Thanks @joestringer for approval and merge! |
12 participants
description and a
Fixes: #XXXline if the commit addresses a particularGitHub issue.
Fixes: <commit-id>tag, thenplease add the commit author[s] as reviewer[s] to this issue.
Following the issues discussed in 35823 and 17177 we are adding a new config field "enable-remote-node-snat" to enable SNAT for remote node in BPF routing mode.
Currently, Cilium ebpf based masquerading does not perform SNAT on packets destined for a remote node, even if the node CIDR is not listed in the non-masquerade list. This behavior differs from the upstream ip-masq-agent. This behavior prevents pods-remote nodes communication in a BPF-masquerade enabled cluster when pod and node network are in different subnets.
With this change if the new confimap field "enable-remote-node-snat" is set to "true"
then packets destined to remote nodes will be SNATed in bpf routing mode.
Changes are reflected in bpf/lib/nat.h :
Before:
After:
In order to verify and test the expected behavior, we followed the repro in 35823 in a cilium bpf routing cluster with the addition of enable-remote-node-snat = "true" in the configmap. ICMP packet from a pod to a remote node initiated.
The TCP-dump from remote node indicates that the source IPs for incoming packet SNATed to the ip of source node.
Fixes: #35823