
iptables: no conntrack for overlay traffic#37990

Closed
julianwiedmann wants to merge 1 commit intocilium:mainfrom
julianwiedmann:1.18-overlay-conntrack

Conversation

@julianwiedmann
Member

VXLAN / GENEVE uses a uni-directional connection (src port is random, dst port is pre-defined), and conntrack'ing such traffic makes no sense.

Ignore both the inbound traffic (based on L4 proto and dport) and the outbound traffic (based on the mark that our to-overlay program sets).

Skip netfilter-based conntrack for Cilium's overlay traffic.
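The two matches the description outlines, written out as raw-table NOTRACK rules plus a helper that evaluates them (an added example, not code from this PR or from Cilium). The port numbers and the mark value are assumptions: UDP/8472 stands in for the VXLAN port, 6081 for GENEVE, and the mark/mask pair is a placeholder for whatever the to-overlay program actually sets.

```shell
#!/bin/sh
# Added example, not code from the cilium PR: the two raw-table NOTRACK
# matches the description outlines, plus a helper that evaluates them.
# Assumptions (placeholders, not taken from the PR): VXLAN on UDP/8472,
# GENEVE on UDP/6081, and a made-up mark/mask standing in for the mark
# that the to-overlay BPF program sets on outbound overlay packets.
OVERLAY_PROTO="udp"
OVERLAY_DPORT="${OVERLAY_DPORT:-8472}"   # set to 6081 for GENEVE
OVERLAY_MARK="${OVERLAY_MARK:-0x0b00}"   # placeholder mark value
OVERLAY_MASK="${OVERLAY_MASK:-0xffff}"   # placeholder mark mask

# Emit (but do not apply) the rules. -j NOTRACK in the raw table runs
# before conntrack, so no entry is ever created for matching packets.
overlay_notrack_rules() {
    # inbound overlay: matched on L4 proto + destination port only
    echo "iptables -t raw -A PREROUTING -p $OVERLAY_PROTO --dport $OVERLAY_DPORT" \
         "-m comment --comment 'cilium: NOTRACK for overlay traffic' -j NOTRACK"
    # outbound overlay: matched on the mark set by the to-overlay program
    echo "iptables -t raw -A OUTPUT -m mark --mark $OVERLAY_MARK/$OVERLAY_MASK" \
         "-m comment --comment 'cilium: NOTRACK for overlay traffic' -j NOTRACK"
}

# Would a packet bypass conntrack under those rules?
# Usage: overlay_skips_conntrack <in|out> <proto> <dport> <mark>
# Returns 0 (skipped), 1 (still tracked), 2 (bad direction).
overlay_skips_conntrack() {
    dir=$1 proto=$2 dport=$3 mark=$4
    case "$dir" in
        in)  [ "$proto" = "$OVERLAY_PROTO" ] && [ "$dport" -eq "$OVERLAY_DPORT" ] ;;
        out) [ $(( $mark & $OVERLAY_MASK )) -eq $(( $OVERLAY_MARK & $OVERLAY_MASK )) ] ;;
        *)   return 2 ;;
    esac
}
```

Note that the inbound match is on destination port only, so a reply-less UDP flow to that port from any source port is exempted, which is exactly why tracking it buys nothing.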

@julianwiedmann julianwiedmann added area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. release-note/minor This PR changes functionality that users may find relevant to operating Cilium. area/iptables Impacts how Cilium interacts with iptables. labels Mar 4, 2025
@julianwiedmann julianwiedmann force-pushed the 1.18-overlay-conntrack branch from 94ff7de to c0c8ca9 Compare March 5, 2025 07:08
@julianwiedmann
Member Author

/test

Comment on lines +1557 to +1562
if m.haveTunnel {
// TODO only install these when needed, uninstall otherwise
if err := m.addCiliumNoTrackOverlayRules(); err != nil {
return fmt.Errorf("cannot install overlay rules: %w", err)
}
}
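Review bot: the TODO on the second line of this region is the substantive gap: the NOTRACK rules are added whenever `m.haveTunnel` is true, but nothing in this region removes them when the tunnel is later disabled, so rules installed under a previous configuration stay in place. Pair `addCiliumNoTrackOverlayRules()` with a matching removal in the same rule-management path (or make installation idempotent by deleting any existing copies first) before the TODO is dropped; the wrapped `fmt.Errorf("cannot install overlay rules: %w", err)` return itself is fine.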
Member Author


@pippolo84 you might have more experience here - is cleaning up stale rules something we typically do? I don't see much evidence in iptables.go ...

@giorio94
Member

/scale-egw

@giorio94
Member

@julianwiedmann Could you please rebase this PR? The scale test is otherwise failing because it is still using an old Cilium CLI version which does not support the latest flags required for these tests.

VXLAN / GENEVE uses a uni-directional connection (src port is random, dst
port is pre-defined), and conntrack'ing such traffic makes no sense.

Ignore both the inbound traffic (based on L4 proto and dport) and the
outbound traffic (based on the mark that our to-overlay program sets).

Signed-off-by: Julian Wiedmann <[email protected]>
@julianwiedmann julianwiedmann force-pushed the 1.18-overlay-conntrack branch from c0c8ca9 to f5c9431 Compare March 17, 2025 13:05
@giorio94
Member

/scale-egw

@giorio94
Member

giorio94 commented Mar 17, 2025

Results of the scale tests don't seem to show a significant improvement in terms of UDP throughput compared to an average run 😢:

| Scenario    | Node       | Test             | Duration | Throughput Mb/s |
|-------------|------------|------------------|----------|-----------------|
| pod-to-host | other-node | TCP_STREAM       | 30s      | 4926.41         |
| pod-to-host | other-node | UDP_STREAM       | 30s      | 4906.60         |
| pod-to-host | other-node | TCP_STREAM_MULTI | 30s      | 24404.90        |
| pod-to-host | other-node | UDP_STREAM_MULTI | 30s      | 15356.54        |

@github-actions

This pull request has been automatically marked as stale because it
has not had recent activity. It will be closed if no further activity
occurs. Thank you for your contributions.

@github-actions github-actions bot added the stale The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale. label Apr 17, 2025
@github-actions

github-actions bot commented May 1, 2025

This pull request has not seen any activity since it was marked stale.
Closing.

@github-actions github-actions bot closed this May 1, 2025