Support KPR with IPv6 underlay by pchaigno · Pull Request #39074 · cilium/cilium

pchaigno · 2025-04-22T08:37:40Z

This pull request adds support for KPR when running with an IPv6 underlay. The first commit introduces an IPv6 version of the encapsulation function. The second commit performs some refactoring to ease readability of subsequent commits. The third commit removes a function argument that became unnecessary thanks to the previous commit. The fourth commit adds the support in the datapath. Fifth and last commit enable this in the agent and cover it in the CI.

Add support for kube-proxy replacement with IPv6 underlay

julianwiedmann

two minor comments, except that looks good! Adding the XDP support will be fun ...

bpf/lib/nodeport.h

When using GENEVE tunneling, we can include options in the tunnel header. That is used by the NodePort logic in some cases. This commit adds support for doing this over an IPv6 underlay, by extending ctx_set_encap_info6 and introducing __encap_with_nodeid_opt6 to match their IPv4 counterparts. There are no functional changes in this commit because __encap_with_nodeid_opt6 isn't used yet. Signed-off-by: Paul Chaignon <[email protected]>

Encap functions nodeport_add_tunnel_encap{,_opt} currently take the IPv4 tunnel endpoint address as anargument. These functions will need to also support IPv6 addresses so let's first pass, as an argument, a pointer to the whole ipcache value (i.e., struct remote_endpoint_info) instead of the tunnel endpoint. It will be easier in subsequent commits to retrieve either the IPv4 or IPv6 tunnel endpoint from the ipcache value. There are no functional changes in this commit. Signed-off-by: Paul Chaignon <[email protected]>

Since the previous commit passes the whole ipcache value into nodeport_add_tunnel_encap{,opt}, we don't need the dst_sec_identity argument anymore. We can retrieve its value from the ipcache value. This commit therefore removes the dst_sec_identity argument from the nodeport_add_tunnel_encap{,opt} functions. Signed-off-by: Paul Chaignon <[email protected]>

In tunneling mode with BPF NodePort, when DNATed packets are forwarded to a remote backend, they need to be encapsulated. This commit implements support for an IPv6 underlay in that case. Signed-off-by: Paul Chaignon <[email protected]>

Signed-off-by: Paul Chaignon <[email protected]>

Previous commits added support for IPv6 underlays with BPF NodePort so we can now allow users to enable those options together. This commit also switches the IPv6 underlay test case in end-to-end tests to use KPR and egress gateway. Signed-off-by: Paul Chaignon <[email protected]>

pchaigno · 2025-04-28T10:06:23Z

/test

julianwiedmann

looks good, thank you!

Currently, the nodeport_nat_egress_ipv4_hook in the tail_nodeport_nat_egress_ipv4 is broken in non-tunnel mode because info variable is not declared. Revert the changes made in the 3c4693f to make it work again. Fixes: cilium#39074 Signed-off-by: Yutaro Hayakawa <[email protected]>

Currently, the nodeport_nat_egress_ipv4_hook in the tail_nodeport_nat_egress_ipv4 is broken in non-tunnel mode because info variable is not declared. Revert the changes made in the 3c4693f to make it work again. Fixes: #39074 Signed-off-by: Yutaro Hayakawa <[email protected]>

Currently, the nodeport_nat_egress_ipv4_hook in the tail_nodeport_nat_egress_ipv4 is broken in non-tunnel mode because info variable is not declared. Revert the changes made in the 3c4693f to make it work again. Fixes: cilium#39074 Signed-off-by: Yutaro Hayakawa <[email protected]>

Now that the long standing tunneling + IPv6-only limitation has been lifted [1,2,3], let's enable this previously commented-out matrix entry of the conformance-clustermesh workflow. [1]: #38523 [2]: #38296 [3]: #39074 Signed-off-by: Marco Iorio <[email protected]>

Now that the long standing tunneling + IPv6-only limitation has been lifted [1,2,3], let's enable this previously commented-out matrix entry of the conformance-clustermesh workflow. [1]: cilium#38523 [2]: cilium#38296 [3]: cilium#39074 Signed-off-by: Marco Iorio <[email protected]>

pchaigno marked this pull request as ready for review April 22, 2025 10:37

pchaigno requested review from a team as code owners April 22, 2025 10:37

pchaigno requested review from aspsk, viktor-kurchenko and ysksuzuki April 22, 2025 10:37

julianwiedmann added the area/loadbalancing Impacts load-balancing and Kubernetes service implementations label Apr 22, 2025

julianwiedmann self-requested a review April 22, 2025 11:25

pchaigno enabled auto-merge April 22, 2025 13:34

julianwiedmann reviewed Apr 23, 2025

View reviewed changes

bpf/lib/nodeport.h Show resolved Hide resolved

bpf/lib/nodeport.h Outdated Show resolved Hide resolved

pchaigno force-pushed the pr/pchaigno/ipv6-underlay-kpr branch from 12ef4ab to cb972d1 Compare April 28, 2025 08:13

pchaigno removed request for aspsk and ysksuzuki April 28, 2025 08:54

pchaigno force-pushed the pr/pchaigno/ipv6-underlay-kpr branch from cb972d1 to c73cbe4 Compare April 28, 2025 09:06

pchaigno added 6 commits April 28, 2025 11:30

bpf/nodeport: Support IPv6 underlay for tunneling

ae0e2b2

In tunneling mode with BPF NodePort, when DNATed packets are forwarded to a remote backend, they need to be encapsulated. This commit implements support for an IPv6 underlay in that case. Signed-off-by: Paul Chaignon <[email protected]>

workflows/e2e: Cover IPv6-only + VXLAN

19b4630

Signed-off-by: Paul Chaignon <[email protected]>

pchaigno force-pushed the pr/pchaigno/ipv6-underlay-kpr branch from c73cbe4 to c803a4a Compare April 28, 2025 10:01

pchaigno requested a review from julianwiedmann April 28, 2025 10:05

julianwiedmann approved these changes Apr 28, 2025

View reviewed changes

viktor-kurchenko approved these changes Apr 29, 2025

View reviewed changes

pchaigno added this pull request to the merge queue Apr 29, 2025

maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Apr 29, 2025

Merged via the queue into main with commit a3a17cb Apr 29, 2025
309 of 322 checks passed

pchaigno deleted the pr/pchaigno/ipv6-underlay-kpr branch April 29, 2025 06:46

This was referenced May 8, 2025

bpf,nodeport: Fix broken nodeport nat egress hook #39417

Closed

bpf,nodeport: Fix broken nodeport_nat_egress_ipv4_hook #39418

Merged

pchaigno mentioned this pull request May 16, 2025

Support tunneling over IPv6 #17240

Closed

giorio94 mentioned this pull request Jun 18, 2025

gha: enable ipv6-only tunneling matrix entry in conformance-clustermesh #40106

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Support KPR with IPv6 underlay#39074

Support KPR with IPv6 underlay#39074
pchaigno merged 6 commits intomainfrom
pr/pchaigno/ipv6-underlay-kpr

pchaigno commented Apr 22, 2025 •

edited by joestringer

Loading

Uh oh!

julianwiedmann left a comment

Uh oh!

Uh oh!

Uh oh!

pchaigno commented Apr 28, 2025

Uh oh!

julianwiedmann left a comment

Uh oh!

Uh oh!

Conversation

pchaigno commented Apr 22, 2025 • edited by joestringer Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

julianwiedmann left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

pchaigno commented Apr 28, 2025

Uh oh!

julianwiedmann left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

pchaigno commented Apr 22, 2025 •

edited by joestringer

Loading