
bpf: service loopback for ipv6#39594

Merged
pchaigno merged 4 commits into cilium:main from saiaunghlyanhtet:pr/ipv6-service-loopback
Sep 4, 2025

Conversation

@saiaunghlyanhtet
Member

@saiaunghlyanhtet saiaunghlyanhtet commented May 17, 2025

Service Loopback IPv6

Fixes: #26733

IPv6 support for pods connecting to themselves via a k8s service ("service loopback").

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label May 17, 2025
@saiaunghlyanhtet saiaunghlyanhtet force-pushed the pr/ipv6-service-loopback branch 2 times, most recently from c6b7c0b to 1052f70 May 17, 2025 14:18
@saiaunghlyanhtet saiaunghlyanhtet force-pushed the pr/ipv6-service-loopback branch 7 times, most recently from b91865f to 62fa8cf May 27, 2025 14:22
@julianwiedmann julianwiedmann added release-note/minor This PR changes functionality that users may find relevant to operating Cilium. feature/ipv6 Relates to IPv6 protocol support area/loadbalancing Impacts load-balancing and Kubernetes service implementations labels May 28, 2025
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label May 28, 2025
@julianwiedmann julianwiedmann added area/loader Impacts the loading of BPF programs into the kernel. area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. labels May 28, 2025
@saiaunghlyanhtet saiaunghlyanhtet force-pushed the pr/ipv6-service-loopback branch 5 times, most recently from b16a408 to f056282 June 1, 2025 09:10
@saiaunghlyanhtet saiaunghlyanhtet force-pushed the pr/ipv6-service-loopback branch 2 times, most recently from 31b0c2e to cb050e5 June 8, 2025 01:24
@saiaunghlyanhtet
Member Author

@jrife I have changed to service_loopback_ipv6. If you have free time, can you have a look at it? Currently, I am stuck at the condition in which the source IP is not translated back to the service cluster IP. I think that the reverse NAT for the reply path is not being applied correctly. But, I have no idea which is going wrong.

The logs show multiple SYN packets from [fd00:10:244:1::dc8e]:53060 to [fd00:10:96::cd54]:80, indicating that the client is retransmitting SYN packets, likely because it is not receiving properly formatted replies.

$ k exec -ti -n kube-system cilium-qz7tt -- cilium-dbg monitor --related-to 542

Listening for events on 8 CPUs with 64x4096 of shared memory
Press Ctrl-C to quit
time=2025-06-08T07:43:34.15455902Z level=info msg="Initializing dissection cache..."
<- endpoint 542 flow 0x70e2ab0d , identity 20084->unknown state unknown ifindex 0 orig-ip 0.0.0.0: [fd00:10:244:1::dc8e]:53060 -> [fd00:10:96::cd54]:80 tcp SYN
-> endpoint 542 flow 0x70e2ab0d , identity 20084->20084 state new ifindex lxc14f4f090a3e0 orig-ip fd00::1: [fd00::1]:53060 -> [fd00:10:244:1::dc8e]:80 tcp SYN
<- endpoint 542 flow 0xcfd94455 , identity 20084->unknown state unknown ifindex 0 orig-ip 0.0.0.0: [fd00:10:244:1::dc8e]:80 -> [fd00::1]:53060 tcp SYN, ACK
-> endpoint 542 flow 0xcfd94455 , identity 20084->20084 state reply ifindex lxc14f4f090a3e0 orig-ip fd00:10:244:1::dc8e: [fd00:10:244:1::dc8e]:80 -> [fd00::1]:53060 tcp SYN, ACK
<- endpoint 542 flow 0xc34aebbb , identity 20084->unknown state unknown ifindex 0 orig-ip 0.0.0.0: [fd00:10:244:1::dc8e]:53060 -> [fd00:10:96::cd54]:80 tcp SYN
-> endpoint 542 flow 0xc34aebbb , identity 20084->20084 state established ifindex lxc14f4f090a3e0 orig-ip fd00::1: [fd00::1]:53060 -> [fd00:10:244:1::dc8e]:80 tcp SYN
<- endpoint 542 flow 0x8c902078 , identity 20084->unknown state unknown ifindex 0 orig-ip 0.0.0.0: [fd00:10:244:1::dc8e]:80 -> [fd00::1]:53060 tcp SYN, ACK
-> endpoint 542 flow 0x8c902078 , identity 20084->20084 state reply ifindex lxc14f4f090a3e0 orig-ip fd00:10:244:1::dc8e: [fd00:10:244:1::dc8e]:80 -> [fd00::1]:53060 tcp SYN, ACK
<- endpoint 542 flow 0x15fde42f , identity 20084->unknown state unknown ifindex 0 orig-ip 0.0.0.0: [fd00:10:244:1::dc8e]:80 -> [fd00::1]:53060 tcp SYN, ACK
-> endpoint 542 flow 0x15fde42f , identity 20084->20084 state reply ifindex lxc14f4f090a3e0 orig-ip fd00:10:244:1::dc8e: [fd00:10:244:1::dc8e]:80 -> [fd00::1]:53060 tcp SYN, ACK
<- endpoint 542 flow 0xfb86fd56 , identity 20084->unknown state unknown ifindex 0 orig-ip 0.0.0.0: [fd00:10:244:1::dc8e]:53060 -> [fd00:10:96::cd54]:80 tcp SYN
-> endpoint 542 flow 0xfb86fd56 , identity 20084->20084 state established ifindex lxc14f4f090a3e0 orig-ip fd00::1: [fd00::1]:53060 -> [fd00:10:244:1::dc8e]:80 tcp SYN
<- endpoint 542 flow 0xf6a6963b , identity 20084->unknown state unknown ifindex 0 orig-ip 0.0.0.0: [fd00:10:244:1::dc8e]:80 -> [fd00::1]:53060 tcp SYN, ACK
-> endpoint 542 flow 0xf6a6963b , identity 20084->20084 state reply ifindex lxc14f4f090a3e0 orig-ip fd00:10:244:1::dc8e: [fd00:10:244:1::dc8e]:80 -> [fd00::1]:53060 tcp SYN, ACK
<- endpoint 542 flow 0x3f4fed5 , identity 20084->unknown state unknown ifindex 0 orig-ip 0.0.0.0: [fd00:10:244:1::dc8e]:53060 -> [fd00:10:96::cd54]:80 tcp SYN
-> endpoint 542 flow 0x3f4fed5 , identity 20084->20084 state established ifindex lxc14f4f090a3e0 orig-ip fd00::1: [fd00::1]:53060 -> [fd00:10:244:1::dc8e]:80 tcp SYN
<- endpoint 542 flow 0xce35e2bf , identity 20084->unknown state unknown ifindex 0 orig-ip 0.0.0.0: [fd00:10:244:1::dc8e]:80 -> [fd00::1]:53060 tcp SYN, ACK
-> endpoint 542 flow 0xce35e2bf , identity 20084->20084 state reply ifindex lxc14f4f090a3e0 orig-ip fd00:10:244:1::dc8e: [fd00:10:244:1::dc8e]:80 -> [fd00::1]:53060 tcp SYN, ACK
<- endpoint 542 flow 0x72c6a27e , identity 20084->unknown state unknown ifindex 0 orig-ip 0.0.0.0: [fd00:10:244:1::dc8e]:80 -> [fd00::1]:53060 tcp SYN, ACK
-> endpoint 542 flow 0x72c6a27e , identity 20084->20084 state reply ifindex lxc14f4f090a3e0 orig-ip fd00:10:244:1::dc8e: [fd00:10:244:1::dc8e]:80 -> [fd00::1]:53060 tcp SYN, ACK
<- endpoint 542 flow 0x0 , identity 20084->unknown state unknown ifindex 0 orig-ip 0.0.0.0: fe80::8034:dfff:fe01:1dbf -> fd00:10:244:1::6ec8 icmp NeighborSolicitation

@saiaunghlyanhtet saiaunghlyanhtet requested a review from jrife June 8, 2025 08:13
@jrife
Contributor

jrife commented Jun 9, 2025

Currently, I am stuck at the condition in which source ip is not translated back to the service cluster IP. I think that the reverse NAT for the reply path is not being applied correctly. But, I have no idea which is going wrong.

Off the top of my head, I'm not sure. I may have some time later this week to look at it in a bit more detail. In the meantime, I left a few comments. I'd recommend fixing whatever unit tests and checkpatch checks are failing and try testing again. The checkpatch stuff is likely similar to some of the formatting stuff I commented on.

@saiaunghlyanhtet saiaunghlyanhtet force-pushed the pr/ipv6-service-loopback branch from cb050e5 to 0850415 June 14, 2025 09:16
@saiaunghlyanhtet

This comment was marked as outdated.

@julianwiedmann julianwiedmann self-requested a review September 3, 2025 12:44
@saiaunghlyanhtet saiaunghlyanhtet requested a review from a team as a code owner September 3, 2025 13:37
@saiaunghlyanhtet

This comment was marked as outdated.

@saiaunghlyanhtet

This comment was marked as outdated.

Contributor

@ti-mo ti-mo left a comment


Thanks!

Member

@gandro gandro left a comment


Thanks for the PR. Unfortunately I think there are some minor changes needed

- add DebugEventType DBG_LB6_LOOPBACK_SNAT, DBG_LB6_LOOPBACK_SNAT_REV
- regenerate flow.pb.go

Signed-off-by: saiaunghlyanhtet <[email protected]>
Add agent-side support to enable IPv6 service loopback handling so that connections to a service’s own ClusterIP from a
backend pod loop back correctly.

Summary of changes:
- Extend service / LB logic to recognize and mark IPv6 loopback scenarios
- Introduce service_loopback_ipv6 runtime variable for IPv6 service loopback support

Signed-off-by: saiaunghlyanhtet <[email protected]>
Introduce datapath logic to support IPv6 service loopback so that packets originating from a pod targeting its own
service ClusterIP are correctly short-circuited and subject to the standard LB/rev-NAT path without external detours.
Adjust service lookup / backend selection and reverse NAT handling for IPv6 loopback.

Signed-off-by: saiaunghlyanhtet <[email protected]>
hairpin_flow_1_forward_v6: Test that sending a packet from a pod to its own IPv6 service gets source NAT-ed
with the service loopback IPv6 address and is correctly forwarded to the pod's veth interface.
Verifies SNAT behavior and connection tracking entries for IPv6 hairpin traffic.

hairpin_flow_2_forward_ingress_v6: Test the ingress path for IPv6 hairpin flows where a packet from
the service loopback address to a pod creates the appropriate connection tracking entry on the ingress side
with the loopback flag.

hairpin_flow_3_reverse_v6: Test that return traffic in an IPv6 hairpin flow (from pod back to
service loopback address) is correctly handled and forwarded without any address translation,
maintaining the original flow semantics.

hairpin_flow_4_reverse_ingress_v6: Test the reverse direction ingress path for IPv6 hairpin flows where
return traffic gets NAT-ed back to the original service IP address, completing the hairpin loop and
ensuring the client sees responses from the expected service address.

tc_drop_no_backend_v6: Test that IPv6 packets destined to a service with no available backends
are correctly dropped with TC_ACT_SHOT, ensuring proper error handling for unavailable IPv6 services.

Signed-off-by: saiaunghlyanhtet <[email protected]>
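Added illustration, not Cilium's own code, of the translation that the monitor trace earlier in the thread and the hairpin_flow_*_v6 test descriptions above walk through: the forward path DNATs the ClusterIP to the backend and, because the backend is the client pod itself, SNATs the source to the loopback address; the reverse path has to undo both, otherwise the client's socket never matches the SYN/ACK and keeps retransmitting the SYN, which is exactly what the trace shows. Addresses are taken from the trace; the conntrack layout, the backend table and all function names are this example's own assumptions, not Cilium's datapath structures.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address
# Constructed values, taken from the monitor trace in the thread.
POD = IPv6Address("fd00:10:244:1::dc8e")      # client pod, also the only backend
CLUSTER_IP = IPv6Address("fd00:10:96::cd54")   # service the pod connects to
LOOPBACK6 = IPv6Address("fd00::1")             # loopback SNAT address seen in the trace
BACKENDS = {(CLUSTER_IP, 80): (POD, 80)}       # service -> backend table (constructed)

@dataclass(frozen=True)
class Pkt:
    src: IPv6Address
    sport: int
    dst: IPv6Address
    dport: int

@dataclass(frozen=True)
class CtEntry:
    loopback: bool            # set when the client was SNAT-ed to LOOPBACK6
    orig_src: IPv6Address     # client address before SNAT
    rev_nat_src: IPv6Address  # ClusterIP to restore as the reply's source
    rev_nat_sport: int

def lb_forward(pkt: Pkt, ct: dict) -> Pkt:
    """Forward path: DNAT ClusterIP -> backend. When the backend is the client
    itself, SNAT the source to LOOPBACK6 so the reply is not short-circuited."""
    backend, bport = BACKENDS[(pkt.dst, pkt.dport)]
    hairpin = backend == pkt.src
    out = Pkt(LOOPBACK6 if hairpin else pkt.src, pkt.sport, backend, bport)
    ct[(out.src, out.sport, out.dst, out.dport)] = CtEntry(hairpin, pkt.src, pkt.dst, pkt.dport)
    return out

def lb_reverse(reply: Pkt, ct: dict) -> Pkt:
    """Reverse path: match the reply against the forward CT tuple and rev-NAT it
    so the client sees ClusterIP:port -> client:sport."""
    entry = ct.get((reply.dst, reply.dport, reply.src, reply.sport))
    if entry is None:   # the failure in the trace: reply delivered untranslated
        return reply
    dst = entry.orig_src if entry.loopback else reply.dst
    return Pkt(entry.rev_nat_src, entry.rev_nat_sport, dst, reply.dport)

def client_accepts(syn: Pkt, reply: Pkt) -> bool:
    """A TCP socket only matches a reply that mirrors its own 4-tuple exactly."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == (syn.dst, syn.dport, syn.src, syn.sport)

def hairpin_round_trip() -> tuple:
    """SYN out, SYN/ACK back; returns (translated SYN, raw reply, rev-NAT-ed reply)."""
    ct = {}
    syn = Pkt(POD, 53060, CLUSTER_IP, 80)
    fwd = lb_forward(syn, ct)                                # [fd00::1]:53060 -> [POD]:80
    raw = Pkt(fwd.dst, fwd.dport, fwd.src, fwd.sport)        # backend answers LOOPBACK6
    return fwd, raw, lb_reverse(raw, ct)
```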
Member

@gandro gandro left a comment


Thanks!

@pchaigno
Member

pchaigno commented Sep 4, 2025

/test

@julianwiedmann
Member

great stuff @saiaunghlyanhtet, glad to see this finally land! 🚀

I added a release-note stanza to the PR description, so that this shows up properly in the release notes for v1.19. Feel free to polish the wording as you see fit :).

@pchaigno
Member

pchaigno commented Sep 4, 2025

Congrats on getting this in @saiaunghlyanhtet! Your swift iterations on reviews made a big difference, especially for the details at the end 🙂 Don't hesitate to reach out if you need help on anything else!


Labels

area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. area/loadbalancing Impacts load-balancing and Kubernetes service implementations area/loader Impacts the loading of BPF programs into the kernel. feature/ipv6 Relates to IPv6 protocol support release-note/major This PR introduces major new functionality to Cilium.

Projects

No open projects
Status: Released

Development

Successfully merging this pull request may close these issues.

pod can't access itself via service (IPv6 loopback)