cilium: Allow to configure tunnel source port range #37777
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
6f18359 to
7564968
Compare
7e7af0f to
4f51a54
Compare
56dc736 to
e30755b
Compare
Today, Azure's networking stack supports 1M total flows (500k inbound and
500k outbound) for a VM, see details in the link below.
Users with Cilium tunneling can get limited in terms of E/W traffic for
larger clusters since vxlan/geneve is using the inner hash for deriving
a source port in order to RSS-spread the flows on the remote node CPUs.
This, however, also means that inbound and outbound number of different
flows Azure is tracking can become very large since Azure is looking at
the outer 5-tuple. The skb->hash is not symmetric, so for a given flow
that is tunnled through vxlan, Azure if tracking 2 flows.
Anyway, add the ability to specify the source port range for the vxlan
tunnel device. In the kernel this clamps the port:
src_port = udp_flow_src_port(dev_net(dev), skb, vxlan->cfg.port_min,
vxlan->cfg.port_max, true);
For geneve, this is currently no possible, but I'll do a separate kernel
fix to add support for it to that users for geneve don't suffer the same.
Before:
[...]
61: cilium_vxlan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default
link/ether ca:5b:36:9f:11:4f brd ff:ff:ff:ff:ff:ff promiscuity 0 allmulti 0 minmtu 68 maxmtu 65535
vxlan external id 0 srcport 0 0 dstport 8472 nolearning ttl auto ageing 300 udpcsum noudp6zerocsumtx noudp6zerocsumrx addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 tso_max_size 65536 tso_max_segs 65535 gro_max_size 65536
[...]
After (if no prior vxlan device was present):
# ./daemon/cilium-agent --enable-ipv4=true --enable-ipv6=false \
--datapath-mode=veth --bpf-lb-mode=snat --devices=enp5s0 \
--k8s-kubeconfig-path=$HOME/.kube/config \
--tunnel-source-port-range=1000-2000
[...]
61: cilium_vxlan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default
link/ether ca:5b:36:9f:11:4f brd ff:ff:ff:ff:ff:ff promiscuity 0 allmulti 0 minmtu 68 maxmtu 65535
vxlan external id 0 srcport 1000 2000 dstport 8472 nolearning ttl auto ageing 300 udpcsum noudp6zerocsumtx noudp6zerocsumrx addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 tso_max_size 65536 tso_max_segs 65535 gro_max_size 65536
[...]
If a cilium_vxlan device was already present, it is not deleted and
reconfigured given this creates disruptions of ongoing connections.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-machine-network-throughput#flow-limits-and-active-connections-recommendations
|
/test |
gentoo-root
approved these changes
Feb 21, 2025
407dde3 to
caddcb4
Compare
ldelossa
approved these changes
Feb 21, 2025
dylandreimerink
approved these changes
Feb 21, 2025
thorn3r
approved these changes
Feb 21, 2025
|
/test |
nebril
approved these changes
Feb 21, 2025
Small test to validate the low/high source port on the vxlan device and another test on an existing device to ensure the low/high source port range does not change at runtime (only upon first creation). Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
The MTU change test never removed the vxlan/geneve device, potentially causing subsequent tests to fail given the device already exists. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Add the ability for users to configure tunnel-source-port-range via Helm. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
|
/test |
|
fyi, the selftest still needs to wait for vishvananda/netlink#1062 |
17 tasks
|
Added #37924 to cover the XDP aspect. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
(see commit desc)