[v1.16] bpf: wireguard: avoid ipcache lookup for source's security identity #38683
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
/test |
[ upstream commit 979f335 ] Pull the goto statement up to clean up an extra level of indirection. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
[ upstream commit 98f25f3 ] This commit refactors into a separate function `ctx_mark_is_wireguard` the check whether the packet mark contains the`MARK_MAGIC_WG_ENCRYPTED` or not. Signed-off-by: Simone Magnani <simone.magnani@isovalent.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
[ upstream commit ca18209 ] This commit adds a check to skip SNAT in case of WireGuard traffic. For certain configs, such as when the node-to-node IPv4 address is equal to IPV4_MASQUERADE or IPV4_DIRECT_ROUTING, our engine detects that it potentially conflicts with, for instance, masqueraded traffic. Creating SNAT entries for WireGuard makes little sense, especially considering that replies will be addressed by the WG_PORT. Avoiding such SNAT tracking slightly reduces the pressure on the CT and NAT maps. Here there's and example of the content of the `nat` map before applying this patch (note the two WireGuard-related entries): ```bash UDP OUT 172.18.0.4:51871 -> 172.18.0.3:51871 XLATE_SRC 172.18.0.4:51871 Created=13606sec ago NeedsCT=1 UDP IN 172.18.0.3:51871 -> 172.18.0.4:51871 XLATE_DST 172.18.0.4:51871 Created=13606sec ago NeedsCT=1 ``` Part of: cilium#34089 Signed-off-by: Simone Magnani <simone.magnani@isovalent.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
[ upstream commit a321ba4 ] This improves the information in the trace notifications, and allows us to skip the EgressGW policy handling. It also matches the expected security identity when performing an ipcache lookup for the source IP. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
[ upstream commit 19c6d09 ] This might help to improve the to-netdev program in a future release, once we can trust that bpf_overlay has been re-generated. While at it also document that MARK_MAGIC_OVERLAY carries the identity. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
[ upstream commit e8543ee ] When the wireguard hook in to-netdev decides whether the packet should be encrypted, it considers the source's security identity. For this it currently looks up the source IP in the ipcache. But for a typical packet that exited a local pod, the from-container program also provides the source identity through the skb->mark. And the to-netdev program already extracts this identity - so we just need to pass this through to the wireguard hook. This in particular helps for packets where the source endpoint has already been torn down by the time that the packet reaches the to-netdev program at a native network interface. Currently the source identity for such a packet is selected as WORLD_ID, and the packet therefore skips encryption. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
711a237 to
37c870c
Compare
|
/test |
|
switching to a branch in the repo: #38747 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport of
Once this PR is merged, a GitHub action will update the labels of these PRs: