Revision 7ba0e83acc458e8e3c20cc70e31542c0f22f093f authored by John Fastabend on 17 September 2020, 00:39:02 UTC, committed by christarazi on 29 September 2020, 23:45:25 UTC
Currently, enabling IPsec and a feature that uses a from-netdev program
type may conflict when both attempt to load on the network facing device.
If this happens then init.sh will load the ipsec program from-network
and then after that the golang bpf loader will replace it with the
from-netdev program. Which could be OK if the from-netdev program handled
IPsec decryption correctly. Unfortunately, it doesn't and what we get
is dropped ESP (IPsec encryption protocol) packets and broken connections.

To fix, teach from-netdev how to handle ingress IPsec decryption. And while
doing this, clean up the encryption code blocks so encryption/decryption
logic is split into from_host and from_network parts. This way the encrypt
piece is used in from_host and decrypt is used in the from_network case.

Signed-off-by: John Fastabend <john.fastabend@gmail.com>
1 parent 9ed106a
File Mode Size
identity
metrics
option
watchers
.gitignore -rw-r--r-- 82 bytes
Makefile -rw-r--r-- 853 bytes
allocator_providers.go -rw-r--r-- 743 bytes
api.go -rw-r--r-- 4.4 KB
ccnp_event.go -rw-r--r-- 5.0 KB
cilium_node.go -rw-r--r-- 4.1 KB
cmdref.go -rw-r--r-- 1.5 KB
cnp_event.go -rw-r--r-- 5.1 KB
flags.go -rw-r--r-- 12.5 KB
identity_gc.go -rw-r--r-- 1.8 KB
k8s_cep_gc.go -rw-r--r-- 5.2 KB
k8s_identity.go -rw-r--r-- 5.6 KB
k8s_node.go -rw-r--r-- 10.7 KB
k8s_pod_controller.go -rw-r--r-- 3.4 KB
k8s_service_sync.go -rw-r--r-- 9.6 KB
kvstore_watchdog.go -rw-r--r-- 3.1 KB
kvstore_watchdog_test.go -rw-r--r-- 3.5 KB
main.go -rw-r--r-- 15.4 KB
provider_aws_flags.go -rw-r--r-- 2.2 KB
provider_aws_register.go -rw-r--r-- 1.0 KB
provider_azure_flags.go -rw-r--r-- 1.6 KB
provider_azure_register.go -rw-r--r-- 985 bytes
provider_operator_register.go -rw-r--r-- 1001 bytes