https://github.com/cilium/cilium
Revision e9e9b81a96949d61d431a4046c09b2847f2f3d85 authored by Kornilios Kourtis on 01 October 2021, 16:17:23 UTC, committed by Ilya Dmitrichenko on 13 October 2021, 13:45:50 UTC
[ upstream commit 14331816e9b748cdd6ca8d5ab247e9e357eea64f ]

When a client uses an egress gateway node, it forwards traffic via a
vxlan tunnel to the egress gateway node. If the datapath is configured in
non-tunnel mode (direct routing), replies from the gateway to the client
do not go via the tunnel. This causes these replies to be dropped
by iptables because none of Cilium's FORWARD rules match them.

This patch identifies the above packets (i.e., from egress gw to client),
and steers them via the vxlan tunnel after rev-SNAT is performed even
when the datapath is configured in non-tunnel mode.

A suggestion by Paul and Martynas (@brb) was to use the following
condition to identify said packets:
> if rev-SNATed IP ∈ native CIDR && rev-SNATed IP !∈ node pod CIDR => send to tunnel

This patch, instead, checks the egress gateway policy map. This seems
like a safer approach, because all packets that match the contents of the
above map in the forward direction will be forwarded to the gw node.

Fixes: #17386

Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>
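To illustrate the reverse-path check the commit describes, here is an added Python model of the decision (not Cilium's datapath code). The policy map layout (keyed by client pod IP and destination CIDR, valued by gateway IP), the addresses and the function names are assumptions constructed for this example.

```python
import ipaddress

# Constructed egress gateway policy map (assumed layout, not Cilium's BPF map
# format): (client pod IP, destination CIDR) -> gateway node IP.
EGRESS_POLICY_MAP = {
    ("10.0.1.20", "203.0.113.0/24"): "192.0.2.10",
}
THIS_NODE_IP = "192.0.2.10"      # this node is the egress gateway
NODE_POD_CIDR = "10.0.2.0/24"    # pod CIDR local to the gateway node
TUNNEL_MODE = False              # datapath in direct-routing (non-tunnel) mode


def egress_policy_lookup(src: str, dst: str):
    """Forward-direction lookup: return the gateway IP if (client src, dst)
    matches an egress policy entry, else None."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for (client, dst_cidr), gw in EGRESS_POLICY_MAP.items():
        if src_ip == ipaddress.ip_address(client) and dst_ip in ipaddress.ip_network(dst_cidr):
            return gw
    return None


def route_reply_after_rev_snat(src: str, dst: str) -> str:
    """Decide how a reply leaves the gateway once rev-SNAT has restored the
    client pod IP as destination. Returns 'local', 'tunnel' or 'native'."""
    if ipaddress.ip_address(dst) in ipaddress.ip_network(NODE_POD_CIDR):
        return "local"            # client pod lives on this node (assumed case)
    if TUNNEL_MODE:
        return "tunnel"           # tunnel mode already sends replies via vxlan
    # Non-tunnel mode: the fix steers the reply into the tunnel only when the
    # reverse flow (dst as client, src as external peer) matches an egress
    # policy in the forward direction and this node is the selected gateway.
    if egress_policy_lookup(dst, src) == THIS_NODE_IP:
        return "tunnel"
    return "native"               # unrelated traffic keeps direct routing
```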
1 parent abba902
datapath: egress gw: fix non-tunnel mode