Cilium: BPF-masq unexpectedly SNATs replies to outside

Created on 15 Jul 2020 · 4 Comments · Source: cilium/cilium


The test which caught the bug is doing the following:

  1. Add a route from outside to podCIDR via the node.
  2. Send a request to a podIP from outside.
  3. The reply (SYN-ACK) gets masqueraded by BPF-masq.
  4. The client @ outside drops the reply.

The problem is that the BPF-masq doesn't check whether a packet (podIP -> outside) is a reply, and does SNAT regardless. One possible fix is to consult CT to see whether a packet is a reply.

@brb Any idea on why this only occurs on net-next kernels?

@christarazi This is because we don't enable the BPF-masq feature on other CI builds (except for 4.19) due to the kernel version constraint.

Had another thought that fixing this by adding the CT lookup would introduce a perf penalty for each packet from a local endpoint to outside. To make the test work with BPF-based MASQ, we could add the outside IP addr to the ip-masq-agent.
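A small model of the two behaviours discussed in this thread (the reported bug, the CT-lookup fix, and the ip-masq-agent workaround), added here as illustration; it is not Cilium's datapath code. All addresses, the `Conntrack` class and the `non_masq` argument (standing in for ip-masq-agent's non-masquerade CIDRs) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

NODE_IP = "203.0.113.1"                           # constructed: node external IP
POD_CIDR = ipaddress.ip_network("10.0.1.0/24")    # constructed: local podCIDR

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str

class Conntrack:
    """Toy CT table keyed by the 5-tuple of the original (first) direction."""
    def __init__(self):
        self.entries = set()
    def create(self, p):          # ingress from outside creates the entry
        self.entries.add((p.src, p.sport, p.dst, p.dport))
    def is_reply(self, p):        # reversed tuple present => this is a reply
        return (p.dst, p.dport, p.src, p.sport) in self.entries

def is_local_pod(ip):
    return ipaddress.ip_address(ip) in POD_CIDR

def masq_buggy(p, ct, non_masq=()):
    """Behaviour from the report: SNAT every pod->outside packet, reply or not.
    non_masq models the ip-masq-agent workaround: skip SNAT for those CIDRs."""
    dst = ipaddress.ip_address(p.dst)
    if is_local_pod(p.src) and not is_local_pod(p.dst) \
            and not any(dst in n for n in non_masq):
        return Pkt(NODE_IP, p.sport, p.dst, p.dport, p.flags)
    return p

def masq_fixed(p, ct, non_masq=()):
    """Proposed fix: consult CT first; replies are never SNATed.
    Note this costs one CT lookup per egress packet, the perf concern above."""
    if ct.is_reply(p):
        return p
    return masq_buggy(p, ct, non_masq)

def replay_test(masq, non_masq=()):
    """Replay the CI scenario: outside client SYN -> pod, pod SYN-ACK -> outside.
    Returns (source IP seen by the client, True if the reply was left intact)."""
    ct = Conntrack()
    syn = Pkt("192.0.2.10", 40000, "10.0.1.5", 80, "SYN")   # constructed client
    ct.create(syn)
    synack = Pkt("10.0.1.5", 80, "192.0.2.10", 40000, "SYN-ACK")
    out = masq(synack, ct, non_masq)
    return out.src, out.src == synack.src
```

Pod-initiated egress (no matching CT entry) is still masqueraded by `masq_fixed`, so only the reply path changes.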
