Conversation

@jschwinger233
Member

@jschwinger233 jschwinger233 commented May 23, 2024

This PR fixes unencrypted traffic among nodes when IPsec is used with L7 egress proxy.

This PR supersedes #31955 that didn't take cilium/proxy#742 into consideration.

(The last three patches are temporarily added to run leak detection in CI, they'll be dropped after approval. Leak detection will be added separately soon.)

Fixes: #31984

Fixes unencrypted traffic among nodes when IPsec is used with L7 egress proxy.

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label May 23, 2024
@jschwinger233
Member Author

/ci-ipsec-upgrade

@jschwinger233
Member Author

Maybe even the first 2 patches are also not needed? Will try later.

@jschwinger233
Member Author

Rebase the latest main to include #32331, drop the f817fc1 to see if it's still needed.

No we still need that: https://github.com/cilium/cilium/actions/runs/9205906830/job/25322612955

I think this is because adding 0xb00 lookup 2005 still makes extra netfilter traversal, no matter what src IP proxy uses. f817fc1 is needed due to that additional netfilter traversal.

But I don't understand how #32331 passed ci-ipsec-e2e on kpr=true + bpf.masq=true. My understanding is, since proxy is always transparent, we always need netfilter to do masquerade for go-to-world traffic.

@jschwinger233 jschwinger233 force-pushed the pr/gray/main/egress-proxy-ipsec-fix3 branch 2 times, most recently from a0f49ac to aceca82 Compare May 24, 2024 02:55
@jschwinger233 jschwinger233 force-pushed the pr/gray/main/egress-proxy-ipsec-fix3 branch from aceca82 to c4d9fe5 Compare May 27, 2024 04:50
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. label May 28, 2024
@jschwinger233 jschwinger233 force-pushed the pr/gray/main/egress-proxy-ipsec-fix3 branch from 71facda to 7807510 Compare May 28, 2024 09:18
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. label May 28, 2024
@cilium cilium deleted a comment from maintainer-s-little-helper bot May 28, 2024
@jschwinger233 jschwinger233 force-pushed the pr/gray/main/egress-proxy-ipsec-fix3 branch 8 times, most recently from 3766731 to 6cb00de Compare May 29, 2024 07:44
@jschwinger233 jschwinger233 added area/proxy Impacts proxy components, including DNS, Kafka, Envoy and/or XDS servers. release-note/bug This PR fixes an issue in a previous release of Cilium. area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. feature/ipsec Relates to Cilium's IPsec feature labels May 30, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot removed dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels May 30, 2024
@jschwinger233 jschwinger233 added area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. needs-backport/1.13 labels May 30, 2024
julianwiedmann added a commit to julianwiedmann/cilium that referenced this pull request Jun 5, 2024
github-merge-queue bot pushed a commit that referenced this pull request Jun 5, 2024
@jschwinger233 jschwinger233 added the backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. label Jun 7, 2024
@julianwiedmann julianwiedmann added backport-done/1.15 The backport for Cilium 1.15.x for this PR is done. backport-pending/1.13 and removed needs-backport/1.14 labels Jun 7, 2024
julianwiedmann added a commit to julianwiedmann/cilium that referenced this pull request Jun 7, 2024
[ upstream commit 5f18d88 ]

This was addressed by cilium#32683.

Signed-off-by: Julian Wiedmann <[email protected]>
julianwiedmann added a commit that referenced this pull request Jun 7, 2024
[ upstream commit 5f18d88 ]

This was addressed by #32683.

Signed-off-by: Julian Wiedmann <[email protected]>
jschwinger233 pushed a commit that referenced this pull request Jun 10, 2024
[ upstream commit: 5f18d88 ]

This was addressed by #32683.

Signed-off-by: Julian Wiedmann <[email protected]>
Signed-off-by: gray <[email protected]>
dylandreimerink pushed a commit that referenced this pull request Jun 11, 2024
[ upstream commit: 5f18d88 ]

This was addressed by #32683.

Signed-off-by: Julian Wiedmann <[email protected]>
Signed-off-by: gray <[email protected]>
@github-actions github-actions bot added backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. and removed backport-pending/1.13 labels Jun 11, 2024
jrajahalme added a commit to jrajahalme/cilium that referenced this pull request Jul 31, 2024
Allow Envoy listener chaining via the loopback device by not routing transparent proxy traffic
destined to the loopback device to the cilium_host device.

Fixes: cilium#32683, cilium/proxy#742

Signed-off-by: Jarno Rajahalme <[email protected]>
github-merge-queue bot pushed a commit that referenced this pull request Aug 8, 2024
Allow Envoy listener chaining via the loopback device by not routing transparent proxy traffic
destined to the loopback device to the cilium_host device.

Fixes: #32683, cilium/proxy#742

Signed-off-by: Jarno Rajahalme <[email protected]>
ti-mo pushed a commit to ti-mo/cilium that referenced this pull request Aug 8, 2024
Allow Envoy listener chaining via the loopback device by not routing transparent proxy traffic
destined to the loopback device to the cilium_host device.

Fixes: cilium#32683, cilium/proxy#742

Signed-off-by: Jarno Rajahalme <[email protected]>
jschwinger233 pushed a commit that referenced this pull request Aug 12, 2024
[ upstream commit 4c9cf37 ]

Allow Envoy listener chaining via the loopback device by not routing transparent proxy traffic
destined to the loopback device to the cilium_host device.

Fixes: #32683, cilium/proxy#742

Signed-off-by: Jarno Rajahalme <[email protected]>
Signed-off-by: gray <[email protected]>
github-merge-queue bot pushed a commit that referenced this pull request Aug 13, 2024
[ upstream commit 4c9cf37 ]

Allow Envoy listener chaining via the loopback device by not routing transparent proxy traffic
destined to the loopback device to the cilium_host device.

Fixes: #32683, cilium/proxy#742

Signed-off-by: Jarno Rajahalme <[email protected]>
Signed-off-by: gray <[email protected]>
Comment on lines +861 to +865

    if (from_proxy &&
        (!info || !identity_is_cluster(info->sec_identity)))
        ctx->mark = MARK_MAGIC_PROXY_TO_WORLD;
    #endif /* ENABLE_IPSEC && !TUNNEL_MODE */
Member


@jschwinger233 coming back to this - I only now realized that #36329 also applies here, and the mark potentially gets scrubbed on the transfer between cilium_host and cilium_net. Which is why we're still setting use_meta=true in the set_ipsec_encrypt() call above.

So I suppose this mark works well as a mechanism to skip the transparent-socket match in iptables - but we can't really trust yet that it also survives until cilium_net (or a subsequent to-netdev) would see it.

Member Author


😨

Development

Successfully merging this pull request may close these issues.

Unencrypted traffic among nodes when IPsec is used with L7 egress proxy

5 participants