Add DSCP magic mark support for inbound traffic redirection #58285
Conversation
Introduces DSCPMagicMark constant (0x17) and adds iptables rule to redirect TCP packets with matching DSCP mark to ztunnel inbound port (15008).
|
😊 Welcome @electricjesus! This is either your first contribution to the Istio istio repo, or it's been You can learn more about the Istio working groups, Code of Conduct, and contribution guidelines Thanks for contributing! Courtesy of your friendly welcome wagon. |
|
|
Hi @electricjesus. Thanks for your PR. I'm waiting for a istio member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
Hi all! this is still a draft. We're still working on a few things related to this here over at ProjectCalico. |
|
|
||
| iptablesBuilder.AppendRule(ChainInpodPrerouting, "nat", | ||
| "-p", "tcp", | ||
| "-m", "dscp", "--dscp", fmt.Sprintf("%#x", config.DSCPMagicMark), |
There was a problem hiding this comment.
This seems to be the best way to do this since this modifies the ip header and doesn't have the same issues a mark on the skb would have.
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
|
|
||
| iptablesBuilder.AppendRule(ChainInpodPrerouting, "nat", | ||
| "-p", "tcp", | ||
| "-m", "dscp", "--dscp", fmt.Sprintf("%#x", config.DSCPMagicMark), |
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
| ZtunnelInboundPort = 15008 | ||
| ZtunnelOutboundPort = 15001 | ||
| ZtunnelInboundPlaintextPort = 15006 | ||
| DSCPMagicMark = 0x17 // FIXME: needs to be configurable |
There was a problem hiding this comment.
@keithmattix with strict mode can't we just redirect all ingressing traffic to port 15008? This is more relevant for the permissive mode? Or Do I just not fully understand strict vs permissive mode?
What’s the exact use case here? If there’s a design doc or any background info on why we are planning to add a DSCP mark to the traffic, could someone share it? |
The use case is most likely the fact that ztunnel using dst port 15008 and not the original dst port and this interfers with other network plugins network policy especially in the case of L4 enforcement (L5 is a different story). Since the dst port is no longer 15008, nothing will receive on the ztunnel inbound listener socket, so the change is using iptables Redirect action to do this and use the get original dst sock opt to get the original 5 tuple. istio isn't a full network plugin and relies on the calico, ciliums, or whoever to provide the pod networking. That at least is use case/background that I have (we have already POC'd this a couple months ago). This isn't enabled by default as well which means the user would need to enable this. However the design document to iron out the design decisions would be helpful :-) I am also curious if that document has any throughput/latency metrics. |
| ZtunnelInboundPort = 15008 | ||
| ZtunnelOutboundPort = 15001 | ||
| ZtunnelInboundPlaintextPort = 15006 | ||
| DSCPMagicMark = 0x17 // FIXME: needs to be configurable |
There was a problem hiding this comment.
+1 to making this configurable. Depending on the design decision here, we should possibly make sure we use a relevant value.
Introduces DSCPMagicMark constant (0x17) and adds iptables rule to redirect TCP packets with matching DSCP mark to ztunnel inbound port (15008).
Please provide a description of this PR: