datapath/iptable: fuzzy match for devices than exact match #37450
Conversation
Use device filter to fuzzy match the devices than the exact match to match the users input for `devices` and `MasqueradeInterfaces`. We described this in the doc but not really doing it in the code. Fixes: cilium#37448 Signed-off-by: Liyi Huang <liyi.huang@isovalent.com>
maintainer-s-little-helper
bot
added
the
dont-merge/needs-release-note-label
|
/test |
|
/ci-integration |
|
/ci-ginkgo |
|
/ci-ipsec-upgrade |
1 similar comment
|
/ci-ipsec-upgrade |
|
/ci-e2e-upgrade |
5 similar comments
|
/ci-e2e-upgrade |
|
/ci-e2e-upgrade |
|
/ci-e2e-upgrade |
|
/ci-e2e-upgrade |
|
/ci-e2e-upgrade |
|
I really think the CI failure for e2e upgrade is not related to this PR, but also don't know what caused it |
|
/ci-e2e-upgrade |
|
it looks like CI passed when only retriggering the failed ones. Confirmed in the slack channel. its the CI issue |
|
Even if this is the correct behavior per the documented steps, I worry a little that this may change the way Cilium behaves in production environments and whether that in itself could cause more problems than the bug being fixed. Do you have a sense for the risk of making this change? Could we start dropping traffic that was previously passed for instance? (To be clear, this question relates to the backports; for future versions and even v1.17.x it sounds like the fix makes sense 👍 ) |
joestringer
added
the
release-note/bug
maintainer-s-little-helper
bot
removed
the
dont-merge/needs-release-note-label
|
Ah, I see the reproducer would require the user to specify the masquerade route source (unusual config) with |
joestringer
added
affects/v1.15
I personally dont think this will cause any issue unless the users don't use this feature correctly (for example the packet following the default/other route ip table rules via eth0, and this bug fix will make the packet going to eth1 or eth1.1 based on the route table.) that's the only changes that I can think of. |
There was a problem hiding this comment.
Thanks for the fix.
Based on the documentation, I wonder if the correct way to get the expected masquerading behavior is by setting the flag egress-masquerade-interfaces to something like eth+.
With the enable-masquerade-to-route-source: "true" option, Cilium will, by default, use interfaces listed in the devices field as the egress masquerade interfaces when egress-masquerade-interfaces is empty. When egress-masquerade-interfaces is set, it takes precedence over devices to choose which network interface should perform masquerading. You can set egress-masquerade-interfaces to match multiple interfaces like this: eth+ ens+.
|
yes. and the more common config is people using the Btw the doc that you copied is also written by me where I have incorrect understanding about how it works Hope I made it clear. |
maintainer-s-little-helper
bot
added
the
ready-to-merge
aditighag
added
the
dont-merge/needs-release-note-label
maintainer-s-little-helper
bot
removed
the
dont-merge/needs-release-note-label
|
@liyihuang FYI - I rephrased the release note as its purpose is to convey "what user-facing bug was fixed" rather than "how the bug was fixed". |
julianwiedmann
added
sig/datapath
liyihuang
deleted the
pr/liyihuang/fuzzy_match_devices_in_enable_masquerade_route_source
branch
nbusseneau
added
backport-pending/1.17
github-actions
bot
added
backport-done/1.17
Use device filter to fuzzy match the devices than the exact match to match the users input for
devicesandMasqueradeInterfaces. We described this in the doc but not really doing it in the code.we need to backport it all the way to 1.15 since that's when we introduce the MasqueradeRouteSource
Fixes: #37448