egressgw: Let the EGW manager relax rp_filter on egress device#7
Open
MitchLewis930 wants to merge 1 commit into pr_047_before from
Conversation
Pods running on the Egress GW node fail to communicate with an external endpoint through the Egress GW due to the rp_filter in an environment where egress IP is assigned to a different interface than the one with the default route. The reply packets from the external endpoints are dropped by the rp_filter:

- A request from a local pod hits eth0 with the default route. It matches an IEGP, gets masqueraded & bpf-redirected to eth1 with Egress IP.
- Replies hit eth1, are revSNATed, and passed on to the stack. rp-filter complains that they are received on eth1, when the route doesn't point towards eth1.

This PR fixes this issue by relaxing rp_filter on interfaces with Egress IP.

Signed-off-by: Yusuke Suzuki <yusuke.suzuki@isovalent.com>
PR_047
Note
Medium Risk
Changes runtime kernel sysctl (rp_filter) settings during egress-gateway reconciliation, which can affect node networking behavior if interface selection or reconciliation timing is wrong.
Overview
Egress Gateway reconciliation now tracks the selected egress interface for each policy and, when the local node is acting as the gateway, proactively relaxes rp_filter on that interface by applying net.ipv4.conf.<iface>.rp_filter=2 via the injected sysctl provider (with retry on failure).
To support this, gateway config derivation now records ifaceName and a localNodeConfiguredAsGateway flag, and the netdevice helper for “interface with this IPv4” is upgraded to return the matching interface name. Privileged tests are updated to use a real sysctl implementation, ensure rp_filter starts enabled, and assert only the active egress interface is relaxed while others remain at the default.
Written by Cursor Bugbot for commit 43d65ed.
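The PR description and the Bugbot summary both describe the same operation: when this node is the gateway, write `net.ipv4.conf.<iface>.rp_filter=2` for the egress interface only, retry on failure, and leave every other interface alone. The following POSIX shell script is an added example written for this page, not the project's own code; it illustrates that operation against a sysctl tree rooted at `EGW_PROC_SYS` (an assumed variable that defaults to `/proc/sys`, so the functions can be exercised against a constructed directory without root). It also shows the caveat an operator checking the fix wants to know: the kernel validates the source with the maximum of `conf/all/rp_filter` and `conf/<iface>/rp_filter`, so an interface value of 2 (loose) does override `all=1` (strict), whereas an interface value of 0 would not.

```shell
#!/bin/sh
# Added example, not from the Cilium PR. Root of the sysctl tree; tests point
# this at a constructed temp directory instead of the real /proc/sys.
EGW_PROC_SYS="${EGW_PROC_SYS:-/proc/sys}"

# Path of the rp_filter knob for interface $1 (or the pseudo-interface "all").
rp_path() {
    printf '%s/net/ipv4/conf/%s/rp_filter\n' "$EGW_PROC_SYS" "$1"
}

# Configured rp_filter value for interface $1: 0 = off, 1 = strict, 2 = loose.
rp_get() {
    cat "$(rp_path "$1")"
}

# Effective mode used by the kernel for interface $1: max(conf/all, conf/<iface>).
# A per-interface 2 therefore wins over all=1, but a per-interface 0 does not.
rp_effective() {
    all=$(rp_get all)
    own=$(rp_get "$1")
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# Relax rp_filter to loose mode on the egress interface $1 only, retrying up to
# $2 times (default 3) as the PR says the manager does; returns 1 if the write
# never takes effect (e.g. the interface does not exist).
rp_relax() {
    iface=$1
    tries=${2:-3}
    while [ "$tries" -gt 0 ]; do
        if printf '2\n' > "$(rp_path "$iface")" 2>/dev/null \
           && [ "$(rp_get "$iface")" = 2 ]; then
            return 0
        fi
        tries=$((tries - 1))
    done
    return 1
}

# List interfaces (other than "all"/"default") whose effective mode is still
# strict, which is what an operator would audit after the reconciliation ran.
rp_report_strict() {
    for dir in "$EGW_PROC_SYS"/net/ipv4/conf/*/; do
        name=$(basename "$dir")
        case "$name" in all|default) continue ;; esac
        [ "$(rp_effective "$name")" = 1 ] && echo "$name"
    done
    return 0
}
```

Run it with `EGW_PROC_SYS` unset on a gateway node (as root) to relax the interface that carries the egress IP, then call `rp_report_strict` to confirm the default-route interface was not touched; the report is the check the PR's privileged tests perform in code.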