use symmetric return path for non-VPC traffic #1460
Configure permissive rp_filter on the secondary ENIs and use symmetric return path for non-VPC traffic ingress from the secondary ENIs.
@@ -42,13 +42,18 @@ for b in $PLUGIN_BINS; do | |||
done | |||
|
|||
# Configure rp_filter | |||
echo "Configure default rp_filter loose... " |
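Review bot: the hunk sets the host-wide default rp_filter (the `conf/default` knob, per the "Configure default rp_filter loose" message), so every interface created after this point inherits the loose setting, including ENIs that users exclude from CNI management via tags and interfaces attached to non-zero network cards, as the review comments on this page point out. Suggest scoping the sysctl to the secondary ENIs the plugin actually manages, e.g. `sysctl -w net.ipv4.conf.<eni>.rp_filter=2` applied per interface at the point where each managed ENI is attached, and leaving `conf/default` untouched; the loose value needed for the symmetric return path is then present exactly where the connmark rules expect it and nowhere else.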
Below set of changes will set rp_filter to `2` on all the interfaces, and that might be a concern because we currently allow Cx to specify via tags the ENIs they don't want VPC CNI to manage. Same is true for P4d instances that support multiple network cards. Although we only manage interfaces belonging to network card 0, this change will modify the settings on interfaces tied to non-zero network cards as well.
Is there any extra information that we can use to reliably ignore the interfaces, for example via IMDS? Since we are setting the default rp_filter, any new interfaces created after this point get the permissive rp_filter configuration.
With this change, we will start marking the packets ingressing via secondary ENIs with
This is not a feature, but a bug fix. Something that should have worked but didn't. Having a separate flag to enable the fix specifically would be burdensome for far more users than the ones that might have used the
closing in favor of #1475
Configure permissive rp_filter on the secondary ENIs and use symmetric return path for non-VPC traffic ingress from the secondary ENIs.
What type of PR is this?
bug
Which issue does this PR fix:
Fixes #1392
What does this PR do / Why do we need it:
When external SNAT is disabled, this PR does the following
This fix is needed in order to support non-VPC traffic ingress from the secondary ENIs, for example in case of NLB with IP targets and preserve client IP enabled.
If an issue # is not available please add repro steps and logs from IPAMD/CNI showing the issue:
N/A
Testing done on this change:
Automation added to e2e:
Will this break upgrades or downgrades? Has updating a running cluster been tested?:
Upgrading to the new version on a running cluster works fine.
Does this change require updates to the CNI daemonset config files to work?:
Added the secondaryENIConnmark configuration to the file 10.aws.conflist so that the CNI plugin picks up the configured connmark.
Does this PR introduce any user-facing change?:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
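The following script is an added example, not code from the amazon-vpc-cni-k8s project or from this PR, illustrating the two points raised on this page: the reviewers' concern that `conf/default` rp_filter leaks onto interfaces the CNI does not manage (the effective value for an interface is the maximum of `conf/all` and `conf/<iface>`), and the PR's approach of conntrack-marking connections that ingress via a secondary ENI so their replies take the same ENI back out. The interface name `eth1`, the mark `0x80`, the routing table `101` and the rule priority are constructed placeholders, not values from the project; the conntrack/route layout of the real plugin is not reproduced here.

```shell
#!/bin/sh
# Added example (not the amazon-vpc-cni-k8s project's own code).
# 1. effective_rp_filter: audits what rp_filter an interface really gets,
#    which is max(conf/all, conf/<iface>); conf/default only seeds new
#    interfaces, which is why touching it affects unmanaged ENIs too.
# 2. secondary_eni_setup: scopes loose rp_filter to one ENI and builds a
#    symmetric return path with a conntrack mark and a fwmark policy rule.
# Interface, mark, table and priority below are constructed placeholders.
set -eu

# RUN=echo renders the commands (dry run, default); RUN= applies them (root).
RUN="${RUN:-echo}"

# Effective rp_filter for an interface: max of conf/all and conf/<iface>.
# $1 = sysctl conf root (normally /proc/sys/net/ipv4/conf), $2 = interface.
effective_rp_filter() {
    all=$(cat "$1/all/rp_filter")
    dev=$(cat "$1/$2/rp_filter")
    if [ "$all" -gt "$dev" ]; then echo "$all"; else echo "$dev"; fi
}

# Per-ENI configuration. $1 = ENI, $2 = connmark (hex), $3 = route table id
# that holds the ENI's own default route (assumed to exist already).
secondary_eni_setup() {
    iface=$1; mark=$2; table=$3
    # loose reverse-path check only on this ENI; conf/default stays untouched
    $RUN sysctl -w "net.ipv4.conf.$iface.rp_filter=2"
    # remember in conntrack which connections arrived through this ENI
    $RUN iptables -t mangle -A PREROUTING -i "$iface" -m conntrack --ctstate NEW \
        -j CONNMARK --set-xmark "$mark/$mark"
    # copy the mark back onto reply packets that come from pod veths (not
    # from the ENI itself, so inbound packets keep their normal routing)
    $RUN iptables -t mangle -A PREROUTING ! -i "$iface" -m connmark --mark "$mark/$mark" \
        -j CONNMARK --restore-mark --nfmask "$mark" --ctmask "$mark"
    # marked replies use the ENI's table, so they leave via the same ENI
    $RUN ip rule add fwmark "$mark/$mark" lookup "$table" priority 1000
}

# Stand-alone run: dry-run rendering for a constructed ENI.
secondary_eni_setup "${ENI:-eth1}" "${CONNMARK:-0x80}" "${TABLE:-101}"
```

Run it as-is to see the commands it would issue; set `RUN=` to apply them on a host where the ENI's routing table already exists. Point `effective_rp_filter /proc/sys/net/ipv4/conf eth1` at a live host to confirm that an ENI excluded from CNI management still reads `0` or `1` after the setup, which is the check the reviewers asked for.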