ipsec: fix source template in skip rule
This patch modifies a forward policy update introduced by
0b52fd7 so that the template source
matches the source which is 0.0.0.0/0 (wildcard).

The above modification addresses an issue of intermittent packet drops, as
discussed in detail below.

During an investigation of intermittent dropped packets in AKS (kernel
5.4.0-1061-azure) with IPSec enabled, there was an increase of
(XfrmInTmplMismatch) errors in /proc/net/xfrm_stat as packets were
dropped.

Tracing revealed that the packets were dropped due to an __xfrm_policy_check
failure when the packet was redirected from eth0 (after decryption) to the LXC
device of a pod.

Further investigation attributed the drops to changes in the forwarding
policy. Specifically, the forwarding policy would change as:

 src 0.0.0.0/0 dst 10.240.0.0/16
        dir fwd priority 2975
-       tmpl src 0.0.0.0 dst 10.240.0.19
+       tmpl src 10.240.0.19 dst 10.240.0.61
                proto esp reqid 1 mode tunnel
                level use

And back:

 src 0.0.0.0/0 dst 10.240.0.0/16
        dir fwd priority 2975
-       tmpl src 10.240.0.19 dst 10.240.0.61
+       tmpl src 0.0.0.0 dst 10.240.0.19
                proto esp reqid 1 mode tunnel
                level use

The above change was caused by: func (n *linuxNodeHandler) enableIPsec(newNode
*nodeTypes.Node) in pkg/datapath/linux/node.go.  Modifying the code to avoid
changing the policy eliminated the packet drops.

There are two places where the xfrm policy is updated in enableIPsec():
  (1) inside UpsertIPsecEndpoint() when an IN policy is specified (as happens if newNode.IsLocal())
  (2) in enableIPsec() itself, as introduced by 0b52fd7

For example, adding log messages to IpSecReplacePolicyFwd and UpsertIPsecEndpoint produced:
 level=info msg="IpSecReplacePolicyFwd: src=0.0.0.0/0 dst=10.240.0.61/16 tmplSrc=10.240.0.19/16 tmplDst=10.240.0.61/16" subsys=ipsec
 level=info msg="UpsertIPsecEndpoint: local:10.240.0.19/16 remote:0.0.0.0/0 fowrard:10.240.0.19/16" subsys=ipsec
 level=info msg="IpSecReplacePolicyFwd: src=0.0.0.0/0 dst=10.240.0.19/16 tmplSrc=0.0.0.0/0 tmplDst=10.240.0.19/16" subsys=ipsec
 level=info msg="UpsertIPsecEndpoint: exit" subsys=ipsec

Additional testing revealed that the update that resulted in a template
with tmplSrc=10.240.0.19/16 was the culprit for the packet drops.
Making the source template match the source, which is a wildcard, in
update (2) eliminated the packet drops.

Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
kkourt authored and borkmann committed Nov 17, 2021
1 parent 3ffe49e commit b385f0f
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion pkg/datapath/linux/node.go
Expand Up @@ -967,7 +967,7 @@ func (n *linuxNodeHandler) enableIPsec(newNode *nodeTypes.Node) {

/* Insert wildcard policy rules for traffic skipping back through host */
ipsecIPv4Wildcard := &net.IPNet{IP: net.ParseIP(wildcardIPv4), Mask: net.IPv4Mask(0, 0, 0, 0)}
if err = ipsec.IpSecReplacePolicyFwd(ipsecIPv4Wildcard, ipsecRemote, ipsecLocal, ipsecRemote); err != nil {
if err = ipsec.IpSecReplacePolicyFwd(ipsecIPv4Wildcard, ipsecRemote, ipsecIPv4Wildcard, ipsecRemote); err != nil {
log.WithError(err).Warning("egress unable to replace policy fwd:")
}
}
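Review bot: the only change in this hunk is the third argument of ipsec.IpSecReplacePolicyFwd, from ipsecLocal to ipsecIPv4Wildcard, and nothing at the call site says why the template source has to be the wildcard, so the next reader cannot tell a deliberate fix from a typo. Suggest extending the comment on the preceding line, e.g. `/* Insert wildcard policy rules for traffic skipping back through host; the template src must match the wildcard policy src, otherwise the kernel drops packets with XfrmInTmplMismatch (see commit message) */`, and noting there that UpsertIPsecEndpoint also rewrites this fwd policy for the local node, so both call sites must keep producing the same tmpl src or the policy will flap again. A regression test that reads the installed fwd policy after enableIPsec and asserts its template source equals the policy selector source would catch a reintroduction of the mismatch.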
