Skip to content

[filters] original src so_mark and ip_transparent#5525

Merged
mattklein123 merged 13 commits intoenvoyproxy:masterfrom
klarose:original_src_extra_options
Jan 23, 2019
Merged

[filters] original src so_mark and ip_transparent#5525
mattklein123 merged 13 commits intoenvoyproxy:masterfrom
klarose:original_src_extra_options

Conversation

@klarose
Copy link
Copy Markdown
Contributor

@klarose klarose commented Jan 7, 2019
edited
Loading

Description:
This completes the primary functionality of the original src listener filter by adding SO_MARK and IP_TRANSPARENT options to the upstream connection. With these, any IP address can now connect upstream. This is one of the tasks mentioned in #5337

My original plan for the options was to have the OriginalSrcSocketOption recurse into them. However, I realized that this was somewhat sketchy when doing the UT -- there was not clean mapping between a socket option and multiple "sub-options". Rather than introduce such a comment, I simply leveraged the fact that we are already adding an option to the socket -- now we just add three instead of one!

Risk Level: Low. Existing filter; minor changes to code used in testing.
Testing: UT + some testing of ipv4 and ipv6 traffic using a container.
Docs Changes: See #5539.

klarose added 5 commits January 7, 2019 15:16
@klarose
Set socket options for original_src
d558ac1 
We need to set SO_MARK and IP_TRANSPARENT. Do so.

This needs some further work to UT it.

Signed-off-by: Kyle Larose <kyle@agilicus.com>
@klarose
Update protobuf comment to show mark as implemented
e08782b 
Signed-off-by: Kyle Larose <kyle@agilicus.com>
@klarose
Add description_ to Socket::Option::Details
71030a3 
Signed-off-by: Kyle Larose <kyle@agilicus.com>
@klarose
Refactor sub-options and test
86c4c07 
Rather than relying on the original_src option encapsulating many
options, just have the filter add multiple options. Simpler.

Signed-off-by: Kyle Larose <kyle@agilicus.com>
@klarose
Short circuit unsupported tests
065cf23 
If the platform (i.e. mac) doesn't support a given option, short circuit
testing of it by just returning.

Also fix a typo in a comment.

Signed-off-by: Kyle Larose <kyle@agilicus.com>
@klarose klarose changed the title Original src extra options [filters] original src extra options Jan 7, 2019
@klarose klarose changed the title [filters] original src extra options [filters] original src so_mark and ip_transparent Jan 7, 2019
klarose
klarose commented Jan 7, 2019
View reviewed changes
Comment thread include/envoy/network/listen_socket.h Outdated
@klarose
Copy link
Copy Markdown
Contributor Author

klarose commented Jan 8, 2019

/retest

@repokitteh-read-only
Copy link
Copy Markdown

repokitteh-read-only Bot commented Jan 8, 2019

🔨 rebuilding ci/circleci: mac (failed build)

🐱

Caused by: a #5525 (comment) was created by @klarose.

see: more, trace.

lizan
lizan reviewed Jan 9, 2019
View reviewed changes
Comment thread source/extensions/filters/listener/original_src/original_src.cc Outdated
Comment thread test/extensions/filters/listener/original_src/original_src_test.cc Outdated
Comment thread include/envoy/network/listen_socket.h Outdated
Comment thread source/extensions/filters/listener/original_src/original_src_socket_option.h
@klarose
Merge branch 'master' into original_src_extra_options
ea45cdb 
Signed-off-by: Kyle Larose <kyle@agilicus.com>
@klarose
Remove option details description field
ea21e76 
This field didn't make sense. We take a different approach for testing
options which don't have details that make sense.

Signed-off-by: Kyle Larose <kyle@agilicus.com>
@klarose
Code review nits
b20b0ac 
Pluralize some stuff.

Signed-off-by: Kyle Larose <kyle@agilicus.com>
@klarose
Remove unnecessary conversions.
9317368 
Signed-off-by: Kyle Larose <kyle@agilicus.com>
@cmluciano cmluciano mentioned this pull request Jan 10, 2019
Closed
@klarose
Copy link
Copy Markdown
Contributor Author

klarose commented Jan 14, 2019

@lizan Thanks for the first pass. How is this looking now?

@klarose
Copy link
Copy Markdown
Contributor Author

klarose commented Jan 17, 2019

@lizan Any chance of looking at this in the next few days, please? Thanks. :)

lizan
lizan reviewed Jan 17, 2019
View reviewed changes
Copy link
Copy Markdown
Member

@lizan lizan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM modulo nits.

/wait

Comment thread source/extensions/filters/listener/original_src/original_src_socket_option.h
Comment thread source/extensions/filters/listener/original_src/original_src_socket_option.cc Outdated
@klarose
Merge branch 'master' into original_src_extra_options
b8088ce 
Signed-off-by: Kyle Larose <kyle@agilicus.com>
@klarose
Code review fixes
d3b5dd1 
Signed-off-by: Kyle Larose <kyle@agilicus.com>
@klarose
Copy link
Copy Markdown
Contributor Author

klarose commented Jan 21, 2019

@lizan Looking good now?

lizan
lizan previously approved these changes Jan 23, 2019
View reviewed changes
@mattklein123 mattklein123 self-assigned this Jan 23, 2019
mattklein123
mattklein123 reviewed Jan 23, 2019
View reviewed changes
Copy link
Copy Markdown
Member

@mattklein123 mattklein123 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks 1 question.

Comment thread api/envoy/config/filter/listener/original_src/v2alpha1/original_src.proto
// Sets the SO_MARK option on the upstream connection's socket to the provided value. Used to
// ensure that non-local addresses may be routed back through envoy when binding to the original
// source address.
// [#proto-status: experimental]
Copy link
Copy Markdown
Member

@mattklein123 mattklein123 Jan 23, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I realize this is not this PR, but does a mark of 0 make sense? Shouldn't this be an optional uint32 WKT wrapper? If a mark of 0 means, no mark, and this is OK, can you document that?

Copy link
Copy Markdown
Contributor Author

@klarose klarose Jan 23, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A mark of 0 is equivalent to not marking it at all. I could document that for sure, though if I were to do that, I would probably want to make the mark option not set at all if it's zero. I can definitely do that as part of this PR. I'll update the docs while I'm at it too. Now that they're merged, it's not a big deal. :)

Copy link
Copy Markdown
Member

@mattklein123 mattklein123 Jan 23, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK thank you. Either option is fine with me.

@klarose
Merge branch 'master' into original_src_extra_options
30332ec 
Signed-off-by: Kyle Larose <kyle@agilicus.com>
@klarose
Do not apply mark if 0
c12dad4 
Signed-off-by: Kyle Larose <kyle@agilicus.com>
@klarose
Copy link
Copy Markdown
Contributor Author

klarose commented Jan 23, 2019

/retest

@repokitteh-read-only
Copy link
Copy Markdown

repokitteh-read-only Bot commented Jan 23, 2019

🔨 rebuilding ci/circleci: release (failed build)

🐱

Caused by: a #5525 (comment) was created by @klarose.

see: more, trace.

mattklein123
mattklein123 approved these changes Jan 23, 2019
View reviewed changes
Copy link
Copy Markdown
Member

@mattklein123 mattklein123 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@mattklein123 mattklein123 merged commit 2b9aef1 into envoyproxy:master Jan 23, 2019
danzh2010 pushed a commit to danzh2010/envoy that referenced this pull request Jan 24, 2019
@klarose @mattklein123
[filters] original src so_mark and ip_transparent (envoyproxy#5525)
9849055 
Signed-off-by: Kyle Larose <kyle@agilicus.com>

Signed-off-by: Dan Zhang <danzh@google.com>
@jrajahalme
Copy link
Copy Markdown
Contributor

jrajahalme commented Jan 25, 2019

@klarose Could you briefly elaborate how you use the SO_MARK set on the upstream connection to ensure the return traffic is routed back to Envoy? AFAIK only the outgoing packets will have the skb->mark set, return packets will not (unless marked by the destination in the same network namespace).

@klarose
Copy link
Copy Markdown
Contributor Author

klarose commented Jan 25, 2019
edited
Loading

@jrajahalme TL;DR: conntrack

Basically, we save the mark in the conntrack record on egress from envoy. When return packets come back, we use conntrack to restore the mark, then force it through the a different routing table. You can see some example config here: https://www.envoyproxy.io/docs/envoy/latest/configuration/listener_filters/original_src_filter#extra-setup

danzh2010 pushed a commit to danzh2010/envoy that referenced this pull request Jan 31, 2019
@klarose @danzh1989
[filters] original src so_mark and ip_transparent (envoyproxy#5525)
4c2b415 
Signed-off-by: Kyle Larose <kyle@agilicus.com>

Signed-off-by: Kyle Larose <eomereadig@gmail.com>
fredlas pushed a commit to fredlas/envoy that referenced this pull request Mar 5, 2019
@klarose @fredlas
[filters] original src so_mark and ip_transparent (envoyproxy#5525)
d6cde3c 
Signed-off-by: Kyle Larose <kyle@agilicus.com>
Signed-off-by: Fred Douglas <fredlas@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mattklein123 mattklein123 mattklein123 approved these changes

+1 more reviewer

@lizan lizan lizan left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@lizan lizan

@mattklein123 mattklein123

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@klarose @jrajahalme @lizan @mattklein123