upstream: add transparency options #5035
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
You can now set a "mark" unsigned integer value in a cluster. This will mark any upstream packets originating from envoy on this cluster with the given value. You can also configure a cluster to be "src_transparent". This will cause the cluster to use the downstream connection's remote address as the source address for the upstream connection. Signed-off-by: Kyle Larose <kyle@agilicus.com>
We can use this to control whether or not a packet is marked when emitted by Envoy. Signed-off-by: Kyle Larose <kyle@agilicus.com>
The cluster config supports the mark and src_transparent properties in the upstream cluster. The upstream cluster now reads these properties. It sets the corresponding socket options if the properties are present. Signed-off-by: Kyle Larose <kyle@agilicus.com>
klarose
commented
Nov 14, 2018
klarose
commented
Nov 14, 2018
SO_MARK and IP_TRANSPARENT may not be supported on all platforms. Skip tests testing those if they aren't supported. Signed-off-by: Kyle Larose <kyle@agilicus.com>
|
@lyft/network-team Can somebody take a look at this please? Thanks! Edit: I'm not sure the above actually worked... Are the contribution guidelines out of date? |
|
@zuercher do you mind taking a first pass on this? |
|
This pull request has been automatically marked as stale because it has not had activity in the last 7 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
stale
bot
added
the
stale
|
poke. Please review when back from holidays! |
stale
bot
removed
the
stale
zuercher
reviewed
Nov 26, 2018
Signed-off-by: Kyle Larose <kyle@agilicus.com>
- Removed json updates; json config is deprecated - Use scalar types for protobufs - Update new upstream_impl_tests to use yaml rather than json. Signed-off-by: Kyle Larose <kyle@agilicus.com>
Signed-off-by: Kyle Larose <kyle@agilicus.com>
zuercher
reviewed
Nov 27, 2018
Signed-off-by: Kyle Larose <kyle@agilicus.com>
No need to pollute the already large Cluster definition when there's a perfectly appropriate message to hold the source transparency config! Signed-off-by: Kyle Larose <kyle@agilicus.com>
Signed-off-by: Kyle Larose <kyle@agilicus.com>
Signed-off-by: Kyle Larose <kyle@agilicus.com>
zuercher
reviewed
Nov 28, 2018
|
/retest |
|
🔨 rebuilding |
|
/retest |
|
🔨 rebuilding |
Signed-off-by: Kyle Larose <kyle@agilicus.com>
We want to be able to introspect the options being passed around without needing to actually apply them. The simplest way to do this is to have them return the values they would set. Since the values may differ based on who they are visiting, this introspection takes into account the socket and state passed in. Signed-off-by: Kyle Larose <kyle@agilicus.com>
This changes some tests I added a while back for the source transparency socket options to use the new Option:getOptionInformation API. This is nicer since it decouples the higher level tests from the low level implementation of the socket API. Signed-off-by: Kyle Larose <kyle@agilicus.com>
Signed-off-by: Kyle Larose <kyle@agilicus.com>
Having some issues running some IPv6 option tests. Signed-off-by: Kyle Larose <kyle@agilicus.com>
Ugh. Sucks to not be able to reproduce locally. Signed-off-by: Kyle Larose <kyle@agilicus.com>
zuercher
previously approved these changes
Dec 8, 2018
Suggestions from review. Signed-off-by: Kyle Larose <kyle@agilicus.com>
zuercher
approved these changes
Dec 10, 2018
|
@mattklein123 or @htuch not sure about your availability this week, but I think this is ready for one of you to take a look |
|
@zuercher will defer to @mattklein123 on this one, as I have limited bandwidth at present. |
|
We may want to wait for the conversation in #5255 to be resolved before merging. We may end up changing the config model. There is still some stuff in here I'd like -- namely, the socket option introspection. I can always do that in a separate PR if we decide to ditch this. |
|
@mattklein123 At least read the conversation we've been having in that PR. We've been discussing an alternative design. I'd like your feedback on it. TL;DR: try to use a filter rather than changing the core components. |
This was referenced Dec 19, 2018
|
Cancelling this as it has been subsumed by the work for another approach (#5337) |
zuercher
pushed a commit
that referenced
this pull request
Dec 22, 2018
IP Source transparency involves non-local IP addresses being routed as though they were local. This requires some magic in the stack to ensure that those flows are sent back to envoy from the upstream host, rather than back to the original source IP address. We plan on using SO_MARK to do this. So, add it into the socket option factory. My intention is for it to be used by a follow-up PR to #5337. This was cherry-picked from PR #5035 where it was already reviewed. I plan on closing that PR. Risk Level: Low. No code invoked in production yet. Testing: Ran newly added UT and other UT in network. Docs Changes: None until we expose this through config. Release Notes: None Signed-off-by: Kyle Larose <kyle@agilicus.com>
fredlas
pushed a commit
to fredlas/envoy
that referenced
this pull request
Mar 5, 2019
IP Source transparency involves non-local IP addresses being routed as though they were local. This requires some magic in the stack to ensure that those flows are sent back to envoy from the upstream host, rather than back to the original source IP address. We plan on using SO_MARK to do this. So, add it into the socket option factory. My intention is for it to be used by a follow-up PR to envoyproxy#5337. This was cherry-picked from PR envoyproxy#5035 where it was already reviewed. I plan on closing that PR. Risk Level: Low. No code invoked in production yet. Testing: Ran newly added UT and other UT in network. Docs Changes: None until we expose this through config. Release Notes: None Signed-off-by: Kyle Larose <kyle@agilicus.com> Signed-off-by: Fred Douglas <fredlas@google.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
This adds two options to the upstream cluster definition:
Mark is a 32-bit unsigned integer whose non-zero value indicates that all packets originating from envoy to the configured upstream cluster should be marked with the provided value.
src_transparent is a boolean where true indicates that L3/L4 source transparency should be enabled for this upstream cluster. That is, connections to the cluster will have the same IP address (and possibly port) as the original downstream connection.
Mark will just work as-is. However, src_transparent still needs implementation to work properly.
The options are implemented by adding socket options to the upstream cluster. Consequently, when an upstream connection is made, the socket options are applied. This infrastructure already existed.
The implementation applies SO_MARK in response to the mark configuration. This option seems to only exist on Linux. It requires CAP_NET_ADMIN privileges.
src_transparent applies IP_TRANSPARENT. The socket option code for this already exists. This change simply invokes it in the context of the upstream cluster. It also requires CAP_NET_ADMIN.
This is part of the infrastructure for #4128.
Risk Level: Low
This is an optional feature which is disabled by default. The only new logic is in choosing whether or not to add the socket options, called from existing code.
Testing:
Unit tests were added for the configuration options at every level. I ran the full unit test suite (which I think runs the integration tests.. If it doesn't, let me know, and I'll run them).
I manually tested that the mark socket option worked by running envoy in a container connected to a simple http upstream. With the required iptables rules in place, I could see the mark using
conntrack -L.Docs Changes:
I documented the API in the protobuf specification. The overall feature will need a proper blurb when it's done.