Add IPv6/dual-stack support #350

Merged
merged 4 commits into from
Mar 28, 2024

Commits on Mar 19, 2024

  1. Add IPv6/dual-stack support

    ## Flags Changes
    
    This replaces the proxy-init flags `--firewall-bin-path` and `--firewall-save-bin-path` with the flag `--iptables-mode` (with possible values `legacy` and `nft`).
    Also the `--ipv6` flag has been added (default `true`).
    Proxy-init won't be relying just on the iptables commands family (iptables-legacy, iptables-legacy-save, iptables-nft, iptables-nft-save), but also on the ip6tables command family, so it's better to know the mode we're in (legacy or nft) and whether ipv6 is enabled, to determine all the commands that need to be used instead of directly passing them as arguments.
    
    After the set of rules run via iptables are processed, if `--ipv6` is true (which is the default), the same set of rules will be run via ip6tables.
    
    Analogous changes were applied to linkerd-cni as well.
    
    ## Backwards-Compatibility
    
    This is backwards-compatible with older control planes as long as the older flags are not used. If those flags are used, an explanatory error is thrown (better than showing a deprecation message and failing later when legacy/nft iptables don't work).
    If `--ipv6` is not passed (and thus defaults to true), this doesn't impact operation even if the cluster doesn't support IPv6; the ip6tables rules are applied but they're innocuous.
    OTOH if there's no kernel support for IPv6 then the ip6tables command will fail but we'll just log the failure and not fail the linkerd-init container (nor the `add` command for linkerd-cni). This avoids having to explicitly set `--ipv6=false`, but it can be set if the user is aware of such limitations and wants to get rid of the errors.
    
    ## Linkerd IPv6 Support
    
    This allows routing IPv6 traffic to the proxy, but is just the first step towards IPv6/dual-stack support. Control plane and proxy changes will come up next.
    alpeb committed Mar 19, 2024
    29582b0
  2. matrix test for legacy/nft

    alpeb committed Mar 19, 2024
    6163337
  3. 03a7172
  4. d156e1a
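
The behaviour described in the first commit message (commands derived from `--iptables-mode` and `--ipv6`, the same rules run via iptables and then ip6tables, ip6tables failures logged rather than fatal), as an added Go sketch that is not code from this PR or from the project. Assumptions: the names `Runner`, `Commands` and `Apply`, the `ip6tables-<mode>` binary naming, continuing with the remaining rules after an IPv6 failure, and the constructed sample rule.

```go
package main

import (
	"fmt"
	"log"
)

// Runner executes one command; injected so this runs without root or iptables.
type Runner func(bin string, args []string) error

// Commands derives the binaries to call from --iptables-mode and --ipv6.
func Commands(mode string, ipv6 bool) ([]string, error) {
	if mode != "legacy" && mode != "nft" {
		return nil, fmt.Errorf("invalid --iptables-mode %q (want legacy or nft)", mode)
	}
	bins := []string{"iptables-" + mode}
	if ipv6 {
		bins = append(bins, "ip6tables-"+mode)
	}
	return bins, nil
}

// Apply runs rules via iptables, then the same rules via ip6tables. IPv4 errors
// are fatal; IPv6 errors are only logged and counted (assumed policy).
func Apply(mode string, ipv6 bool, rules [][]string, run Runner) (int, error) {
	bins, err := Commands(mode, ipv6)
	if err != nil {
		return 0, err
	}
	v6Failures := 0
	for _, bin := range bins {
		for _, rule := range rules {
			err := run(bin, rule)
			if err != nil && bin == bins[0] {
				return 0, fmt.Errorf("%s %v: %w", bin, rule, err)
			} else if err != nil {
				log.Printf("ignoring %s failure: %v", bin, err)
				v6Failures++
			}
		}
	}
	return v6Failures, nil
}

func main() { // dry run: print each command instead of executing it
	run := func(bin string, args []string) error { fmt.Println(bin, args); return nil }
	fmt.Println(Apply("nft", true, [][]string{{"-t", "nat", "-N", "EXAMPLE_CHAIN"}}, run))
}
```

Because an ip6tables failure does not abort, a node without kernel IPv6 support still starts; the log line is the only signal that no IPv6 redirect rules are in place.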