Skip to content

ipsec: Simplify XFRM FWD policies #21602

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Oct 10, 2022
Merged

ipsec: Simplify XFRM FWD policies #21602

merged 3 commits into from
Oct 10, 2022
+29 −29

Conversation

pchaigno
Copy link
Member

@pchaigno pchaigno commented Oct 6, 2022

This pull request implements various simplifications of our XFRM FWD policies and the code that installs them. See commits for details.

@pchaigno pchaigno added area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. release-note/misc This PR makes changes that have no direct user impact. needs-backport/1.10 labels Oct 6, 2022
@pchaigno pchaigno marked this pull request as ready for review October 6, 2022 11:28
@pchaigno pchaigno requested review from a team as code owners October 6, 2022 11:28
christarazi
christarazi approved these changes Oct 7, 2022
View reviewed changes
Copy link
Member

@christarazi christarazi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice cleanup.

jrfastab
jrfastab approved these changes Oct 10, 2022
View reviewed changes
Copy link
Contributor

@jrfastab jrfastab left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@pchaigno pchaigno added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Oct 10, 2022
@pchaigno
ipsec: Set 0/0 as source of FWD XFRM policy
9e8085d 
We want the FWD XFRM policy to allow all traffic through so we can
simply set its source CIDR to 0.0.0.0/0. Similarly, the source IP used
in the template doesn't matter so we can set it to 0.0.0.0 to clarify
that to the kernel.

Signed-off-by: Paul Chaignon <[email protected]>
@pchaigno
ipsec: Remove superfluous FWD XFRM policy
e158481 
We currently install two FWD XFRM policies: one as part of
UpsertIPsecEndpoint when called for the In direction and another one as
part of enableIPsec, even though that function already calls
UpsertIPsecEndpoint.

Only one FWD XFRM policy is needed to match all forward traffic.
This commit removes one of the policies.

Signed-off-by: Paul Chaignon <[email protected]>
@pchaigno
ipsec: Simplify UpsertIPsecEndpoint prototype
2650e0a 
The `fwd` argument of the UpsertIPsecEndpoitn function is used as the
matching CIDR for the destination in the FWD XFRM policy. That CIDR
should always be equal to the local CIDR and we already have that as the
first argument of UpsertIPsecEndpoint. Therefore, we don't need the
third, `fwd`, argument. This commit removes it.

Signed-off-by: Paul Chaignon <[email protected]>
@pchaigno pchaigno force-pushed the ipsec-simplify-xfrm-fwd-policies branch from 96d788e to 2650e0a Compare October 10, 2022 09:51
@pchaigno pchaigno removed the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Oct 10, 2022
@pchaigno
Copy link
Member Author

/test

@sayboras
Copy link
Member

sayboras commented Oct 10, 2022
edited
Loading

All required tests are passed, mark ready to merge.

@sayboras sayboras added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Oct 10, 2022
@sayboras sayboras merged commit b1d7882 into cilium:master Oct 10, 2022
This was referenced Oct 10, 2022
Merged
Merged
@maintainer-s-little-helper maintainer-s-little-helper bot removed the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Oct 10, 2022
@pchaigno pchaigno deleted the ipsec-simplify-xfrm-fwd-policies branch October 10, 2022 13:47
@sayboras sayboras mentioned this pull request Oct 10, 2022
Merged
5 tasks
@sayboras sayboras added backport-pending/1.12 backport-done/1.11 The backport for Cilium 1.11.x for this PR is done. backport-done/1.12 The backport for Cilium 1.12.x for this PR is done. and removed needs-backport/1.12 labels Oct 10, 2022
This was referenced Oct 11, 2022
Merged
Merged
Merged
@pchaigno pchaigno mentioned this pull request Nov 11, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jrfastab jrfastab

@christarazi christarazi

@YutaroHayakawa YutaroHayakawa

Assignees
No one assigned
Labels
area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. backport-done/1.11 The backport for Cilium 1.11.x for this PR is done. backport-done/1.12 The backport for Cilium 1.12.x for this PR is done. release-note/misc This PR makes changes that have no direct user impact.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@pchaigno @sayboras @jrfastab @christarazi