Windows LoopbackDSR policy missing for IPv6

Open daschott opened this issue 1 year ago • 4 comments

What happened: Consider the following scenario: src pod -> service VIP -> dst pod, such that dst pod = src pod.

This is failing because there is no loopbackDSR policy for IPv6 plumbed in the endpoint policies.

IPv4 loopbackDSR policy (IPv4 works)

    {
        "Type": "OutBoundNAT",
        "Settings": {
            "Destinations": [
                "10.128.30.203"
            ]
        }
    }

Azure CNI needs to add equivalent policy but with IPv6 address as well. This is missing:

    {
        "Type": "OutBoundNAT",
        "Settings": {
            "Destinations": [
                "fd30:87e5:69dc:c5d2::275b"
            ]
        }
    }

Specifically, this method needs to be extended to also add loopbackDSR policy with IPv6 address: https://github.com/Azure/azure-container-networking/blob/a12222bd1a7cc7146ce9af5502174046c1915862/cni/network/network_windows.go#L336

What you expected to happen:
I expect to be able to connect to v6 address.

How to reproduce it:
1. Create dual-stack service with 1 pod.
2. Run "k get svc" to get the service v4 and v6 external endpoints.
3. Run "k get pods -o wide" to get pods for the namespace.
4. Exec into pod.
5. Run tnc <v4-external-ip> -Port 80, this succeeds.
6. Run tnc <v6-external-ip> -Port 80, this fails and needs to be investigated.

Orchestrator and Version (e.g. Kubernetes, Docker):
Kubernetes

Operating System (Linux/Windows):
Windows

Kernel (e.g. uname -a for Linux or $(Get-ItemProperty -Path "C:\windows\system32\hal.dll").VersionInfo.FileVersion for Windows):
Windows Server 2022

Anything else we need to know?:

daschott avatar Feb 20 '24 22:02 daschott
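One way to check an endpoint for the gap described in the issue above, as an added example that is not code from the issue author or from azure-container-networking: it reports every endpoint IP that no `OutBoundNAT` policy lists under `Destinations`. The function name `MissingLoopbackDSR`, the `policy` struct and the input format (the endpoint's policies as a JSON array) are assumptions; the sample data is constructed from the addresses in the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
)

// policy mirrors only the fields visible in the issue's JSON excerpts.
type policy struct {
	Type     string
	Settings struct{ Destinations []string }
}

// Constructed sample: the issue's endpoint with only the IPv4 policy plumbed.
const samplePolicies = `[{"Type":"OutBoundNAT","Settings":{"Destinations":["10.128.30.203"]}}]`

// MissingLoopbackDSR (hypothetical helper) returns the endpoint IPs that no
// OutBoundNAT policy lists as a destination, comparing parsed addresses.
func MissingLoopbackDSR(policiesJSON []byte, endpointIPs []string) ([]string, error) {
	var policies []policy
	if err := json.Unmarshal(policiesJSON, &policies); err != nil {
		return nil, fmt.Errorf("parse policies: %w", err)
	}
	covered := map[netip.Addr]bool{}
	for _, p := range policies {
		for _, d := range p.Settings.Destinations {
			// Entries that are not plain addresses are skipped.
			if a, err := netip.ParseAddr(d); err == nil && p.Type == "OutBoundNAT" {
				covered[a.Unmap()] = true
			}
		}
	}
	var missing []string
	for _, ip := range endpointIPs {
		a, err := netip.ParseAddr(ip)
		if err != nil {
			return nil, fmt.Errorf("endpoint IP %q: %w", ip, err)
		}
		if !covered[a.Unmap()] {
			missing = append(missing, ip)
		}
	}
	return missing, nil
}

func main() {
	fmt.Println(MissingLoopbackDSR([]byte(samplePolicies), []string{"10.128.30.203", "fd30:87e5:69dc:c5d2::275b"}))
}
```

Because addresses are parsed before comparison, an IPv6 destination written in expanded or upper-case form still counts as covering the endpoint.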

@daschott can you clarify

Run "tnc -Port 80", this succeeds Run "tnc -Port 80", this fails and needs to be investigated

should one of those be a different command?

rbtr avatar Feb 20 '24 22:02 rbtr

@rbtr sorry formatting issue, fixed now.

daschott avatar Feb 20 '24 22:02 daschott

ack

rbtr avatar Feb 20 '24 22:02 rbtr

This issue is stale because it has been open for 2 weeks with no activity. Remove stale label or comment or this will be closed in 7 days

github-actions[bot] avatar Mar 06 '24 00:03 github-actions[bot]

Issue closed due to inactivity.

github-actions[bot] avatar Mar 14 '24 00:03 github-actions[bot]

This issue is documenting a regression that will impact all dual-stack IPv4/IPv6 customers. It is likely not a P0 scenario but this issue should remain open until it is addressed, at least to serve as documentation.

daschott avatar Mar 14 '24 17:03 daschott

@ashvindeodhar this needs your attention

rbtr avatar Mar 14 '24 22:03 rbtr

This issue is stale because it has been open for 2 weeks with no activity. Remove stale label or comment or this will be closed in 7 days

github-actions[bot] avatar Mar 29 '24 00:03 github-actions[bot]

Issue closed due to inactivity.

github-actions[bot] avatar Apr 05 '24 00:04 github-actions[bot]