Add missing inner IP header in ICMP error-reply packet
With the existing code, icmp packet reply can not be decoded because it has the following format:
ipv4 packet = ipv4 + icmp + orig_ipv4 (has all 0s) + original_data(first 8 bytes)
ipv6 packet = ipv6 + icmpv6 + orig_ipv6 (has all 0s) + original_data(first 64 bytes)
This change adds the missing inner ip header so that packet can be correctly decoded.
ipv4 packet = ipv4 + icmp + orig_ipv4 + 8 bytes of original data
ipv6 packet = ipv6 + icmpv6 + orig_ipv6 + 64 bytes of original data
Fixes: #21236
Signed-off-by: Nishant Burte [email protected]
Commit f25c7c1141cc4b719e042e7b222752254cd89488 does not contain "Signed-off-by".
Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin
@nnbu there seem to be quite a few commits which are not related to this PR. Is this intentional?
No sorry. I am not very familiar with the process. I am trying to correct this.
My tests are failing saying login/authentication failures.
E.g. https://github.com/nnbu/cilium/actions/runs/3026506501
Could someone tell what I am missing?
Thanks. Can I suggest you add the same kind of support for dsr_reply_icmp6?
Yes, I have now added it for dsr_reply_icmp6.
This is the ipv4 response of the form: ipv4 + icmpv4 + inner_ipv4 + 8 bytes. Check using any packet decoder like https://hpd.gasmi.net/
00 50 56 82 78 82 00 50 56 82 3B FB 08 00 45 00 00 38 81 EB 40 00 40 01 C3 62 0A 01 01 85 15 00 D4 F1 03 04 19 A5 00 00 05 D4 45 00 05 D5 81 EB 00 00 40 11 1F C5 15 00 D4 F1 15 00 D4 76 07 D0 0D 03 05 C1 C2 EE
This is the ipv6 response of the form: ipv6 + icmpv6 + inner_ipv6 + 64 bytes. Check using any packet decoder like https://hpd.gasmi.net/
00 50 56 82 78 82 00 50 56 82 3B FB 86 DD 60 0E 7C 41 00 70 3A 40 26 20 00 00 10 00 26 31 00 03 00 10 00 03 01 22 26 20 00 00 10 00 26 31 02 50 56 FF FE 82 78 82 02 00 9B FF 00 00 05 C4 60 0E 7C 41 05 9D 11 40 26 20 00 00 10 00 26 31 02 50 56 FF FE 82 78 82 26 20 00 00 10 00 26 31 00 03 00 10 00 02 00 02 07 D0 0D 03 05 9D 00 00 35 4D BF 95 43 C4 BE 62 EB 5D 2E 23 DF E4 E3 69 00 94 19 6B E5 40 CF B6 31 CA 79 64 F7 77 8D 76 42 1A 40 A1 2F 60 BE EC B9 C1 90 A1 90 66 A4 70 3F 2F C6 7D FA D5 77 03
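An offline check of the IPv4 sample above, added here as an example and not part of the PR or of Cilium's code: it decodes the frame, validates the checksums, and flags an all-zero inner header. The function names are this example's own, `ZEROED_V4` is constructed from the sample to mimic the pre-fix layout, and the source/destination comparison assumes no NAT between the original sender and the node that generated the error.

```python
import ipaddress
import struct

# IPv4 sample copied from the comment above (70-byte Ethernet frame).
SAMPLE_V4 = bytes.fromhex(
    "00 50 56 82 78 82 00 50 56 82 3B FB 08 00 45 00 00 38 81 EB 40 00 40 01"
    " C3 62 0A 01 01 85 15 00 D4 F1 03 04 19 A5 00 00 05 D4 45 00 05 D5 81 EB"
    " 00 00 40 11 1F C5 15 00 D4 F1 15 00 D4 76 07 D0 0D 03 05 C1 C2 EE")
# Constructed for contrast: the same frame with the inner header zeroed,
# i.e. the pre-fix layout described in the PR text.
ZEROED_V4 = SAMPLE_V4[:42] + bytes(20) + SAMPLE_V4[62:]


def csum_ok(data: bytes) -> bool:
    """RFC 1071: valid data, checksum field included, folds to 0xFFFF."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_ipv4(hdr: bytes) -> dict:
    f = struct.unpack("!BBHHHBBH4s4s", hdr[:20])
    return {"ver": f[0] >> 4, "ihl": (f[0] & 0xF) * 4, "len": f[2], "proto": f[6],
            "src": str(ipaddress.IPv4Address(f[8])), "dst": str(ipaddress.IPv4Address(f[9]))}


def check_icmp4_error(frame: bytes) -> dict:
    """Decode Ethernet + IPv4 + ICMP error and list what a decoder would reject."""
    outer = parse_ipv4(frame[14:34])
    icmp = frame[14 + outer["ihl"]:14 + outer["len"]]
    inner_raw = icmp[8:28]
    inner = parse_ipv4(inner_raw)
    problems = []
    if not csum_ok(icmp):
        problems.append("bad ICMP checksum")
    if not any(inner_raw):
        problems.append("inner IPv4 header is all zeros")
    elif inner["ver"] != 4 or not csum_ok(inner_raw[:inner["ihl"]]):
        problems.append("inner IPv4 header is malformed")
    elif inner["src"] != outer["dst"]:  # assumption: no NAT in between
        problems.append("error is not addressed to the original sender")
    return {"type": icmp[0], "code": icmp[1], "mtu": int.from_bytes(icmp[6:8], "big"),
            "outer": outer, "inner": inner, "quoted": icmp[8 + inner["ihl"]:],
            "problems": problems}
```

A valid IPv4 header sums to zero in one's-complement arithmetic, so zeroing it leaves the ICMP checksum of the constructed frame valid; the all-zero check is the only one that fires on `ZEROED_V4`.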
@sahid Could you approve the request if all the queries are answered satisfactorily?
Sure, sorry @nnbu I was off the last couple of days. I will have a look shortly :-)
/test
Job 'Cilium-PR-K8s-1.25-kernel-net-next' failed:
Test Name: K8sDatapathConfig Check BPF masquerading with ip-masq-agent VXLAN
Failure Output: FAIL: Failed to add ip route
If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.25-kernel-net-next so I can create one.
Hello @nnbu, checkpatch did not pass; you will have to fix some cosmetic points.
Thank you. make -C bpf checkpatch now passes.
/test
Job 'Cilium-PR-K8s-1.16-kernel-4.9' failed:
Test Name: K8sDatapathConfig Host firewall With native routing
Failure Output: FAIL: Failed to reach 10.0.1.241:80 from testclient-host-6gwmc
If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.16-kernel-4.9 so I can create one.
@sayboras The test failures look to be unrelated to my change. Could you suggest the next steps please?
:wave: we will need one review from datapath team
cc @cilium/sig-datapath
Commit 36cf8296cfdf85ccf336277cd9c1a1e328c8a656 does not contain "Signed-off-by".
Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin
Overall logic looks good. There are some nits. At least the indentation miss should be fixed. Rest are non-blocker.
@YutaroHayakawa addressed all the comments.
/test
/test
@YutaroHayakawa There are 2 tests failing, but they don't look related to my changes. e.g. one of the failures is 663 Error: unknown flag: --backend-weights
Anything to be done from my side?
Also, waiting for results on 4 tests k8s-.*-kernel-.*. Not sure if they take more time or did not run at all.
You need some permissions to trigger the Jenkins jobs, so they didn't run.
/test
Commit c626e0234e71e05a01fb20f84d60ec046124cf0d does not contain "Signed-off-by".
Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin
/test
@YutaroHayakawa I see 2 test failures. Looking for some pointers.
1. Travis CI - This build failure happens only on amd64. The error looks to be unrelated to the changes
gpg: can't open 'clang+llvm-10.0.0-x86_64-linux-gnu-ubuntu-18.04.tar.xz.sig': No such file or directory
gpg: verify signatures failed: No such file or directory
ERROR: Failed to verify clang+llvm-10.0.0-x86_64-linux-gnu-ubuntu-18.04.tar.xz
2. The other cluster mesh failure should not be encountered due to my code. Is the test flaky?
❌ command "curl -w %{local_ip}:%{local_port} -> %{remote_ip}:%{remote_port} = %{response_code} --silent --fail --show-error --connect-timeout 5 --output /dev/null http://echo-other-node:8080" failed: command terminated with exit code 28
ℹ️ curl output:
curl: (28) Connection timeout after 5001 ms
:0 -> :0 = 000
Maybe you retried 1. and succeeded?
For 2. it seems it is a known flake (https://github.com/cilium/cilium/issues/21655). And I agree that it is not related to your changes. I think we can ignore that.
Travis CI build now passed after it was restarted.
@YutaroHayakawa Can we also cherry-pick this bug fix in v1.11?