
CFP: Source routing for L2 Announced / LB IPAM managed addresses

Open zviratko opened this issue 1 year ago • 1 comment

Cilium Feature Proposal

Is your proposed feature related to a problem?

Apparently this worked in the past (<v1.11) if I'm reading https://github.com/cilium/cilium/issues/18712 correctly.

Describe the feature you'd like

I am creating a Talos cluster with several VLAN interfaces where ExternalIPs (VIPs) are wanted on one of the VLANs (and different VLANs will host VIPs from different subnets), but there's no node interface with an address in the same range and no routes on those interfaces (default route goes through the internal network). Accepting the connection works, but the response is routed according to the kernel route table, not back by the same route (to the original MAC by the original interface). I know this is a longstanding feature of many implementations, but I think Cilium could handle this gracefully if wanted (and it did).

.. at least I'm assuming this is expected behaviour and not something that I broke in my setup.

(Optional) Describe your proposed solution

Two solutions come to mind:

1. (Optionally) Preserve the original source MAC and interface inside the Cilium networking stack and reuse it for the response.
   * This would be the most user friendly solution and would do what I think most people just want out of the box; I don't think this setup is so exotic.
2. Allow the specification of routing policies for L2 Announced or LB IPAM assigned addresses like we can do with iproute, but embedded in Cilium CRDs. I am able to get it to work by inserting routing rules in the cilium-agent like so, and it seems to work fine. I'd prefer a more supported solution, though. It wouldn't be so bad if I wasn't running Talos... :)

```sh
# name routing table 30 "svcnet" so it can be referenced by name below
echo 30 svcnet >> /etc/iproute2/rt_tables
# send traffic for the service network through the dedicated table
ip rule add to 10.64.4.0/24 lookup svcnet
# in that table, the service network lives on the VLAN interface...
ip route add 10.64.4.0/24 dev eth0.1004 table svcnet
# ...and everything else goes via the gateway on that VLAN
ip route replace default via 10.64.4.250 table svcnet
```

^ `eth0.1004` is the interface which has no node addresses; `10.64.4.250` is the gateway handling incoming traffic to the service network.

Thank you

zviratko avatar Mar 27 '24 13:03 zviratko
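The policy-routing workaround from the post above, rewritten as an idempotent, parameterised script. This is an added example, not code from the issue, from Cilium or from Talos: the variable names, the `DRY_RUN` switch and the `have_rule`/`have_route` checks are assumptions of this example, while the default values (table 30 `svcnet`, `10.64.4.0/24`, `eth0.1004`, `10.64.4.250`) are the ones posted in the issue. It defaults to printing the commands so it can be reviewed before it is run with `DRY_RUN=0` on a node (requires `CAP_NET_ADMIN`).

```sh
#!/bin/sh
# Added example (not from the issue or Cilium): idempotent policy routing for a
# service subnet that lives on a VLAN interface without a node address.
set -eu

SVC_NET="${SVC_NET:-10.64.4.0/24}"    # LB IPAM / L2-announced service subnet (value from the issue)
SVC_IFACE="${SVC_IFACE:-eth0.1004}"   # VLAN interface carrying that subnet (value from the issue)
SVC_GW="${SVC_GW:-10.64.4.250}"       # gateway delivering traffic for the subnet (value from the issue)
TABLE_ID="${TABLE_ID:-30}"            # routing table number (value from the issue)
TABLE_NAME="${TABLE_NAME:-svcnet}"    # friendly table name, only used for readability
DRY_RUN="${DRY_RUN:-1}"               # 1 = print commands (default), 0 = execute them (assumed switch)

# Execute a command, or print it when DRY_RUN=1 so the change can be reviewed first.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# True when a rule/route containing the given text is already installed.
# If `ip` is missing or unprivileged, nothing is found, which counts as "not present".
have_rule()  { ip -o rule show 2>/dev/null | grep -qF "$1"; }
have_route() { ip -o route show table "$TABLE_ID" 2>/dev/null | grep -qF "$1"; }

# Register the table name once; commands below use the numeric id, so this is
# purely cosmetic (`ip route show table svcnet` works after it).
name_table() {
  if ! grep -qs "^$TABLE_ID[[:space:]]\{1,\}$TABLE_NAME\$" /etc/iproute2/rt_tables; then
    run sh -c "echo '$TABLE_ID $TABLE_NAME' >> /etc/iproute2/rt_tables"
  fi
}

# Install the rules from the issue, skipping anything already present.
# The selector matches on destination, exactly as in the posted commands.
apply_svcnet_routing() {
  name_table
  have_rule "to $SVC_NET lookup" \
    || run ip rule add to "$SVC_NET" lookup "$TABLE_ID"
  have_route "$SVC_NET dev $SVC_IFACE" \
    || run ip route add "$SVC_NET" dev "$SVC_IFACE" table "$TABLE_ID"
  # `replace` is idempotent by itself; `dev` makes the nexthop interface explicit.
  run ip route replace default via "$SVC_GW" dev "$SVC_IFACE" table "$TABLE_ID"
}

# Undo the change (rule first, then the whole table).
remove_svcnet_routing() {
  if have_rule "to $SVC_NET lookup"; then
    run ip rule del to "$SVC_NET" lookup "$TABLE_ID"
  fi
  run ip route flush table "$TABLE_ID"
}

# Show what the kernel will actually do; `ip route get` for an address in the
# service subnet is expected to report "dev $SVC_IFACE" once the policy is active.
show_svcnet_routing() {
  run ip rule show
  run ip route show table "$TABLE_ID"
  run ip route get "$SVC_GW"
}

main() {
  case "${1:-apply}" in
    apply)  apply_svcnet_routing ;;
    remove) remove_svcnet_routing ;;
    show)   show_svcnet_routing ;;
    *) echo "usage: $0 [apply|remove|show]" >&2; exit 2 ;;
  esac
}

main "${1:-apply}"
```

Run it as `DRY_RUN=1 sh svcnet-routing.sh apply` to see the exact commands, then with `DRY_RUN=0` to install them, and `show` to confirm the rule and table are in place. The rule selector is the destination-based one the issue uses; whether reply traffic sourced from the VIP toward clients outside the service subnet also needs a `from $SVC_NET` selector depends on how the datapath emits those packets, which the issue does not settle, so verify with `show` (and a real client) rather than assuming.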

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

github-actions[bot] avatar May 27 '24 01:05 github-actions[bot]

This issue has not seen any activity since it was marked stale. Closing.

github-actions[bot] avatar Jun 10 '24 01:06 github-actions[bot]