1
39%
master: 39%

Ran 02 Aug 2019 12:03AM UTC

Files 436

Run time 37s

Badge

Embed ▾

Committed 01 Aug 2019 11:43PM UTC coverage: 44.142% (-0.02%) from 44.16%

Job # 9662.1

Build Type

push

travis-ci-com

Committed by

ianvernon

Commit Message

cilium: encryption, ensure 0x*d00 and 0x*e00 marks dont cause conflicts

We mark encryption packets with 0xd00 and 0xe00 values to indicate if
the packet should be encrypted (0xe00) or decrypted (0xd00). In the
encryption case we also set the next byte (0x*e00) with the keyID to
encrypt the packet with. This allows multiple keys to be in use at any
specific time.

However, it was observed that the upper bits, where the keyID is
placed, may also be used by kube-proxy. To avoid collision add rules
at the top of iptables to accept any packets with the encrypt/decrypt
mark values. These values will be cleared again before being pushed
to the stack so normal rules will still be hit.

Notice, we already had these rules to exclude encrypted traffic in
the masquerading case. This moves those rules installation to be
done any time encryption is enabled. This issue has existed from the
initial implementation, but our CI and my testing never used those
key id with colliding features.

Fixes: b2b901fb19163 ("cilium: ipsec, add go API to configure xfrm (IPSec)")
Signed-off-by: John Fastabend <john.fastabend@gmail.com>

Coverage Stats

25278 of 57265 relevant lines covered (44.14%)

1181.57 hits per line

cilium / cilium / 9662 / 1
39%
master: 39%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Source Files on job 9662.1

cilium / cilium / 9662 / 1 39% master: 39%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Source Files on job 9662.1

cilium / cilium / 9662 / 1
39%
master: 39%

README BADGES
x