Description
In certain cases, the traffic sent out from a pod has a source IP different from the pod IP. One such case is where the pod acts as a proxy with the IP_TRANSPARENT option enabled, using the client IP as the source IP of the packets. Currently, Calico interfaces are configured to drop any traffic coming out of the pods that does not have the pod's IP as the source IP. This issue seems to be fixed with the allowedSourcePrefixes annotation for iptables-based Calico, but the same feature is not supported for the eBPF dataplane mode.
Expected Behavior
Calico should have the option not to drop packets flowing out of the pod with a different source IP.
Current Behavior
Calico drops packets going out of the pods with a different source IP. Setting bpfLogLevel: Debug displays the following in the BPF trace log:
python3-2237505 [050] ..s2. 778538.987120: bpf_trace_printk: cali39c2a41992a-E: Workload RPF check src=<src-IP> skb iface=66.
python3-2237505 [050] ..s2. 778538.987120: bpf_trace_printk: cali39c2a41992a-E: Workload RPF fail: missing route.
python3-2237505 [050] ..s2. 778538.987122: bpf_trace_printk: cali39c2a41992a-E: Final result=DENY (0). Program execution time: 17473ns
Possible Solution
allowedSourcePrefixes annotation should be implemented for eBPF mode as well.
Steps to Reproduce (for bugs)
- Create a simple Python pod that acts as a proxy that preserves the client IP with the IP_TRANSPARENT option enabled.
- Set bpfLogLevel: Debug in felixconfiguration
- Send Python packets to the pod
- Run tcpdump both on the host machine running the pod and in the pod itself
- Listen to the bpf logs (e.g. with the command tc exec bpf debug)
Context
This bug arose as we were trying to implement source IP preservation with pods that act as a proxy. We encountered the issue both with an Nginx pod and with a custom Python script.
Your Environment
- Calico version - v3.29.2
- Calico dataplane - eBPF
- Orchestrator version - v1.31
- Operating System and version - Ubuntu 22.04
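Added example, written here to tie the reproduction steps to the trace quoted above; it is not code from the issue author or from the Calico project. It shows how a transparent proxy ends up emitting packets whose source is the client IP rather than the pod IP, models the allow decision the issue asks the eBPF dataplane to make (pod IP or an allowed prefix), and parses the "Workload RPF" trace lines. Assumptions: the pod IP 10.244.1.5, the client address 192.0.2.10 and the sample trace are constructed; `connect_as_client` needs CAP_NET_ADMIN on a Linux host and is not exercised by the checks; `egress_source_allowed` is only a model of the requested behaviour, not Calico's implementation. For reference, the iptables-mode annotation the issue refers to is cni.projectcalico.org/allowedSourcePrefixes in Calico's CNI docs.

```python
"""Added example; not code from the Calico issue or the Calico project.

Shows (1) how a transparent proxy sends packets whose source IP is the
client's rather than the pod's, (2) the allow decision a per-pod
"allowed source prefixes" list implies, and (3) a parser for the
"Workload RPF" trace lines quoted in the issue."""
import ipaddress
import re
import socket

# Linux value from <linux/in.h>; older Pythons lack socket.IP_TRANSPARENT.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)


def connect_as_client(client_ip: str, upstream: tuple) -> socket.socket:
    """Open the upstream leg of a transparent proxy with client_ip as source.

    Needs CAP_NET_ADMIN on Linux: IP_TRANSPARENT lets bind() use an address
    that is not configured on any local interface. Packets leaving the pod
    then carry client_ip, which is what trips Calico's workload RPF check
    in the eBPF dataplane. Not executed by the checks below."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_IP, IP_TRANSPARENT, 1)
    s.bind((client_ip, 0))  # source address = original client, ephemeral port
    s.connect(upstream)
    return s


def egress_source_allowed(src_ip: str, pod_ip: str, allowed_prefixes=()) -> bool:
    """Model of the decision the issue requests for eBPF mode: accept the
    packet if its source is the pod IP or lies inside an allowed prefix."""
    src = ipaddress.ip_address(src_ip)
    if src == ipaddress.ip_address(pod_ip):
        return True
    return any(src in ipaddress.ip_network(p, strict=False) for p in allowed_prefixes)


# Line layout follows the bpf_trace_printk output quoted in the issue.
_TRACE_RE = re.compile(
    r"bpf_trace_printk: (?P<iface>\S+): "
    r"(?:Workload RPF check src=(?P<src>\S+)"
    r"|Workload RPF fail: (?P<reason>[^.\n]+)"
    r"|Final result=(?P<result>\w+))"
)


def parse_rpf_events(trace_text: str) -> list:
    """Extract RPF check / fail / final-result events per Calico interface."""
    events = []
    for line in trace_text.splitlines():
        m = _TRACE_RE.search(line)
        if not m:
            continue
        ev = {"iface": m.group("iface")}
        if m.group("src"):
            ev.update(event="check", src=m.group("src"))
        elif m.group("reason"):
            ev.update(event="fail", reason=m.group("reason").strip())
        else:
            ev.update(event="result", result=m.group("result"))
        events.append(ev)
    return events


def explain_drop(trace_text: str, pod_ip: str, allowed_prefixes=()) -> str:
    """Tie the trace to the policy: which source failed RPF, and whether an
    allowed-prefix list would have let it through."""
    events = parse_rpf_events(trace_text)
    src = next((e["src"] for e in events if e["event"] == "check"), None)
    failed = any(e["event"] == "fail" for e in events)
    if src is None or not failed:
        return "no RPF failure in trace"
    verdict = "allowed" if egress_source_allowed(src, pod_ip, allowed_prefixes) else "dropped"
    return f"src {src} != pod {pod_ip}: {verdict} with prefixes {list(allowed_prefixes)}"


# Constructed sample in the format of the issue's trace; 192.0.2.10 is a
# documentation address standing in for the redacted client IP.
SAMPLE_TRACE = """\
python3-2237505 [050] ..s2. 778538.987120: bpf_trace_printk: cali39c2a41992a-E: Workload RPF check src=192.0.2.10 skb iface=66.
python3-2237505 [050] ..s2. 778538.987120: bpf_trace_printk: cali39c2a41992a-E: Workload RPF fail: missing route.
python3-2237505 [050] ..s2. 778538.987122: bpf_trace_printk: cali39c2a41992a-E: Final result=DENY (0). Program execution time: 17473ns
"""

if __name__ == "__main__":
    # Assumed pod IP 10.244.1.5: first call shows the drop, second what an
    # allowed-prefix list covering the client range would change.
    print(explain_drop(SAMPLE_TRACE, "10.244.1.5"))
    print(explain_drop(SAMPLE_TRACE, "10.244.1.5", ["192.0.2.0/24"]))
```

Run it inside the proxy pod with `bpfLogLevel: Debug` on and the real trace pasted in place of `SAMPLE_TRACE` to confirm that the dropped source is the client address the proxy bound to, rather than some other misconfiguration; the "missing route" reason matches the trace because the eBPF dataplane finds no route back to that source via the pod's interface.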