CFP: Add support for GRE-over-IP with host firewall #26178
Comments
|
Thanks for the feature request. I think that support for this is in line with the direction of the project, subject to seeing a concrete implementation proposal. If you or anyone is interested in solving this problem, you could consider creating a proposal design doc to initiate discussion on the solution, or perhaps propose a PR to demonstrate what the solution could look like. At that point, as a community we can review the proposals and help to guide the solution into the tree. Feel free to stop by the community meeting to help raise awareness of any such efforts. |
joestringer
added
the
help-wanted
|
Guys, happy to help on this one. I would just need some guidance.
|
|
Thank you for your interest. @sterchelen the setup I am using consists of Ubuntu 22.04.2 LTS and the kernel updated to version 6.1.31. I am running K3S v1.25.5, with kube-proxy, servicelb and flannel disabled. I have Cilium 1.13.3 deployed with helm, and metallb as a load balancer. My values for Cilium: cluster:
id: 0
name: default
k8sServiceHost: "127.0.0.1"
k8sServicePort: "6443"
bpf:
masquerade: true
ipam:
mode: "cluster-pool"
operator:
clusterPoolIPv4PodCIDR: "10.43.0.0/16"
clusterPoolIPv4MaskSize: 24
encryption:
nodeEncryption: false
kubeProxyReplacement: "strict"
operator:
replicas: 1
serviceAccounts:
cilium:
name: cilium
operator:
name: cilium-operator
tunnel: vxlan
hostFirewall:
enabled: true
policyEnforcementMode: always
policyAuditMode: false
extraConfig:
allow-localhost: "policy"
bandwidthManager:
enabled: true
bbr: trueThe tunnel is managed by another provider, however if you need help on how you can set up a similar one, let me know and I will be more than happy to write down the steps on how to do it. |
|
@sterchelen awesome! There's a template available under the design cfps repo here, see the cfps directory: https://github.com/cilium/design-cfps/ . It's common to just copy that into a Google doc and post it on a Cilium issue like this one first + ping folks in order to get initial feedback and iterate on a version of the doc. We can also advertize it in the community meeting for folks who join, and of course in #development on Slack. From there, when the design appears to be converging, we can turn it into a markdown doc and put it into a PR on https://github.com/cilium/design-cfps/ for review & acceptance. |
@steveb05 Please, yes 🙏🏼. |
|
@sterchelen Here you go: https://docs.google.com/document/d/1JlEMPZI0m-WXVNl9QUqUVhdy9b-V1Df7-wfSrBCj-qc/edit?usp=sharing If you have any questions or need help let me know and I will respond as soon as I can. |
|
Thank you @steveb05, next week I'll take some time to setup my lab to test and see how we could implement this feature. |
|
Hey @sterchelen, how it's going? Were you able to configure the tunnel on your home lab? |
|
This issue has been automatically marked as stale because it has not |
github-actions
bot
added
the
stale
|
I can try to write a proposal design doc however there are some questions I would like to ask, do I have to ask them in the development channel on slack? |
github-actions
bot
removed
the
stale
|
You're welcome to ask the questions here or on Slack. If you reshare the post onto Slack then there's a higher likelihood that others will see it. |
|
This issue has been automatically marked as stale because it has not |
github-actions
bot
added
the
stale
|
This issue has not seen any activity since it was marked stale. |
Cilium Feature Proposal
Is your feature request related to a problem?
We have some nodes using a GRE tunnel to communicate, however, this in combination with Cilium's host firewall makes the node unreachable, due to the fact that the host firewall currently does not support GRE-over-IP, causing the packets coming from the router to be dropped with the reason
CT: Unknown L4 protocol.Describe the feature you'd like
The ability to use Cilium's host firewall with GRE tunnels.
The text was updated successfully, but these errors were encountered: