From 1bb8a1bd4aa99dad4706394562053e91545725f8 Mon Sep 17 00:00:00 2001
From: Trekkie Coder
Date: Wed, 27 Nov 2024 14:28:14 +0900
Subject: [PATCH 1/2] loxilb-io/loxilb#675 Initial support for proxy protocol v2
---
 api/models/loadbalance_entry.go | 3 +++
 api/restapi/embedded_spec.go | 12 ++++++++++++
 api/restapi/handler/loadbalancer.go | 2 ++
 common/common.go | 2 ++
 pkg/loxinet/dpbroker.go | 1 +
 pkg/loxinet/dpebpf_linux.go | 7 ++++++-
 pkg/loxinet/rules.go | 6 ++++++
 7 files changed, 32 insertions(+), 1 deletion(-)
diff --git a/api/models/loadbalance_entry.go b/api/models/loadbalance_entry.go
index 4932c847..a469c773 100644
--- a/api/models/loadbalance_entry.go
+++ b/api/models/loadbalance_entry.go
@@ -460,6 +460,9 @@ type LoadbalanceEntryServiceArguments struct {
 // value for access protocol
 Protocol string `json:"protocol,omitempty"`
+ // flag to enable proxy protocol v2
+ Proxyprotocolv2 bool `json:"proxyprotocolv2,omitempty"`
+
 // value for Security mode (0-Plain, 1-HTTPs)
 Security int32 `json:"security,omitempty"`
diff --git a/api/restapi/embedded_spec.go b/api/restapi/embedded_spec.go
index 1270a0b5..94ff3998 100644
--- a/api/restapi/embedded_spec.go
+++ b/api/restapi/embedded_spec.go
@@ -5205,6 +5205,10 @@ func init() {
 "description": "value for access protocol",
 "type": "string"
 },
+ "proxyprotocolv2": {
+ "description": "flag to enable proxy protocol v2",
+ "type": "boolean"
+ },
 "security": {
 "description": "value for Security mode (0-Plain, 1-HTTPs)",
 "type": "integer",
@@ -11469,6 +11473,10 @@ func init() {
 "description": "value for access protocol",
 "type": "string"
 },
+ "proxyprotocolv2": {
+ "description": "flag to enable proxy protocol v2",
+ "type": "boolean"
+ },
 "security": {
 "description": "value for Security mode (0-Plain, 1-HTTPs)",
 "type": "integer",
@@ -11612,6 +11620,10 @@ func init() {
 "description": "value for access protocol",
 "type": "string"
 },
+ "proxyprotocolv2": {
+ "description": "flag to enable proxy protocol v2",
+ "type": "boolean"
+ },
 "security": {
 "description": "value for Security mode (0-Plain, 1-HTTPs)",
 "type": "integer",
diff --git a/api/restapi/handler/loadbalancer.go b/api/restapi/handler/loadbalancer.go
index 90f2398a..b38a99d5 100644
--- a/api/restapi/handler/loadbalancer.go
+++ b/api/restapi/handler/loadbalancer.go
@@ -49,6 +49,7 @@ func ConfigPostLoadbalancer(params operations.PostConfigLoadbalancerParams) midd
 lbRules.Serv.Name = params.Attr.ServiceArguments.Name
 lbRules.Serv.Oper = cmn.LBOp(params.Attr.ServiceArguments.Oper)
 lbRules.Serv.HostUrl = params.Attr.ServiceArguments.Host
+ lbRules.Serv.ProxyProtocolV2 = params.Attr.ServiceArguments.Proxyprotocolv2
 if lbRules.Serv.Proto == "sctp" {
 for _, data := range params.Attr.SecondaryIPs {
@@ -173,6 +174,7 @@ func ConfigGetLoadbalancer(params operations.GetConfigLoadbalancerAllParams) mid
 tmpSvc.Name = lb.Serv.Name
 tmpSvc.Snat = lb.Serv.Snat
 tmpSvc.Host = lb.Serv.HostUrl
+ tmpSvc.Proxyprotocolv2 = lb.Serv.ProxyProtocolV2
 tmpLB.ServiceArguments = &tmpSvc
diff --git a/common/common.go b/common/common.go
index 2c6b2a09..46e626a1 100644
--- a/common/common.go
+++ b/common/common.go
@@ -581,6 +581,8 @@ type LbServiceArg struct {
 Snat bool `json:"snat"`
 // HostUrl - Ingress Specific URL path
 HostUrl string `json:"path"`
+ // ProxyProtocolV2 - Enable proxy protocol v2
+ ProxyProtocolV2 bool `json:"proxyprotocolv2"`
 }
 // LbEndPointArg - Information related to load-balancer end-point
diff --git a/pkg/loxinet/dpbroker.go b/pkg/loxinet/dpbroker.go
index df5763fc..e2b54f13 100644
--- a/pkg/loxinet/dpbroker.go
+++ b/pkg/loxinet/dpbroker.go
@@ -297,6 +297,7 @@ type LBDpWorkQ struct {
 DsrMode bool
 CsumDis bool
 SrcCheck bool
+ Ppv2En bool
 SecMode SecT
 HostURL string
 Proto uint8
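Review bot: The new `lbRules.Serv.ProxyProtocolV2 = params.Attr.ServiceArguments.Proxyprotocolv2` line accepts the flag for any service protocol, although PROXY protocol v2 is defined for TCP streams and the handler already branches on `lbRules.Serv.Proto` directly below. I would reject the combination at the API boundary, next to the existing `sctp` check, e.g. `if lbRules.Serv.ProxyProtocolV2 && lbRules.Serv.Proto != "tcp" { /* return this handler's usual bad-argument result */ }`, so an invalid rule never reaches the dataplane; how the eBPF side treats the flag on a UDP or SCTP rule is not visible here. The handler's error-return form is outside the hunk, so the rejection needs to follow whatever the surrounding code does. ConfigPostLoadbalancer starts and ends outside the hunk.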
diff --git a/pkg/loxinet/dpebpf_linux.go b/pkg/loxinet/dpebpf_linux.go
index 0d8a0595..ad064b86 100644
--- a/pkg/loxinet/dpebpf_linux.go
+++ b/pkg/loxinet/dpebpf_linux.go
@@ -1022,7 +1022,10 @@ func DpLBRuleMod(w *LBDpWorkQ) int {
 dat.ca.oaux = 1
 }
 if w.SrcCheck {
- dat.chksrc = 1
+ dat.opflags = C.NAT_LB_OP_CHKSRC
+ }
+ if w.Ppv2En {
+ dat.ppv2 = 1
 }
 nxfa := (*nxfrmAct)(unsafe.Pointer(&dat.nxfrms[0]))
@@ -1265,6 +1268,8 @@ func (ct *DpCtInfo) convDPCt2GoObjFixup(ctKey *C.struct_dp_ct_key, ctDat *C.stru
 ct.CState = "sync-ack"
 case t.state == C.CT_TCP_EST:
 ct.CState = "est"
+ case t.state == C.CT_TCP_PEST:
+ ct.CState = "est"
 case t.state == C.CT_TCP_ERR:
 ct.CState = "h/e"
 case t.state == C.CT_TCP_CW:
diff --git a/pkg/loxinet/rules.go b/pkg/loxinet/rules.go
index 9be090f2..531f4e63 100644
--- a/pkg/loxinet/rules.go
+++ b/pkg/loxinet/rules.go
@@ -292,6 +292,7 @@ type ruleEnt struct {
 name string
 inst string
 secMode cmn.LBSec
+ ppv2En bool
 srcList []*allowedSrcElem
 locIPs map[string]struct{}
 }
@@ -819,6 +820,7 @@ func (R *RuleH) GetLBRule() ([]cmn.LbRuleMod, error) {
 ret.Serv.ProbeResp = data.hChk.prbResp
 ret.Serv.Name = data.name
 ret.Serv.HostUrl = data.tuples.path
+ ret.Serv.ProxyProtocolV2 = data.ppv2En
 if data.act.actType == RtActSnat {
 ret.Serv.Snat = true
 }
@@ -1661,6 +1663,7 @@ func (R *RuleH) AddLbRule(serv cmn.LbServiceArg, servSecIPs []cmn.LbSecIPArg, al
 eRule.hChk.prbReq != serv.ProbeReq || eRule.hChk.prbResp != serv.ProbeResp || eRule.pTO != serv.PersistTimeout || eRule.act.action.(*ruleLBActs).sel != lBActs.sel || eRule.act.action.(*ruleLBActs).mode != lBActs.mode ||
+ eRule.ppv2En != serv.ProxyProtocolV2 ||
 len(allowedSources) != len(eRule.srcList) {
 ruleChg = true
 }
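Review bot: `dat.opflags = C.NAT_LB_OP_CHKSRC` in the SrcCheck branch is a plain assignment, so if `opflags` is a bitmask as its name suggests, any other bit set on it elsewhere in DpLBRuleMod (or a later branch assigning the same way) is silently overwritten; `dat.opflags |= C.NAT_LB_OP_CHKSRC` keeps the field composable. This is worth getting right because SrcCheck is what makes the rule's allowed-source list effective, so losing the bit quietly disables an access control rather than a tuning knob. The chksrc-to-opflags rename is unrelated to PPv2 and not mentioned in the commit message, and together with `dat.ppv2` and `C.CT_TCP_PEST` it depends on C definitions that only arrive with the loxilb-ebpf submodule bump in PATCH 2/2, so 1/2 likely does not build on its own. A short note such as `// opflags/ppv2 come from the loxilb-ebpf headers; requires the matching submodule revision` would help the next reader. DpLBRuleMod continues outside the hunk on both sides.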
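Review bot: The new `case t.state == C.CT_TCP_PEST:` reports the same `"est"` string as `C.CT_TCP_EST`, so a conntrack dump cannot distinguish a connection still in the PPv2 phase from a plainly established one. If that is deliberate so existing consumers of the "est" string keep working, say so with `// CT_TCP_PEST: established with PROXY-header handling pending; reported as plain "est" on purpose`, otherwise a distinct label such as `"p-est"` would be more useful when debugging why a backend rejected the stream. What PEST denotes exactly is defined in the loxilb-ebpf submodule and is not visible here. convDPCt2GoObjFixup continues outside the hunk.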
@@ -1736,6 +1739,7 @@ func (R *RuleH) AddLbRule(serv cmn.LbServiceArg, servSecIPs []cmn.LbSecIPArg, al
 eRule.hChk.prbRetries = serv.ProbeRetries
 eRule.hChk.prbTimeo = serv.ProbeTimeout
 eRule.pTO = serv.PersistTimeout
+ eRule.ppv2En = serv.ProxyProtocolV2
 eRule.act.action.(*ruleLBActs).sel = lBActs.sel
 eRule.act.action.(*ruleLBActs).endPoints = retEps
 eRule.act.action.(*ruleLBActs).mode = lBActs.mode
@@ -1781,6 +1785,7 @@ func (R *RuleH) AddLbRule(serv cmn.LbServiceArg, servSecIPs []cmn.LbSecIPArg, al
 r.managed = serv.Managed
 r.secIP = nSecIP
 r.secMode = serv.Security
+ r.ppv2En = serv.ProxyProtocolV2
 // Per LB end-point health-check is supposed to be handled at kube-loxilb/CCM,
 // but it certain cases like stand-alone mode, loxilb can do its own
@@ -2795,6 +2800,7 @@ func (r *ruleEnt) LB2DP(work DpWorkT) int {
 nWork.InActTo = uint64(r.iTO)
 nWork.PersistTo = uint64(r.pTO)
 nWork.HostURL = r.tuples.path
+ nWork.Ppv2En = r.ppv2En
 if len(r.srcList) > 0 {
 nWork.SrcCheck = true
 }
From b0cce27e51ea88ac298d9df89e7cf6caf9720ccb Mon Sep 17 00:00:00 2001
From: Trekkie Coder
Date: Wed, 27 Nov 2024 14:42:36 +0900
Subject: [PATCH 2/2] loxilb-io/loxilb#675 Initial support for proxy protocol v2
---
 api/swagger.yml | 3 +++
 loxilb-ebpf | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/api/swagger.yml b/api/swagger.yml
index a2a7843f..fcf7e9c8 100644
--- a/api/swagger.yml
+++ b/api/swagger.yml
@@ -3038,6 +3038,9 @@ definitions:
 host:
 type: string
 description: Ingress specific host URL path
+ proxyprotocolv2:
+ type: boolean
+ description: flag to enable proxy protocol v2
 endpoints:
 type: array
diff --git a/loxilb-ebpf b/loxilb-ebpf
index a3edc2fd..9d182a28 160000
--- a/loxilb-ebpf
+++ b/loxilb-ebpf
@@ -1 +1 @@
-Subproject commit a3edc2fdf2906f0bcd4a0131af839f184802dd48
+Subproject commit 9d182a2877d2b3a91d13d9c69e468a7e18a69b3b
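Review bot: The description `flag to enable proxy protocol v2` omits what an operator needs in order to turn it on safely: which side of the connection carries the header, that it applies to TCP services only, and that every endpoint behind the rule must be configured for PROXY v2 — a backend that does not parse it sees a binary prefix at the start of the stream, while a backend that accepts it from arbitrary peers lets clients spoof their source address. I would expand it to something like `description: send a PROXY protocol v2 header to the endpoints (TCP only); endpoints must be configured to accept it, and should accept it only from this load balancer`. That the header is emitted towards the endpoints is what the field name and the `Ppv2En` dataplane flag suggest, but the actual behaviour lives in the loxilb-ebpf submodule and is not visible in this patch, so confirm the direction before wording it.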