Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bind outbound proxy to the IPv6 loopback #2854

Merged
merged 7 commits into from
Apr 22, 2024
Merged

Bind outbound proxy to the IPv6 loopback #2854

merged 7 commits into from
Apr 22, 2024

Conversation

alpeb
Copy link
Member

@alpeb alpeb commented Mar 29, 2024
edited
Loading

In order for the proxy to support IPv6 traffic we need to bind the outbound proxy to the IPv6 loopback (::1), in addition to the existing binding to the IPv4 loopback (127.0.0.1).

Note, this is not necessary for inbound; on the proxy side we'll set LINKERD2_PROXY_INBOUND_LISTEN_ADDR (and the other *_LISTEN_ADDR) vars to the IPv6 wildcard address (::) which also works for IPv4.

This change adds the LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS var, which is supposed to be set as 127.0.0.1:4140,[::1]:4140 (maximum two entries). If not set, we default to the value in LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR.

The ServerConfig got expanded with an optional addr_additional field, which should be populated with [::1]:4140. When set, we bind using BindWithOrigDst's new method bind_additional which leverages ServerConfig's InsertParam implementation for putting its addr_additional into addr for the regular binding logic to continue.

Update:
The field ServerConfig.addr is now of the new type DualListenAddr which holds a primary SocketAddr and an optional one.
The outbound listener is now bound via the DualBind implementation of Bind which also binds to the second SocketAddr if set, merging the two streams using Tokio's merge stream extension method.

@alpeb alpeb requested a review from a team as a code owner March 29, 2024 19:21
@alpeb alpeb marked this pull request as draft April 9, 2024 19:14
@alpeb alpeb force-pushed the alpeb/outbound-ipv6 branch from e3ea28e to 423f6f7 Compare April 10, 2024 15:01
@alpeb alpeb marked this pull request as ready for review April 10, 2024 15:16
olix0r
olix0r reviewed Apr 11, 2024
View reviewed changes
linkerd/proxy/transport/src/listen.rs Outdated Show resolved Hide resolved
linkerd/proxy/transport/src/orig_dst.rs Outdated Show resolved Hide resolved
alpeb added 2 commits April 15, 2024 10:04
@alpeb
Bind outbound proxy to the IPv6 loopback
4cd982e 
In order for the proxy to support IPv6 traffic we need to bind the outbound proxy to the IPv6 loopback (`::1`), in addition to the existing binding to the IPv4 loopback (`127.0.0.1`).

Note, this is not necessary for inbound; on the proxy side we'll set `LINKERD2_PROXY_INBOUND_LISTEN_ADDR` (and the other `*_LISTEN_ADDR`) vars to the IPv6 wildcard address (`::`) which also works for IPv4.

This change adds the `LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS` var, which is supposed to be set as `127.0.0.1:4140,[::1]:4140` (maximum two entries). If not set, we default to the value in `LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR`.

The `ServerConfig` got expanded with an optional `addr_additional` field, which should be populated with `[::1]:4140`. When set, we bind using `BindWithOrigDst`'s new method `bind_additional` which leverages `ServerConfig`'s `InsertParam` implementation for putting its `addr_additional` into `addr` for the regular binding logic to continue.
@alpeb
Move logic behind the Bind implementation
bd0dac0
@alpeb alpeb force-pushed the alpeb/outbound-ipv6 branch from 423f6f7 to bd0dac0 Compare April 15, 2024 16:52
@alpeb
Copy link
Member Author

alpeb commented Apr 15, 2024

Ok I've rebased and pushed again using the suggested approach. I introduced a new DualBindWithOrigDst implementation of the Bind trait, used by the outbound listener which forwards two bind calls to BindWithOrigDst. Given we need to return two addresses, I was forced to expand the Bound type to be a triple, which introduced some extra baggage there where we don't require binding twice. Perhaps we can modify that type a bit to make this less ugly.
I also had to introduced an ExtractParam<ServerConfig, SocketAddr> implementation to make that DualBindWithOrigDst->BindWithOrigDst chain work; it didn't feel great so I'm all ears on suggestions.

olix0r
olix0r reviewed Apr 18, 2024
View reviewed changes
linkerd/proxy/transport/src/dual_bind.rs Outdated Show resolved Hide resolved
linkerd/proxy/transport/src/listen.rs Outdated Show resolved Hide resolved
@alpeb
Copy link
Member Author

alpeb commented Apr 19, 2024

In my last push I added the BoundAddrs associated type to Bind to avoid having to deal with the triple everywhere. Also moved dual_bind as a submodule of listen, and other cleanups.

olix0r
olix0r reviewed Apr 19, 2024
View reviewed changes
Copy link
Member

@olix0r olix0r left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks great to me! Thanks. Two small suggestions.

linkerd/proxy/transport/src/listen/dual_bind.rs Outdated Show resolved Hide resolved
linkerd/proxy/transport/src/listen/dual_bind.rs Outdated Show resolved Hide resolved
alpeb and others added 2 commits April 19, 2024 13:46
@alpeb @olix0r
Apply suggestions from code review
a70cb05 
Co-authored-by: Oliver Gould <ver@buoyant.io>
@alpeb
More renamings
c82b170
olix0r
olix0r approved these changes Apr 20, 2024
View reviewed changes
linkerd/app/src/env.rs Outdated Show resolved Hide resolved
@alpeb alpeb merged commit 5268124 into main Apr 22, 2024
17 checks passed
@alpeb alpeb deleted the alpeb/outbound-ipv6 branch April 22, 2024 12:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@olix0r olix0r olix0r approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@alpeb @olix0r