diff --git a/bpf/lib/nodeport.h b/bpf/lib/nodeport.h index 70a22a4c279b..2e9b6490b1c5 100644 --- a/bpf/lib/nodeport.h +++ b/bpf/lib/nodeport.h @@ -820,8 +820,8 @@ int tail_nodeport_nat_egress_ipv6(struct __ctx_buff *ctx) __s8 ext_err = 0; #ifdef TUNNEL_MODE struct remote_endpoint_info *info; - int verdict = CTX_ACT_REDIRECT; - bool use_tunnel = false; + __be32 tunnel_endpoint = 0; + __u32 dst_sec_identity = 0; union v6addr *dst; #endif @@ -837,18 +837,10 @@ int tail_nodeport_nat_egress_ipv6(struct __ctx_buff *ctx) dst = (union v6addr *)&ip6->daddr; info = ipcache_lookup6(&IPCACHE_MAP, dst, V6_CACHE_KEY_LEN, 0); if (info && info->tunnel_endpoint != 0) { - ret = __encap_with_nodeid(ctx, info->tunnel_endpoint, - WORLD_ID, - info->sec_identity, - NOT_VTEP_DST, - (enum trace_reason)CT_NEW, - TRACE_PAYLOAD_LEN, &oif); - if (IS_ERR(ret)) - goto drop_err; + tunnel_endpoint = info->tunnel_endpoint; + dst_sec_identity = info->sec_identity; BPF_V6(target.addr, ROUTER_IP); - use_tunnel = true; - verdict = ret; } #endif ret = snat_v6_nat(ctx, &target, &ext_err); @@ -857,12 +849,21 @@ int tail_nodeport_nat_egress_ipv6(struct __ctx_buff *ctx) ctx_snat_done_set(ctx); #ifdef TUNNEL_MODE - if (use_tunnel) { + if (tunnel_endpoint) { + ret = __encap_with_nodeid(ctx, tunnel_endpoint, + WORLD_ID, + dst_sec_identity, + NOT_VTEP_DST, + (enum trace_reason)CT_NEW, + TRACE_PAYLOAD_LEN, &oif); + if (IS_ERR(ret)) + goto drop_err; + cilium_capture_out(ctx); - if (verdict == CTX_ACT_REDIRECT) + if (ret == CTX_ACT_REDIRECT) return ctx_redirect(ctx, oif, 0); ctx_move_xfer(ctx); - return verdict; + return ret; } #endif if (!revalidate_data(ctx, &data, &data_end, &ip6)) { @@ -2033,8 +2034,8 @@ int tail_nodeport_nat_egress_ipv4(struct __ctx_buff *ctx) __s8 ext_err = 0; #ifdef TUNNEL_MODE struct remote_endpoint_info *info; - int verdict = CTX_ACT_REDIRECT; - bool use_tunnel = false; + __be32 tunnel_endpoint = 0; + __u32 dst_sec_identity = 0; if (!revalidate_data(ctx, &data, &data_end, &ip4)) { ret = DROP_INVALID; @@ -2043,6 +2044,19 @@ int tail_nodeport_nat_egress_ipv4(struct __ctx_buff *ctx) info = ipcache_lookup4(&IPCACHE_MAP, ip4->daddr, V4_CACHE_KEY_LEN, 0); if (info && info->tunnel_endpoint != 0) { + tunnel_endpoint = info->tunnel_endpoint; + dst_sec_identity = info->sec_identity; + + target.addr = IPV4_GATEWAY; + } +#endif + ret = snat_v4_nat(ctx, &target, &ext_err); + if (IS_ERR(ret) && ret != NAT_PUNT_TO_STACK) + goto drop_err; + + ctx_snat_done_set(ctx); +#ifdef TUNNEL_MODE + if (tunnel_endpoint) { /* The request came from outside, so we need to * set the security id in the tunnel header to WORLD_ID. * Otherwise, the remote node will assume, that the @@ -2050,32 +2064,20 @@ int tail_nodeport_nat_egress_ipv4(struct __ctx_buff *ctx) * bypass any netpol which disallows LB requests from * outside. */ - ret = __encap_with_nodeid(ctx, info->tunnel_endpoint, + ret = __encap_with_nodeid(ctx, tunnel_endpoint, WORLD_ID, - info->sec_identity, + dst_sec_identity, NOT_VTEP_DST, (enum trace_reason)CT_NEW, TRACE_PAYLOAD_LEN, &oif); if (IS_ERR(ret)) goto drop_err; - target.addr = IPV4_GATEWAY; - use_tunnel = true; - verdict = ret; - } -#endif - ret = snat_v4_nat(ctx, &target, &ext_err); - if (IS_ERR(ret) && ret != NAT_PUNT_TO_STACK) - goto drop_err; - - ctx_snat_done_set(ctx); -#ifdef TUNNEL_MODE - if (use_tunnel) { cilium_capture_out(ctx); - if (verdict == CTX_ACT_REDIRECT) + if (ret == CTX_ACT_REDIRECT) return ctx_redirect(ctx, oif, 0); ctx_move_xfer(ctx); - return verdict; + return ret; } #endif if (!revalidate_data(ctx, &data, &data_end, &ip4)) {