bpf: Add TC_ACT_REDIRECT check for nodeport

[ upstream commit 80d99a6 ] [ backporter's notes: minor conflicts as nodeport_lb{4,6} differ from the ones in main] Relates: #18894 Signed-off-by: Tam Mach <tam.mach@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
cilium · Nov 7, 2023 · 0c10678 · 0c10678
1 parent 8a1cc1f
commit 0c10678
Showing 1 changed file with 14 additions and 3 deletions.
diff --git a/bpf/bpf_overlay.c b/bpf/bpf_overlay.c
@@ -60,7 +60,13 @@ static __always_inline int handle_ipv6(struct __ctx_buff *ctx,
 #ifdef ENABLE_NODEPORT
 	if (!ctx_skip_nodeport(ctx)) {
 		ret = nodeport_lb6(ctx, *identity);
-		if (ret < 0)
+		/* nodeport_lb6() returns with TC_ACT_REDIRECT for
+		 * traffic to L7 LB. Policy enforcement needs to take
+		 * place after L7 LB has processed the packet, so we
+		 * return to stack immediately here with
+		 * TC_ACT_REDIRECT.
+		 */
+		if (ret < 0 || ret == TC_ACT_REDIRECT)
 			return ret;
 	}
 #endif
@@ -215,8 +221,13 @@ static __always_inline int handle_ipv4(struct __ctx_buff *ctx, __u32 *identity)
 #ifdef ENABLE_NODEPORT
 	if (!ctx_skip_nodeport(ctx)) {
 		int ret = nodeport_lb4(ctx, *identity);
-
-		if (ret < 0)
+		/* nodeport_lb4() returns with TC_ACT_REDIRECT for
+		 * traffic to L7 LB. Policy enforcement needs to take
+		 * place after L7 LB has processed the packet, so we
+		 * return to stack immediately here with
+		 * TC_ACT_REDIRECT.
+		 */
+		if (ret < 0 || ret == TC_ACT_REDIRECT)
 			return ret;
 	}
 #endif