bpf: Fix missing tail calls

[ upstream commit e1afa06 ] The changes to the dead tail call elimination revealed 2 cases of missing tail calls. First is to do with NAT46x64 logic where there still existed a call path from the IPv4 logic which would attempt to tail call into IPv6 to recirculate the packet, even when the IPv6 tail call wasn't compiled in. The second was that when XDP offloaded, the IPv6 logic would tail call into a ICMP6 tail call which is only compiled in for TC programs. This commit fixes both possible missing tail calls. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> Signed-off-by: Timo Beckers <timo@isovalent.com>
cilium · Mar 22, 2024 · 0db21c7 · 0db21c7
1 parent aad13f5
commit 0db21c7
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 5 deletions.
diff --git a/bpf/bpf_host.c b/bpf/bpf_host.c
@@ -600,13 +600,13 @@ handle_ipv4(struct __ctx_buff *ctx, __u32 secctx __maybe_unused,
 			bool __maybe_unused is_dsr = false;
 
 			int ret = nodeport_lb4(ctx, ip4, ETH_HLEN, secctx, ext_err, &is_dsr);
-
+#ifdef ENABLE_IPV6
 			if (ret == NAT_46X64_RECIRC) {
 				ctx_store_meta(ctx, CB_SRC_LABEL, secctx);
 				ep_tail_call(ctx, CILIUM_CALL_IPV6_FROM_NETDEV);
 				return DROP_MISSED_TAIL_CALL;
 			}
-
+#endif
 			/* nodeport_lb4() returns with TC_ACT_REDIRECT for
 			 * traffic to L7 LB. Policy enforcement needs to take
 			 * place after L7 LB has processed the packet, so we

diff --git a/bpf/lib/icmp6.h b/bpf/lib/icmp6.h
@@ -276,7 +276,6 @@ int tail_icmp6_send_time_exceeded(struct __ctx_buff *ctx __maybe_unused)
 	return 0;
 # endif
 }
-#endif
 
 /*
  * icmp6_send_time_exceeded
@@ -297,6 +296,7 @@ static __always_inline int icmp6_send_time_exceeded(struct __ctx_buff *ctx,
 
 	return DROP_MISSED_TAIL_CALL;
 }
+#endif
 
 static __always_inline int __icmp6_handle_ns(struct __ctx_buff *ctx, int nh_off)
 {

diff --git a/bpf/lib/l3.h b/bpf/lib/l3.h
@@ -28,15 +28,16 @@
 #ifdef ENABLE_IPV6
 static __always_inline int ipv6_l3(struct __ctx_buff *ctx, int l3_off,
 				   const __u8 *smac, const __u8 *dmac,
-				   __u8 direction)
+				   __u8 __maybe_unused direction)
 {
 	int ret;
 
 	ret = ipv6_dec_hoplimit(ctx, l3_off);
 	if (IS_ERR(ret)) {
+#ifndef SKIP_ICMPV6_HOPLIMIT_HANDLING
 		if (ret == DROP_TTL_EXCEEDED)
 			return icmp6_send_time_exceeded(ctx, l3_off, direction);
-
+#endif
 		return ret;
 	}