Commit
bpf: Lookup tunnel endpoint for IPsec rewrite
In a subsequent commit, we will need offset 4 of skb->cb. Unfortunately, this offset is currently used to store the tunnel endpoint IP. We store the tunnel endpoint IP before encryption and, after encryption, we pass it to the encapsulation functions to build the correct VXLAN or GENEVE outer IP header. (Remember we do ESP-on-VXLAN/GENEVE.) Thus, to free offset 4, we need another way to retrieve the tunnel endpoint IP.

Currently, in Cilium with IPsec and tunneling, packets are encrypted with the CiliumInternalIPs (cilium_host IPs) and then encapsulated with the NodeInternalIPs. The CiliumInternalIPs are in the ipcache and have a corresponding tunnel endpoint, the corresponding NodeInternalIP. Therefore, when we receive the to-be-encapsulated, encrypted packets, we can look up their destination IP in the ipcache to retrieve the tunnel endpoint IP to use for VXLAN or GENEVE encapsulation.

This commit implements just that. If the ipcache lookup fails, we drop the packet with a DROP_NO_TUNNEL_ENDPOINT event.

Signed-off-by: Paul Chaignon <paul@cilium.io>