bpf: Lookup tunnel endpoint for IPsec rewrite

In a subsequent commit, we will need offset 4 of skb->cb. Unfortunately, this offset is currently used to store the tunnel endpoint IP. We store the tunnel endpoint IP before encryption and, after encryption, we pass it to the encapsulation functions to build the correct VXLAN or GENEVE outer IP header. (Remember we do ESP-on-VXLAN/GENEVE.) Thus, to free offset 4, we need another way to retrieve the tunnel endpoint IP. Currently, in Cilium with IPsec and tunneling, packets are encrypted with the CiliumInternalIPs (cilium_host IPs) and then encapsulated with the NodeInternalIPs. The CiliumInternalIPs are in the ipcache and have a corresponding tunnel endpoint, the corresponding NodeInternalIP. Therefore, when we receive the to-be-encapsulated, encrypted packets, we can lookup their destination IP in the ipcache to retrieve the tunnel endpoint IP to use for VXLAN or GENEVE encapsulation. This commit implements just that. If the ipcache lookup fails, we drop the packet with a DROP_NO_TUNNEL_ENDPOINT event. Signed-off-by: Paul Chaignon <paul@cilium.io>
cilium · Feb 28, 2023 · 19a62da · 19a62da
1 parent b596cea
commit 19a62da
Showing 1 changed file with 30 additions and 3 deletions.
diff --git a/bpf/bpf_host.c b/bpf/bpf_host.c
@@ -746,12 +746,39 @@ static __always_inline int do_netdev_encrypt_encap(struct __ctx_buff *ctx, __u32
 		.reason = TRACE_REASON_ENCRYPTED,
 		.monitor = TRACE_PAYLOAD_LEN,
 	};
-	__be32 tunnel_endpoint = ctx_get_encrypt_dip(ctx);
+	struct remote_endpoint_info *ep = NULL;
+	void *data, *data_end;
+	struct ipv6hdr *ip6 __maybe_unused;
+	struct iphdr *ip4 __maybe_unused;
+	__u16 proto;
 
-	ctx->mark = 0;
+	if (!validate_ethertype(ctx, &proto))
+		return DROP_UNSUPPORTED_L2;
 
+	switch (proto) {
+# ifdef ENABLE_IPV6
+	case bpf_htons(ETH_P_IPV6):
+		if (!revalidate_data(ctx, &data, &data_end, &ip6))
+			return DROP_INVALID;
+		ep = lookup_ip6_remote_endpoint((union v6addr *)&ip6->daddr, 0);
+		break;
+# endif /* ENABLE_IPV6 */
+# ifdef ENABLE_IPV4
+	case bpf_htons(ETH_P_IP):
+		if (!revalidate_data(ctx, &data, &data_end, &ip4))
+			return DROP_INVALID;
+		ep = lookup_ip4_remote_endpoint(ip4->daddr, 0);
+		break;
+# endif /* ENABLE_IPV4 */
+	}
+	if (!ep)
+		return send_drop_notify_error(ctx, src_id,
+					      DROP_NO_TUNNEL_ENDPOINT,
+					      CTX_ACT_DROP, METRIC_EGRESS);
+
+	ctx->mark = 0;
 	bpf_clear_meta(ctx);
-	return __encap_and_redirect_with_nodeid(ctx, tunnel_endpoint, src_id,
+	return __encap_and_redirect_with_nodeid(ctx, ep->tunnel_endpoint, src_id,
 						0, NOT_VTEP_DST, &trace);
 }