bpf: finally compile out lxc service lookup on netns-aware sock LB

Finally we are able to compile out bpf_lxc's service handling if we have a latest kernel where socket LB programs are netns aware and we therefore can handle all translation from there. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
cilium · Apr 1, 2020 · 24069d7 · 24069d7
1 parent d7bf451
commit 24069d7
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 6 deletions.
diff --git a/bpf/bpf_lxc.c b/bpf/bpf_lxc.c
@@ -91,7 +91,8 @@ static __always_inline int ipv6_l3_from_lxc(struct __ctx_buff *ctx,
 	 * address.
 	 */
 #ifdef ENABLE_SERVICES
-# if !defined(ENABLE_HOST_SERVICES_FULL) || defined(ENABLE_EXTERNAL_IP)
+# if !defined(ENABLE_HOST_SERVICES_FULL) || \
+     (defined(ENABLE_EXTERNAL_IP) && !defined(ENABLE_HOST_SERVICES_NETNS))
 	{
 		struct lb6_service *svc;
 		struct lb6_key key = {};
@@ -114,7 +115,7 @@ static __always_inline int ipv6_l3_from_lxc(struct __ctx_buff *ctx,
 	}
 
 skip_service_lookup:
-# endif /* !ENABLE_HOST_SERVICES_FULL || ENABLE_EXTERNAL_IP*/
+# endif /* !ENABLE_HOST_SERVICES_FULL || ENABLE_EXTERNAL_IP && !ENABLE_HOST_SERVICES_NETNS */
 #endif /* ENABLE_SERVICES */
 
 	/* The verifier wants to see this assignment here in case the above goto
@@ -444,7 +445,8 @@ static __always_inline int handle_ipv4_from_lxc(struct __ctx_buff *ctx,
 	l4_off = l3_off + ipv4_hdrlen(ip4);
 
 #ifdef ENABLE_SERVICES
-# if !defined(ENABLE_HOST_SERVICES_FULL) || defined(ENABLE_EXTERNAL_IP)
+# if !defined(ENABLE_HOST_SERVICES_FULL) || \
+     (defined(ENABLE_EXTERNAL_IP) && !defined(ENABLE_HOST_SERVICES_NETNS))
 	{
 		struct lb4_service *svc;
 		struct lb4_key key = {};
@@ -468,7 +470,7 @@ static __always_inline int handle_ipv4_from_lxc(struct __ctx_buff *ctx,
 	}
 
 skip_service_lookup:
-# endif /* !ENABLE_HOST_SERVICES_FULL || ENABLE_EXTERNAL_IP */
+# endif /* !ENABLE_HOST_SERVICES_FULL || ENABLE_EXTERNAL_IP && !ENABLE_HOST_SERVICES_NETNS */
 #endif /* ENABLE_SERVICES */
 
 	/* The verifier wants to see this assignment here in case the above goto

diff --git a/bpf/bpf_sock.c b/bpf/bpf_sock.c
@@ -79,8 +79,7 @@ void ctx_set_port(struct bpf_sock_addr *ctx, __be16 dport)
 static __always_inline __maybe_unused bool
 ctx_in_hostns(void *ctx __maybe_unused)
 {
-#if HAVE_PROG_TYPE_HELPER(cgroup_sock_addr, bpf_get_netns_cookie) && \
-    HAVE_PROG_TYPE_HELPER(cgroup_sock,      bpf_get_netns_cookie)
+#ifdef ENABLE_HOST_SERVICES_NETNS
 	return get_netns_cookie(ctx) == get_netns_cookie(NULL);
 #else
 	return true;

diff --git a/bpf/lib/common.h b/bpf/lib/common.h
@@ -48,6 +48,11 @@
 # endif
 #endif
 
+#if HAVE_PROG_TYPE_HELPER(cgroup_sock_addr, bpf_get_netns_cookie) && \
+    HAVE_PROG_TYPE_HELPER(cgroup_sock,      bpf_get_netns_cookie)
+# define ENABLE_HOST_SERVICES_NETNS 1
+#endif
+
 /* These are shared with test/bpf/check-complexity.sh, when modifying any of
  * the below, that script should also be updated. */
 #define CILIUM_CALL_DROP_NOTIFY			1