bpf: nodeport: fix rev_nat_index check for stale NAT CT entries

For non-DSR connections, the nodeport code creates a special CT_EGRESS
entry to maintain its own state (and eg. trigger RevDNAT from it).

This CT entry also tracks the service's rev_nat_index. On a successful
CT lookup, we detect a stale entry by comparing its rev_nat_index to
the currently matched svc's rev_nat_index.

But there's a special case in lb*_lookup() where the backend lookup fails,
and we fall back to a fresh svc lookup. The new svc entry isn't reflected
back to the callers, and consequently they would use the wrong
svc->rev_nat_index to check for staleness of their CT entry.

The actual rev_nat_index *is* reflected back to the caller via the
passed-in ct_state_new struct. So use that for the staleness check instead.

Note that this matches how bpf_lxc determines the current rev_nat_index
in lb*_ctx_store_state().

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

bpf/lib/nodeport.h

@@ -1029,7 +1029,7 @@ static __always_inline int nodeport_lb6(struct __ctx_buff *ctx,
 		case CT_REOPENED:
 		case CT_ESTABLISHED:
 			if (unlikely(ct_state.rev_nat_index !=
-				     svc->rev_nat_index))
+				     ct_state_new.rev_nat_index))
 				goto redo;
 			break;
 		default:
@@ -2281,7 +2281,7 @@ static __always_inline int nodeport_lb4(struct __ctx_buff *ctx,
 			 * belongs to a flow which target a different svc.
 			 */
 			if (unlikely(ct_state.rev_nat_index !=
-				     svc->rev_nat_index))
+				     ct_state_new.rev_nat_index))
 				goto redo;
 			break;
 		default: