bpf: Pass security ID via skb->cb from lxc to host
We need to free the packet mark between bpf_lxc and bpf_host so that it
can carry the node ID when IPsec is enabled, to match against XFRM
states. Instead of using the packet mark to pass the source security ID,
we thus use a skb->cb field.

Signed-off-by: Paul Chaignon <paul@cilium.io>
pchaigno authored and sayboras committed Feb 28, 2023
1 parent 4c7cce1 commit 4de20fc
Showing 5 changed files with 7 additions and 6 deletions.
1 change: 0 additions & 1 deletion bpf/bpf_host.c
Expand Up @@ -1197,7 +1197,6 @@ int cil_to_host(struct __ctx_buff *ctx)
if ((magic & MARK_MAGIC_HOST_MASK) == MARK_MAGIC_ENCRYPT) {
ctx->mark = magic; /* CB_ENCRYPT_MAGIC */
src_id = ctx_load_meta(ctx, CB_ENCRYPT_IDENTITY);
set_identity_mark(ctx, src_id);
} else if ((magic & 0xFFFF) == MARK_MAGIC_TO_PROXY) {
/* Upper 16 bits may carry proxy port number */
__be16 port = magic >> 16;
4 changes: 2 additions & 2 deletions bpf/bpf_lxc.c
Expand Up @@ -632,7 +632,7 @@ static __always_inline int handle_ipv6_from_lxc(struct __ctx_buff *ctx, __u32 *d
if (encrypt_key && tunnel_endpoint) {
set_encrypt_key_mark(ctx, encrypt_key);
# ifdef ENABLE_IDENTITY_MARK
set_identity_mark(ctx, SECLABEL);
set_identity_meta(ctx, SECLABEL);
# endif /* ENABLE_IDENTITY_MARK */
} else
# endif /* ENABLE_IPSEC */
Expand Down Expand Up @@ -1131,7 +1131,7 @@ static __always_inline int handle_ipv4_from_lxc(struct __ctx_buff *ctx, __u32 *d
if (encrypt_key && tunnel_endpoint) {
set_encrypt_key_mark(ctx, encrypt_key);
# ifdef ENABLE_IDENTITY_MARK
set_identity_mark(ctx, SECLABEL);
set_identity_meta(ctx, SECLABEL);
# endif
} else
# endif /* ENABLE_IPSEC */
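Review bot: Both call sites (this one in handle_ipv6_from_lxc and the one in the handle_ipv4_from_lxc hunk below) keep `set_identity_meta(ctx, SECLABEL);` under `# ifdef ENABLE_IDENTITY_MARK`, so with that option off nothing writes CB_ENCRYPT_IDENTITY, while the identity.h side of this commit reads that slot unconditionally on the MARK_MAGIC_ENCRYPT branch; the old get_identity() of an unset mark gave a fixed value, the new ctx_load_meta() gives whatever the aliased CB_CT_STATE slot happens to hold, which I cannot verify from the hunk. Either the guard name should follow the data path or a comment should state that it now gates the cb stash rather than the mark, e.g. `/* ENABLE_IDENTITY_MARK: stash the source identity in skb->cb (CB_ENCRYPT_IDENTITY), not in the mark */`. set_identity_meta() itself is not on this page and is presumed to store to CB_ENCRYPT_IDENTITY. Both enclosing functions begin and end outside their hunks.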
4 changes: 3 additions & 1 deletion bpf/lib/common.h
Expand Up @@ -698,7 +698,6 @@ enum {
#define CB_NAT_46X64 CB_IFINDEX /* Alias, non-overlapping */
#define CB_ADDR_V4 CB_IFINDEX /* Alias, non-overlapping */
#define CB_ADDR_V6_1 CB_IFINDEX /* Alias, non-overlapping */
#define CB_ENCRYPT_IDENTITY CB_IFINDEX /* Alias, non-overlapping */
#define CB_IPCACHE_SRC_LABEL CB_IFINDEX /* Alias, non-overlapping */
#define CB_SRV6_SID_2 CB_IFINDEX /* Alias, non-overlapping */
#define CB_ENCAP_SECLABEL CB_IFINDEX /* XDP */
Expand All @@ -713,6 +712,9 @@ enum {
#define CB_SRV6_SID_4 CB_NAT /* Alias, non-overlapping */
CB_CT_STATE,
#define CB_ADDR_V6_4 CB_CT_STATE /* Alias, non-overlapping */
#define CB_ENCRYPT_IDENTITY CB_CT_STATE /* Alias, non-overlapping,
* Not used by xfrm.
*/
#define CB_CUSTOM_CALLS CB_CT_STATE /* Alias, non-overlapping */
#define CB_SRV6_VRF_ID CB_CT_STATE /* Alias, non-overlapping */
};
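Review bot: The new alias comment `Not used by xfrm.` is the load-bearing invariant of this commit and is too terse to audit: it should say which cb slots xfrm (or the stack between bpf_lxc and bpf_host) does overwrite, since that is presumably why the alias left CB_IFINDEX, and that CB_ENCRYPT_IDENTITY must survive from set_identity_meta() in bpf_lxc through to ctx_load_meta() in cil_to_host and inherit_identity_from_host. Sharing the slot with CB_CT_STATE, CB_ADDR_V6_4, CB_CUSTOM_CALLS and CB_SRV6_VRF_ID makes "non-overlapping" a claim about code paths that nothing enforces; any store to CB_CT_STATE on the IPsec path between the two programs would be read back as the source security identity, which I cannot rule out from this hunk. As a style point the neighbouring aliases use one-line comments, and a multi-line comment inside a `#define` is legal but easy to misread; a single line such as `#define CB_ENCRYPT_IDENTITY CB_CT_STATE /* Alias, non-overlapping; slot is not clobbered by xfrm, must survive lxc->host */` would be clearer.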
2 changes: 1 addition & 1 deletion bpf/lib/encap.h
Expand Up @@ -46,7 +46,7 @@ encap_and_redirect_ipsec(struct __ctx_buff *ctx, __u8 key, __u32 seclabel)
* to send ctx onto tunnel for encap.
*/
set_encrypt_key_mark(ctx, key);
set_identity_mark(ctx, seclabel);
set_identity_meta(ctx, seclabel);
return CTX_ACT_OK;
}
#endif /* ENABLE_IPSEC */
2 changes: 1 addition & 1 deletion bpf/lib/identity.h
Expand Up @@ -113,7 +113,7 @@ static __always_inline __u32 inherit_identity_from_host(struct __ctx_buff *ctx,
} else if (magic == MARK_MAGIC_HOST) {
*identity = HOST_ID;
} else if (magic == MARK_MAGIC_ENCRYPT) {
*identity = get_identity(ctx);
*identity = ctx_load_meta(ctx, CB_ENCRYPT_IDENTITY);
#if defined(ENABLE_L7_LB)
} else if (magic == MARK_MAGIC_PROXY_EGRESS_EPID) {
*identity = get_epid(ctx); /* endpoint identity, not security identity! */
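Review bot: `*identity = ctx_load_meta(ctx, CB_ENCRYPT_IDENTITY);` takes the whole 32-bit cb word as the security identity with no masking, whereas the replaced get_identity(ctx) extracted the identity field out of the mark (presumably masked to the identity's bit width; its definition is not on this page). If the writer ever stores more than an identity in that slot, or the slot is unwritten because the bpf_lxc stores are behind ENABLE_IDENTITY_MARK, the caller trusts an arbitrary value as the source identity on the MARK_MAGIC_ENCRYPT path. A comment on the new line would make the contract explicit: `/* Source identity was stashed in skb->cb by bpf_lxc (set_identity_meta); the mark now carries only MARK_MAGIC_ENCRYPT */`. inherit_identity_from_host begins and ends outside the hunk.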
