From 5b80b6913e2eab0c83177a9bac630a0e6de95b4c Mon Sep 17 00:00:00 2001
From: Thomas Graf
Date: Fri, 10 Apr 2020 00:23:12 +0200
Subject: [PATCH] bpf: Preserve source identity for hairpin via stack
When Cilium is used in chaining mode with portmap, the hostPort is translated using iptables DNAT as inserted by the portmap plugin. When this happens all within a node, we can preserve the source identity for the reply traffic for correct visibility. The traffic will be allowed anyway based on the connection tracking state.
Updates: #9784
Signed-off-by: Thomas Graf
---
 bpf/bpf_lxc.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/bpf/bpf_lxc.c b/bpf/bpf_lxc.c
index c1392616d0f2..77ea2f86b69d 100644
--- a/bpf/bpf_lxc.c
+++ b/bpf/bpf_lxc.c
@@ -354,12 +354,17 @@ static __always_inline int ipv6_l3_from_lxc(struct __ctx_buff *ctx,
 set_encrypt_key_mark(ctx, encrypt_key);
 #ifdef IP_POOLS
 set_encrypt_dip(ctx, tunnel_endpoint);
-#else
- set_identity_mark(ctx, SECLABEL);
 #endif
 }
 #endif
 #endif
+ /* Always encode the source identity when passing to the stack. If the
+ * stack hairpins the packet back to a local endpoint the source
+ * identity can still be derived even if SNAT is performed by a
+ * component such as portmap */
+ ctx->mark |= MARK_MAGIC_IDENTITY;
+ set_identity_mark(ctx, SECLABEL);
+
 return CTX_ACT_OK;
 }
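Review bot: The identity marking added at the end of this hunk also runs on the IPsec path, right after the `set_encrypt_key_mark(ctx, encrypt_key);` context line has stored the encrypt magic and key id in `ctx->mark`, and `set_identity_mark(ctx, SECLABEL)` is now applied in the `IP_POOLS` build as well, where the removed `#else` shows it was previously skipped on purpose. Whether `ctx->mark |= MARK_MAGIC_IDENTITY` can coexist with the encrypt marker depends on the mark layout, which this hunk does not show; if both magics share the same field, a packet meant for the tunnel endpoint no longer matches the encryption marker and could leave the node in clear, so please confirm against the mark definitions and the xfrm match. The low-risk fix is to keep the removed `#else` / `set_identity_mark(ctx, SECLABEL);` pair and run the two new lines only in an `else` branch of the encryption condition, i.e. `} else` followed by the guard's `#endif` and `{ ... }` around the comment and the two marking lines. The encryption `if` and its `#ifdef` guard begin above the hunk and ipv6_l3_from_lxc starts outside it.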
@@ -705,12 +710,18 @@ static __always_inline int handle_ipv4_from_lxc(struct __ctx_buff *ctx,
 set_encrypt_key_mark(ctx, encrypt_key);
 #ifdef IP_POOLS
 set_encrypt_dip(ctx, tunnel_endpoint);
-#else
- set_identity_mark(ctx, SECLABEL);
 #endif
 }
 #endif
 #endif
+
+ /* Always encode the source identity when passing to the stack. If the
+ * stack hairpins the packet back to a local endpoint the source
+ * identity can still be derived even if SNAT is performed by a
+ * component such as portmap */
+ ctx->mark |= MARK_MAGIC_IDENTITY;
+ set_identity_mark(ctx, SECLABEL);
+
 cilium_dbg_capture(ctx, DBG_CAPTURE_DELIVERY, 0);
 return CTX_ACT_OK;
 }
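Review bot: The new `ctx->mark |= MARK_MAGIC_IDENTITY;` and `set_identity_mark(ctx, SECLABEL);` run unconditionally, so they also fire on the IPsec path immediately after the `set_encrypt_key_mark(ctx, encrypt_key);` context line has written the encrypt magic and key id into `ctx->mark`, and the identity is now written in the `IP_POOLS` build where the removed `#else` branch shows it was intentionally left out. ORing a magic constant into a field that already holds a different magic is order-dependent and can silently replace the marker the encryption rules key on, which would send traffic destined for the tunnel endpoint out unencrypted; I cannot see the mark layout or the xfrm match from this hunk, so treat this as something to verify rather than a certainty. I would keep the `#else`/`set_identity_mark` pair and move the new marking into an `else` of the encryption condition, as sketched below, so only the plaintext-to-stack case carries the identity magic. The encryption `if` and its `#ifdef` guard begin above the hunk and handle_ipv4_from_lxc starts outside it, so check which conditional the first `#endif` after the `}` closes before applying this.
```c
	/* … unchanged: set_encrypt_key_mark(), #ifdef IP_POOLS / set_encrypt_dip() … */
#else
		set_identity_mark(ctx, SECLABEL);
#endif
	} else
#endif
	{
		/* Always encode the source identity when passing to the stack.
		 * If the stack hairpins the packet back to a local endpoint the
		 * source identity can still be derived even if SNAT is performed
		 * by a component such as portmap. Skipped on the IPsec path,
		 * where the mark already carries the encrypt magic and key id.
		 */
		ctx->mark |= MARK_MAGIC_IDENTITY;
		set_identity_mark(ctx, SECLABEL);
	}
	/* … unchanged: remaining #endif, cilium_dbg_capture(), return CTX_ACT_OK … */
```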