bpf: Add missing traces for reply traffic to the proxy

[ upstream commit 503417a ] This commit adds two missing packet traces for reply traffic to the proxy. Because of those missing traces, we would see a from-container not followed by any to-xxx trace. Backporting conflicts: * replaced SECLABEL_IPV{4,6} with SECLABEL Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> add missing traces
cilium · Sep 5, 2023 · 636580a · 636580a
1 parent 490bdb4
commit 636580a
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/bpf/bpf_lxc.c b/bpf/bpf_lxc.c
@@ -444,6 +444,9 @@ static __always_inline int handle_ipv6_from_lxc(struct __ctx_buff *ctx, __u32 *d
 	if (ct_status == CT_REPLY || ct_status == CT_RELATED) {
 		/* Check if this is return traffic to an ingress proxy. */
 		if (ct_state->proxy_redirect) {
+			send_trace_notify(ctx, TRACE_TO_PROXY, SECLABEL,
+					  0, 0, 0, trace.reason,
+					  trace.monitor);
 			/* Stack will do a socket match and deliver locally. */
 			return ctx_redirect_to_proxy6(ctx, tuple, 0, false);
 		}
@@ -877,6 +880,9 @@ static __always_inline int handle_ipv4_from_lxc(struct __ctx_buff *ctx, __u32 *d
 	if (ct_status == CT_REPLY || ct_status == CT_RELATED) {
 		/* Check if this is return traffic to an ingress proxy. */
 		if (ct_state->proxy_redirect) {
+			send_trace_notify(ctx, TRACE_TO_PROXY, SECLABEL,
+					  0, 0, 0, trace.reason,
+					  trace.monitor);
 			/* Stack will do a socket match and deliver locally. */
 			return ctx_redirect_to_proxy4(ctx, tuple, 0, false);
 		}