bpf: nodeport: drop reply by local backend if revDNAT is skipped

RevDNAT for replies from a local service backend is handled by tail-calling from bpf_lxc to CILIUM_CALL_IPV*_NODEPORT_REVNAT with bpf_skip_recirculation() set. If rev_nodeport_lb*() then doesn't find a matching CT entry, don't return CTX_ACT_REDIRECT to the caller. Without a CT entry we also didn't perform a FIB lookup, so `ifindex` is still 0 and the subsequent bpf_redirect() won't do any good. As bpf_lxc only performs the tail-call if ct_state->node_port is set, finding no related Nodeport CT entry is unexpected. So drop the packet. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
cilium · Jan 12, 2023 · 6936db5 · 6936db5
1 parent da6eb99
commit 6936db5
Showing 1 changed file with 16 additions and 14 deletions.
diff --git a/bpf/lib/nodeport.h b/bpf/lib/nodeport.h
@@ -1090,15 +1090,16 @@ static __always_inline int rev_nodeport_lb6(struct __ctx_buff *ctx, __u32 *ifind
 			if (eth_store_saddr(ctx, fib_params.smac, 0) < 0)
 				return DROP_WRITE_ERROR;
 		}
-	} else {
-		if (!bpf_skip_recirculation(ctx)) {
-			ctx_skip_nodeport_set(ctx);
-			ep_tail_call(ctx, CILIUM_CALL_IPV6_FROM_NETDEV);
-			return DROP_MISSED_TAIL_CALL;
-		}
+
+		return CTX_ACT_REDIRECT;
 	}
 
-	return CTX_ACT_REDIRECT;
+	if (bpf_skip_recirculation(ctx))
+		return DROP_NAT_NO_MAPPING;
+
+	ctx_skip_nodeport_set(ctx);
+	ep_tail_call(ctx, CILIUM_CALL_IPV6_FROM_NETDEV);
+	return DROP_MISSED_TAIL_CALL;
 }
 
 __section_tail(CILIUM_MAP_CALLS, CILIUM_CALL_IPV6_NODEPORT_REVNAT)
@@ -2083,15 +2084,16 @@ static __always_inline int rev_nodeport_lb4(struct __ctx_buff *ctx, __u32 *ifind
 			if (eth_store_saddr(ctx, fib_params.smac, 0) < 0)
 				return DROP_WRITE_ERROR;
 		}
-	} else {
-		if (!bpf_skip_recirculation(ctx)) {
-			ctx_skip_nodeport_set(ctx);
-			ep_tail_call(ctx, CILIUM_CALL_IPV4_FROM_NETDEV);
-			return DROP_MISSED_TAIL_CALL;
-		}
+
+		return CTX_ACT_REDIRECT;
 	}
 
-	return CTX_ACT_REDIRECT;
+	if (bpf_skip_recirculation(ctx))
+		return DROP_NAT_NO_MAPPING;
+
+	ctx_skip_nodeport_set(ctx);
+	ep_tail_call(ctx, CILIUM_CALL_IPV4_FROM_NETDEV);
+	return DROP_MISSED_TAIL_CALL;
 
 #if (defined(ENABLE_EGRESS_GATEWAY) || defined(TUNNEL_MODE))
 encap_redirect: