bpf: Improve compilation coverage

Compile test NodePort, DSR, HostPort, masquerading, and IPSec.
Previously, NodePort and DSR were always undefined (because FROM_HOST
was always defined), whereas masquerading and IPSec were always defined.
HostPort was also not compile tested because of a typo and MAX_LXC_OPTIONS
was missing a few options.

Because programs compiled with MAX_*_OPTIONS are then loaded on a 4.9
kernel during the RuntimeVerifier test, we can't enable NodePort and
associated options there.

Signed-off-by: Paul Chaignon <paul@cilium.io>

bpf/Makefile

@@ -34,9 +34,11 @@ LB_OPTIONS = \
 	-DENABLE_IPV4:-DLB_L3 \
 	-DENABLE_IPV4:-DLB_L4 \
 	-DENABLE_IPV4:-DLB_L3:-DLB_L4 \
+	-DENABLE_IPV4:-DENABLE_IPSEC \
 	-DENABLE_IPV6:-DLB_L3 \
 	-DENABLE_IPV6:-DLB_L4 \
 	-DENABLE_IPV6:-DLB_L3:-DLB_L4 \
+	-DENABLE_IPV6:-DENABLE_IPSEC \
 	-DENABLE_IPV4:-DENABLE_IPV6:-DLB_L3 \
 	-DENABLE_IPV4:-DENABLE_IPV6:-DLB_L4 \
 	-DENABLE_IPV4:-DENABLE_IPV6:-DLB_L3:-DLB_L4 \
@@ -46,13 +48,14 @@ LB_OPTIONS = \
 	-DENABLE_IPV4:-DENABLE_IPV6:-DLB_L3:-DLB_L4:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT \
 	-DENABLE_IPV4:-DENABLE_IPV6:-DLB_L3:-DLB_L4:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP \
 	-DENABLE_IPV4:-DENABLE_IPV6:-DLB_L3:-DLB_L4:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT \
-	-DENABLE_IPV4:-DENABLE_IPV6:-DLB_L3:-DLB_L4:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT:-DENABLE_EXTERNAL_IP
+	-DENABLE_IPV4:-DENABLE_IPV6:-DLB_L3:-DLB_L4:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT:-DENABLE_EXTERNAL_IP \
+	-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_IPSEC:-DLB_L3:-DLB_L4:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT:-DENABLE_EXTERNAL_IP
 
 # These options are intended to max out the BPF program complexity. it is load
 # tested as well.
 MAX_LB_OPTIONS = -DENABLE_IPV4 -DENABLE_IPV6 -DLB_L3 -DLB_L4 \
-	-DENABLE_HOST_SERVICES_TCP -DENABLE_HOST_SERVICES_UDP -DENABLE_NODEPORT \
-	-DENABLE_EXTERNAL_IP
+	-DENABLE_HOST_SERVICES_TCP -DENABLE_HOST_SERVICES_UDP \
+	-DENABLE_IPSEC
 
 bpf_sock.ll: bpf_sock.c $(LIB)
 	$(QUIET) set -e; \
@@ -76,7 +79,7 @@ OVERLAY_OPTIONS = \
 
 # These options are intended to max out the BPF program complexity. it is load
 # tested as well.
-MAX_OVERLAY_OPTIONS = -DENABLE_IPV4 -DENABLE_IPV6 #-DENABLE_IPSEC (from node_config.h)
+MAX_OVERLAY_OPTIONS = -DENABLE_IPV4 -DENABLE_IPV6 -DENABLE_IPSEC
 
 bpf_overlay.ll: bpf_overlay.c $(LIB)
 	$(QUIET) set -e; \
@@ -95,12 +98,14 @@ bpf_overlay.o: bpf_overlay.ll
 
 NETDEV_OPTIONS = $(LB_OPTIONS) \
 	-DENABLE_IPV4:-DENABLE_IPV6:-DLB_L3:-DLB_L4:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_EXTERNAL_IP:-DENABLE_DSR:-DFROM_HOST \
-	-DENABLE_IPV4:-DENABLE_IPV6:-DLB_L3:-DLB_L4:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT:-DENABLE_EXTERNAL_IP:-DHOST_PORT \
+	-DENABLE_IPV4:-DENABLE_IPV6:-DLB_L3:-DLB_L4:-DENABLE_IPSEC:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_EXTERNAL_IP:-DENABLE_DSR:-DFROM_HOST \
+	-DENABLE_IPV4:-DENABLE_IPV6:-DLB_L3:-DLB_L4:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT:-DENABLE_EXTERNAL_IP:-DENABLE_HOSTPORT \
 	-DENABLE_IPV4:-DENABLE_IPV6:-DLB_L3:-DLB_L4:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT:-DENABLE_EXTERNAL_IP:-DENABLE_MASQUERADE \
+	-DENABLE_IPV4:-DENABLE_IPV6:-DLB_L3:-DLB_L4:-DENABLE_IPSEC:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT:-DENABLE_EXTERNAL_IP:-DENABLE_MASQUERADE \
 	-DENABLE_IPV4:-DENABLE_IPV6:-DLB_L3:-DLB_L4:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT:-DENABLE_EXTERNAL_IP:-DENABLE_DSR \
 	-DENABLE_IPV4:-DENABLE_IPV6:-DLB_L3:-DLB_L4:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT:-DENABLE_EXTERNAL_IP:-DENABLE_DSR:-DENABLE_DSR_HYBRID \
 
-MAX_NETDEV_OPTIONS = $(MAX_LB_OPTIONS) -DENABLE_DSR -DENABLE_MASQUERADE -DENABLE_DSR_HYBRID -DENABLE_HOSTPORT
+MAX_NETDEV_OPTIONS = $(MAX_LB_OPTIONS)
 
 bpf_netdev.ll: bpf_netdev.c $(LIB)
 	$(QUIET) set -e; \
@@ -133,11 +138,14 @@ LXC_OPTIONS = \
 	 -DENABLE_IPV6:-DENABLE_IPV4:-DENABLE_ROUTING \
 	 -DENABLE_IPV4:-DENABLE_IPV6:-DHAVE_LPM_TRIE_MAP_TYPE:-DHAVE_LRU_HASH_MAP_TYPE \
 	 -DENABLE_HOST_REDIRECT:-DENABLE_IPV4:-DENABLE_IPV6 \
-	 -DENABLE_HOST_REDIRECT:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NAT46
+	 -DENABLE_HOST_REDIRECT:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NAT46 \
+	 -DENABLE_NODEPORT:-DENABLE_IPV4:-DENABLE_IPV6 \
+	 -DENABLE_NODEPORT:-DENABLE_DSR:-DENABLE_IPV4:-DENABLE_IPV6
 
 # These options are intended to max out the BPF program complexity. it is load
 # tested as well.
-MAX_LXC_OPTIONS = -DENABLE_IPV4 -DENABLE_IPV6
+MAX_LXC_OPTIONS = -DENABLE_IPV4 -DENABLE_IPV6 -DENABLE_HOST_REDIRECT -DENABLE_NAT46 \
+	-DENABLE_ROUTING -DENABLE_IPSEC
 
 bpf_lxc.ll: bpf_lxc.c $(LIB)
 	$(QUIET) set -e; \

bpf/lib/conntrack.h

@@ -827,57 +827,70 @@ static __always_inline int ct_create4(const void *map_main, const void *map_rela
 	return 0;
 }
 #else /* !CONNTRACK */
-static __always_inline int ct_lookup6(void *map, struct ipv6_ct_tuple *tuple,
-				      struct __ctx_buff *ctx, int off, int dir,
-				      struct ct_state *ct_state, __u32 *monitor)
+static __always_inline int
+ct_lookup6(void *map __maybe_unused, struct ipv6_ct_tuple *tuple __maybe_unused,
+	   struct __ctx_buff *ctx __maybe_unused, int off __maybe_unused,
+	   int dir __maybe_unused, struct ct_state *ct_state __maybe_unused,
+	   __u32 *monitor __maybe_unused)
 {
 	return 0;
 }
 
-static __always_inline int ct_lookup4(void *map, struct ipv4_ct_tuple *tuple,
-				      struct __ctx_buff *ctx, int off, int dir,
-				      struct ct_state *ct_state, __u32 *monitor)
+static __always_inline int
+ct_lookup4(void *map __maybe_unused, struct ipv4_ct_tuple *tuple __maybe_unused,
+	   struct __ctx_buff *ctx __maybe_unused, int off __maybe_unused,
+	   int dir __maybe_unused, struct ct_state *ct_state __maybe_unused,
+	   __u32 *monitor __maybe_unused)
 {
 	return 0;
 }
 
-static __always_inline void ct_update6_backend_id(void *map,
-						  struct ipv6_ct_tuple *tuple,
-						  struct ct_state *state)
+static __always_inline void
+ct_update6_backend_id(void *map __maybe_unused,
+		      struct ipv6_ct_tuple *tuple __maybe_unused,
+		      struct ct_state *state __maybe_unused)
 {
 }
 
 static __always_inline void
-ct_update6_rev_nat_index(void *map, struct ipv6_ct_tuple *tuple,
-			 struct ct_state *state)
+ct_update6_rev_nat_index(void *map __maybe_unused,
+			 struct ipv6_ct_tuple *tuple __maybe_unused,
+			 struct ct_state *state __maybe_unused)
 {
 }
 
-static __always_inline int ct_create6(const void *map_main, const void *map_related,
-				      struct ipv6_ct_tuple *tuple,
-				      struct __ctx_buff *ctx, const int dir,
-				      struct ct_state *ct_state,
-				      bool from_proxy)
+static __always_inline int
+ct_create6(const void *map_main __maybe_unused,
+	   const void *map_related __maybe_unused,
+	   struct ipv6_ct_tuple *tuple __maybe_unused,
+	   struct __ctx_buff *ctx __maybe_unused, const int dir __maybe_unused,
+	   struct ct_state *ct_state __maybe_unused,
+	   bool from_proxy __maybe_unused)
 {
 	return 0;
 }
 
-static __always_inline void ct_update4_backend_id(void *map,
-						  struct ipv4_ct_tuple *tuple,
-					          struct ct_state *state)
+static __always_inline void
+ct_update4_backend_id(void *map __maybe_unused,
+		      struct ipv4_ct_tuple *tuple __maybe_unused,
+		      struct ct_state *state __maybe_unused)
 {
 }
 
 static __always_inline void
-ct_update4_rev_nat_index(void *map, struct ipv4_ct_tuple *tuple,
-			 struct ct_state *state)
+ct_update4_rev_nat_index(void *map __maybe_unused,
+			 struct ipv4_ct_tuple *tuple __maybe_unused,
+			 struct ct_state *state __maybe_unused)
 {
 }
 
-static __always_inline int ct_create4(const void *map_main, const void *map_related,
-				      struct ipv4_ct_tuple *tuple,
-				      struct __ctx_buff *ctx, const int dir,
-				      struct ct_state *ct_state, bool from_proxy)
+static __always_inline int
+ct_create4(const void *map_main __maybe_unused,
+	   const void *map_related __maybe_unused,
+	   struct ipv4_ct_tuple *tuple __maybe_unused,
+	   struct __ctx_buff *ctx __maybe_unused, const int dir __maybe_unused,
+	   struct ct_state *ct_state __maybe_unused,
+	   bool from_proxy __maybe_unused)
 {
 	return 0;
 }

bpf/lib/encap.h

@@ -156,7 +156,8 @@ __encap_and_redirect_with_nodeid(struct __ctx_buff *ctx, __u32 tunnel_endpoint,
  */
 static __always_inline int
 encap_and_redirect_with_nodeid(struct __ctx_buff *ctx, __u32 tunnel_endpoint,
-			       __u8 key, __u32 seclabel, __u32 monitor)
+			       __u8 key __maybe_unused, __u32 seclabel,
+			       __u32 monitor)
 {
 #ifdef ENABLE_IPSEC
 	if (key)
@@ -177,8 +178,8 @@ encap_and_redirect_with_nodeid(struct __ctx_buff *ctx, __u32 tunnel_endpoint,
  */
 static __always_inline int
 encap_and_redirect_lxc(struct __ctx_buff *ctx, __u32 tunnel_endpoint,
-		       __u8 encrypt_key, struct endpoint_key *key, __u32 seclabel,
-		       __u32 monitor)
+		       __u8 encrypt_key __maybe_unused,
+		       struct endpoint_key *key, __u32 seclabel, __u32 monitor)
 {
 	struct endpoint_key *tunnel;
 

bpf/lib/nat.h

@@ -1030,8 +1030,9 @@ void snat_v6_delete_tuples(struct ipv6_ct_tuple *tuple __maybe_unused)
 #endif
 
 #ifdef CONNTRACK
-static __always_inline __maybe_unused void ct_delete4(void *map, struct ipv4_ct_tuple *tuple,
-						      struct __ctx_buff *ctx)
+static __always_inline __maybe_unused void
+ct_delete4(void *map __maybe_unused, struct ipv4_ct_tuple *tuple __maybe_unused,
+	   struct __ctx_buff *ctx __maybe_unused)
 {
 	int err;
 
@@ -1041,8 +1042,9 @@ static __always_inline __maybe_unused void ct_delete4(void *map, struct ipv4_ct_
 		snat_v4_delete_tuples(tuple);
 }
 
-static __always_inline __maybe_unused void ct_delete6(void *map, struct ipv6_ct_tuple *tuple,
-						      struct __ctx_buff *ctx)
+static __always_inline __maybe_unused void
+ct_delete6(void *map __maybe_unused, struct ipv6_ct_tuple *tuple __maybe_unused,
+	   struct __ctx_buff *ctx __maybe_unused)
 {
 	int err;
 
@@ -1052,18 +1054,21 @@ static __always_inline __maybe_unused void ct_delete6(void *map, struct ipv6_ct_
 		snat_v6_delete_tuples(tuple);
 }
 #else
-static __always_inline __maybe_unused void ct_delete4(void *map, struct ipv4_ct_tuple *tuple,
-						      struct __ctx_buff *ctx)
+static __always_inline __maybe_unused void
+ct_delete4(void *map __maybe_unused, struct ipv4_ct_tuple *tuple __maybe_unused,
+	   struct __ctx_buff *ctx __maybe_unused)
 {
 }
 
-static __always_inline __maybe_unused void ct_delete6(void *map, struct ipv6_ct_tuple *tuple,
-						      struct __ctx_buff *ctx)
+static __always_inline __maybe_unused void
+ct_delete6(void *map __maybe_unused, struct ipv6_ct_tuple *tuple __maybe_unused,
+	   struct __ctx_buff *ctx __maybe_unused)
 {
 }
 #endif
 
-static __always_inline __maybe_unused int snat_process(struct __ctx_buff *ctx, int dir)
+static __always_inline __maybe_unused int
+snat_process(struct __ctx_buff *ctx __maybe_unused, int dir __maybe_unused)
 {
 	int ret = CTX_ACT_OK;
 

bpf/node_config.h

@@ -31,7 +31,6 @@ DEFINE_IPV6(HOST_IP, 0xbe, 0xef, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0xa, 0x
 #define REMOTE_NODE_ID 6
 #define HOST_IFINDEX_MAC { .addr = { 0xce, 0x72, 0xa7, 0x03, 0x88, 0x56 } }
 #define NAT46_PREFIX { .addr = { 0xbe, 0xef, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x0, 0x0 } }
-#define ENABLE_MASQUERADE 1
 #define BPF_PKT_DIR 1
 #define NODEPORT_PORT_MIN 30000
 #define NODEPORT_PORT_MAX 32767
@@ -56,15 +55,15 @@ DEFINE_IPV6(HOST_IP, 0xbe, 0xef, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0xa, 0x
 #define IPV4_MASK 0xffff
 #define IPV4_GATEWAY 0xfffff50a
 #define IPV4_LOOPBACK 0x1ffff50a
-#ifdef ENABLE_MASQUERADE
+#if defined ENABLE_MASQUERADE || defined ENABLE_NODEPORT
 #define SNAT_IPV4_EXTERNAL IPV4_GATEWAY
 #define SNAT_MAPPING_IPV4 cilium_snat_v4_external
 #define SNAT_MAPPING_IPV4_SIZE 524288
 #endif /* ENABLE_MASQUERADE */
 #endif /* ENABLE_IPV4 */
 
 #ifdef ENABLE_IPV6
-#ifdef ENABLE_MASQUERADE
+#if defined ENABLE_MASQUERADE || defined ENABLE_NODEPORT
 DEFINE_IPV6(SNAT_IPV6_EXTERNAL, 0xbe, 0xef, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x1, 0x0, 0x1, 0x0, 0x0);
 #define SNAT_MAPPING_IPV6 cilium_snat_v6_external
 #define SNAT_MAPPING_IPV6_SIZE 524288
@@ -108,9 +107,8 @@ DEFINE_IPV6(SNAT_IPV6_EXTERNAL, 0xbe, 0xef, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0
 #endif
 #define MONITOR_AGGREGATION 5
 #define MTU 1500
-#define ENABLE_IPSEC
 #define EPHEMERAL_MIN 32768
-#ifdef ENABLE_MASQUERADE
+#if defined ENABLE_MASQUERADE || defined ENABLE_NODEPORT
 #define CT_MAP_TCP6 test_cilium_ct_tcp6_65535
 #define CT_MAP_ANY6 test_cilium_ct_any6_65535
 #define CT_MAP_TCP4 test_cilium_ct_tcp4_65535

test/bpf/unit-test.c

@@ -10,6 +10,8 @@
 #include "lib/common.h"
 #include "node_config.h"
 
+#define CONNTRACK
+
 #define htonl bpf_htonl
 #define ntohl bpf_ntohl