bpf: host: add drop notify for do_netdev_encrypt()

do_netdev_encrypt_encap() can return various errors, but its caller doesn't raise the corresponding drop notification. Also clean up the one case in do_netdev_encrypt_encap() where we currently *do* raise a drop notification. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
cilium · May 12, 2023 · 9788f53 · 9788f53
1 parent f601b4c
commit 9788f53
Showing 1 changed file with 6 additions and 4 deletions.
diff --git a/bpf/bpf_host.c b/bpf/bpf_host.c
@@ -957,9 +957,7 @@ static __always_inline int do_netdev_encrypt_encap(struct __ctx_buff *ctx, __u32
 # endif /* ENABLE_IPV4 */
 	}
 	if (!ep)
-		return send_drop_notify_error(ctx, src_id,
-					      DROP_NO_TUNNEL_ENDPOINT,
-					      CTX_ACT_DROP, METRIC_EGRESS);
+		return DROP_NO_TUNNEL_ENDPOINT;
 
 	ctx->mark = 0;
 	bpf_clear_meta(ctx);
@@ -1018,7 +1016,11 @@ do_netdev(struct __ctx_buff *ctx, __u16 proto, const bool from_host)
 			send_trace_notify(ctx, TRACE_FROM_STACK, identity, 0, 0,
 					  ctx->ingress_ifindex, TRACE_REASON_ENCRYPTED,
 					  TRACE_PAYLOAD_LEN);
-			return do_netdev_encrypt(ctx, identity);
+			ret = do_netdev_encrypt(ctx, identity);
+			if (IS_ERR(ret))
+				return send_drop_notify_error(ctx, identity, ret,
+							      CTX_ACT_DROP, METRIC_EGRESS);
+			return ret;
 		}
 #endif