bpf: Refactor egressgw code into is_cluster_destination

Move several check from bpf_lxc into a helper function is_cluster_destination(). Signed-off-by: Paul Chaignon <paul@cilium.io>
cilium · Nov 15, 2021 · ef858bb · ef858bb
1 parent 3d54ee5
commit ef858bb
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 11 deletions.
diff --git a/bpf/bpf_lxc.c b/bpf/bpf_lxc.c
@@ -798,17 +798,7 @@ static __always_inline int handle_ipv4_from_lxc(struct __ctx_buff *ctx,
 		struct egress_info *info;
 		struct endpoint_key key = {};
 
-		/* If tunnel endpoint is found in ipcache, it means the remote endpoint is
-		 * in cluster. In this case, we should skip egress gateway. If destination
-		 * is either remote node or host node, also skip egress gateway.
-		 */
-		if (tunnel_endpoint != 0 || *dst_id == REMOTE_NODE_ID || *dst_id == HOST_ID)
-			goto skip_egress_gateway;
-
-		/* If destination ip matches a local endpoint, we should also
-		 * skip egress gateway.
-		 */
-		if (lookup_ip4_endpoint(ip4))
+		if (is_cluster_destination(ip4, *dst_id, tunnel_endpoint))
 			goto skip_egress_gateway;
 
 		info = lookup_ip4_egress_endpoint(ip4->saddr, ip4->daddr);

diff --git a/bpf/lib/egress_policies.h b/bpf/lib/egress_policies.h
@@ -5,6 +5,33 @@
 #define __LIB_EGRESS_POLICIES_H_
 
 #ifdef ENABLE_EGRESS_GATEWAY
+/* is_cluster_destination returns true if the given destination is part of the
+ * cluster. It uses the ipcache and endpoint maps information.
+ */
+static __always_inline bool
+is_cluster_destination(struct iphdr *ip4, __u32 dst_id, __u32 tunnel_endpoint)
+{
+	/* If tunnel endpoint is found in ipcache, it means the remote endpoint
+	 * is in cluster.
+	 */
+	if (tunnel_endpoint != 0)
+		return true;
+
+	/* If the destination is a Cilium-managed node (remote or local), it's
+	 * part of the cluster.
+	 */
+	if (dst_id == REMOTE_NODE_ID || dst_id == HOST_ID)
+		return true;
+
+	/* Use the endpoint map to know if the destination is a local endpoint.
+	 */
+	if (lookup_ip4_endpoint(ip4))
+		return true;
+
+	/* Everything else is outside the cluster. */
+	return false;
+}
+
 /* EGRESS_STATIC_PREFIX gets sizeof non-IP, non-prefix part of egress_key */
 # define EGRESS_STATIC_PREFIX							\
 	(8 * (sizeof(struct egress_key) - sizeof(struct bpf_lpm_trie_key)	\