bpf: Preserve source identity for hairpin via stack

When Cilium is used in chaining mode with portmap, the hostPort is translated using iptables DNAT as inserted by the portmap plugin. When this happens all within a node, we can preserve the source identity for the reply traffic for correct visibility. The traffic will be allowed anyway based on the connection tracking state. Updates: #9784 Signed-off-by: Thomas Graf <thomas@cilium.io>
cilium · Apr 14, 2020 · f25d8b9 · f25d8b9
1 parent fcc5b2b
commit f25d8b9
Showing 1 changed file with 15 additions and 4 deletions.
diff --git a/bpf/bpf_lxc.c b/bpf/bpf_lxc.c
@@ -354,12 +354,17 @@ static __always_inline int ipv6_l3_from_lxc(struct __ctx_buff *ctx,
 		set_encrypt_key_mark(ctx, encrypt_key);
 #ifdef IP_POOLS
 		set_encrypt_dip(ctx, tunnel_endpoint);
-#else
-		set_identity_mark(ctx, SECLABEL);
 #endif
 	}
 #endif
 #endif
+	/* Always encode the source identity when passing to the stack. If the
+	 * stack hairpins the packet back to a local endpoint the source
+	 * identity can still be derived even if SNAT is performed by a
+	 * component such as portmap */
+	ctx->mark |= MARK_MAGIC_IDENTITY;
+	set_identity_mark(ctx, SECLABEL);
+
 	return CTX_ACT_OK;
 }
 
@@ -705,12 +710,18 @@ static __always_inline int handle_ipv4_from_lxc(struct __ctx_buff *ctx,
 		set_encrypt_key_mark(ctx, encrypt_key);
 #ifdef IP_POOLS
 		set_encrypt_dip(ctx, tunnel_endpoint);
-#else
-		set_identity_mark(ctx, SECLABEL);
 #endif
 	}
 #endif
 #endif
+
+	/* Always encode the source identity when passing to the stack. If the
+	 * stack hairpins the packet back to a local endpoint the source
+	 * identity can still be derived even if SNAT is performed by a
+	 * component such as portmap */
+	ctx->mark |= MARK_MAGIC_IDENTITY;
+	set_identity_mark(ctx, SECLABEL);
+
 	cilium_dbg_capture(ctx, DBG_CAPTURE_DELIVERY, 0);
 	return CTX_ACT_OK;
 }