bpf: dsr: also RevDNAT the tunnel_key for replies in hs-ipcache mode

When a DSR backend replies back to the client in a hs-ipcache configuration, it potentially uses tunnel encapsulation (based on the configured WorldCIDR). RevDNAT for the reply is then handled in to-overlay. To match the LB path (where both the inner and outer DstIP were set to the service IP), we should also revDNAT the outer SrcIP. As we're in the to-overlay program, the SrcIP is stored in the tunnel_key. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
cilium · Jun 1, 2023 · f541499 · f541499
1 parent e7d5a18
commit f541499
Showing 1 changed file with 23 additions and 0 deletions.
diff --git a/bpf/lib/nodeport.h b/bpf/lib/nodeport.h
@@ -2445,6 +2445,29 @@ nodeport_rev_dnat_fwd_ipv4(struct __ctx_buff *ctx, struct trace_ctx *trace)
 			ret = xlate_dsr_v4(ctx, &tuple, l4_off, has_l4_header);
 			if (IS_ERR(ret))
 				return ret;
+
+ #if defined(ENABLE_HIGH_SCALE_IPCACHE) &&				\
+     defined(IS_BPF_OVERLAY) &&						\
+     DSR_ENCAP_MODE == DSR_ENCAP_GENEVE
+			/* For HS IPCache, we also need to revDNAT the OuterSrcIP: */
+			{
+				struct bpf_tunnel_key key;
+
+				if (ctx_get_tunnel_key(ctx, &key, sizeof(key), 0) < 0)
+					return DROP_NO_TUNNEL_KEY;
+
+				if (!revalidate_data(ctx, &data, &data_end, &ip4))
+					return DROP_INVALID;
+
+				/* kernel returns addresses in flipped locations: */
+				key.remote_ipv4 = key.local_ipv4;
+				key.local_ipv4 = bpf_ntohl(ip4->saddr);
+
+				if (ctx_set_tunnel_key(ctx, &key, sizeof(key),
+						       BPF_F_ZERO_CSUM_TX) < 0)
+					return DROP_WRITE_ERROR;
+			}
+ #endif
 #endif
 		}
 	}