bpf: host: optimize from-host's ICMPv6 path

[ upstream commit: 475a194 ] [ backporter's notes: minor conflict due to v1.15 icmp6_host_handle() doesn't have ext_err parameter. ] The ICMPv6 handling in handle_ipv6() is only required for the HostFW or by from-netdev. Exclude it otherwise. This is a minor optimization for dc9dfd7 ("bpf: Re-introduce ICMPv6 NS responder on from-netdev"). Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
cilium · Mar 5, 2024 · fa3cf94 · fa3cf94
1 parent f3e7943
commit fa3cf94
Showing 1 changed file with 15 additions and 12 deletions.
diff --git a/bpf/bpf_host.c b/bpf/bpf_host.c
@@ -148,23 +148,26 @@ handle_ipv6(struct __ctx_buff *ctx, __u32 secctx __maybe_unused,
 #endif /* ENABLE_HOST_FIREWALL */
 	void *data, *data_end;
 	struct ipv6hdr *ip6;
-	int ret, hdrlen;
-	__u8 nexthdr;
+	int ret;
 
 	if (!revalidate_data(ctx, &data, &data_end, &ip6))
 		return DROP_INVALID;
 
-	nexthdr = ip6->nexthdr;
-	hdrlen = ipv6_hdrlen(ctx, &nexthdr);
-	if (hdrlen < 0)
-		return hdrlen;
+	if (is_defined(ENABLE_HOST_FIREWALL) || !from_host) {
+		__u8 nexthdr = ip6->nexthdr;
+		int hdrlen;
 
-	if (likely(nexthdr == IPPROTO_ICMPV6)) {
-		ret = icmp6_host_handle(ctx, ETH_HLEN + hdrlen, !from_host);
-		if (ret == SKIP_HOST_FIREWALL)
-			goto skip_host_firewall;
-		if (IS_ERR(ret))
-			return ret;
+		hdrlen = ipv6_hdrlen(ctx, &nexthdr);
+		if (hdrlen < 0)
+			return hdrlen;
+
+		if (likely(nexthdr == IPPROTO_ICMPV6)) {
+			ret = icmp6_host_handle(ctx, ETH_HLEN + hdrlen, !from_host);
+			if (ret == SKIP_HOST_FIREWALL)
+				goto skip_host_firewall;
+			if (IS_ERR(ret))
+				return ret;
+		}
 	}
 
 #ifdef ENABLE_NODEPORT