cilium: fib lookup consolidation #23884
/test
(All green except net-next and external workloads (https://github.com/cilium/cilium/actions/runs/4223077357))
/test
/test
(CI was all green before, squashed some of the commits. No code changes.)
@borkmann if this is major, can you please add a
@borkmann can you update the release note labels? This is currently marked as both major and misc. It's fixing bugs, so it seems like it's a bugfix?
The limitation exists mainly on old kernels where the fib lookup helper does not populate the outgoing ifindex. Only for this case we rely on the CT lookup stored ifindex which back then was added as a 16-bit field due to limited padding space available. Nowadays this can be lifted after the big rework in #23884. We've seen users with high netdevice churn run into this limitation where the agent bails out. Apart from fixing the bleed, this can be further refined by not relying on the asm.FnRedirectPeer helper presence but by actually doing a runtime BPF program probe so that stable kernels can even be covered.

Fixes: #16260
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit bd8b4d0 ]
[ manual conflict resolution in kube_proxy_replacement.go and nodeport.h due to difference from upstream, the latter mainly in locations where we ifdef ct_state.ifindex ]

The limitation exists mainly on old kernels where the fib lookup helper does not populate the outgoing ifindex. Only for this case we rely on the CT lookup stored ifindex which back then was added as a 16-bit field due to limited padding space available. Nowadays this can be lifted after the big rework in #23884. We've seen users with high netdevice churn run into this limitation where the agent bails out. Apart from fixing the bleed, this can be further refined by not relying on the asm.FnRedirectPeer helper presence but by actually doing a runtime BPF program probe so that stable kernels can even be covered.

Fixes: #16260
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
This series reworks and consolidates all fib lookups in our BPF code to utilize common functionality.
For tc BPF, this means that redirect_neigh code can be used whenever neighbors cannot be resolved. XDP utilizes the BPF neighbor map as we cannot do this ad-hoc in this layer.
This affects KPR, standalone LB, NAT46x64 GW, DSR code.
Fixes: #22782
Fixes: #22800
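The forwarding decision the PR description sketches (fib lookup first; at tc fall back to redirect_neigh when no neighbour is resolved, at XDP fall back to a BPF neighbour map), written out as an added userspace model. This is not Cilium's bpf/lib code: the return codes follow the kernel's bpf_fib_lookup ABI, but the `fib_result` struct, the `neigh_map` table, the sample MACs and the drop-on-unknown-neighbour choice at XDP are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

/* Kernel bpf_fib_lookup() return codes relevant here. */
#define BPF_FIB_LKUP_RET_SUCCESS   0  /* nexthop resolved, dmac filled in */
#define BPF_FIB_LKUP_RET_NO_NEIGH  7  /* route found, but no L2 neighbour yet */

enum layer  { LAYER_TC, LAYER_XDP };
enum action { ACT_REDIRECT, ACT_REDIRECT_NEIGH, ACT_DROP };

/* Subset of struct bpf_fib_lookup that the decision needs (assumed shape). */
struct fib_result {
	int      rc;        /* BPF_FIB_LKUP_RET_* */
	uint32_t ifindex;   /* egress ifindex chosen by the route lookup */
	uint8_t  dmac[6];   /* valid only when rc == SUCCESS */
};

/* Constructed stand-in for the BPF neighbour map: nexthop IPv4 -> MAC. */
struct neigh_entry { uint32_t ip; uint8_t mac[6]; };
static const struct neigh_entry neigh_map[] = {
	{ 0x0a000001u, { 0x02, 0x11, 0x22, 0x33, 0x44, 0x01 } },  /* 10.0.0.1 */
};

static const uint8_t *neigh_lookup(uint32_t ip)
{
	for (size_t i = 0; i < sizeof(neigh_map) / sizeof(neigh_map[0]); i++)
		if (neigh_map[i].ip == ip)
			return neigh_map[i].mac;
	return NULL;
}

/* One decision path shared by both layers. At tc the kernel can resolve the
 * missing neighbour itself via bpf_redirect_neigh() (kernel 5.10+), so we only
 * need the ifindex. At XDP no such helper exists, so the neighbour map is the
 * only source of the L2 address; an unknown nexthop is dropped here. */
enum action fib_redirect(enum layer l, const struct fib_result *fib,
			 uint32_t nexthop, uint8_t dmac_out[6])
{
	if (fib->rc == BPF_FIB_LKUP_RET_SUCCESS) {
		memcpy(dmac_out, fib->dmac, 6);
		return ACT_REDIRECT;          /* bpf_redirect(fib->ifindex) */
	}
	if (fib->rc != BPF_FIB_LKUP_RET_NO_NEIGH)
		return ACT_DROP;              /* blackhole, unreachable, ... */
	if (l == LAYER_TC)
		return ACT_REDIRECT_NEIGH;    /* bpf_redirect_neigh(fib->ifindex) */
	const uint8_t *mac = neigh_lookup(nexthop);
	if (!mac)
		return ACT_DROP;
	memcpy(dmac_out, mac, 6);
	return ACT_REDIRECT;
}
```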