bpf: lb: clean up IPv4 loopback handling #25456
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
maintainer-s-little-helper
bot
added
the
dont-merge/needs-release-note-label
|
/test |
julianwiedmann
added
sig/datapath
maintainer-s-little-helper
bot
removed
the
dont-merge/needs-release-note-label
|
/test |
julianwiedmann
force-pushed
the
1.14-bpf-lb-cleanups
branch
2 times, most recently
from
0175730
to
5e8d1dc
Compare
|
/test |
julianwiedmann
force-pushed
the
1.14-bpf-lb-cleanups
branch
from
5e8d1dc
to
980808a
Compare
|
/ci-verifier |
|
/test |
julianwiedmann
changed the title
julianwiedmann
added
the
kind/complexity-issue
|
Some random before/after observations: |
ldelossa
approved these changes
May 17, 2023
julianwiedmann
force-pushed
the
1.14-bpf-lb-cleanups
branch
from
980808a
to
9a39a1c
Compare
Mirror how the agent compiles these programs, so that we can exclude the IPv4 loopback code from the nodeport LB paths. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
There's no loopback support for IPv6, see lb6_local(). So this flag will always be 0. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
The relevant loopback code in lb4_local() already has this condition. So also apply it to all the CT paths that would process an entry with the .loopback flag set. This excludes the CT loopback code sections from all nodeport paths. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
The loopback case is only relevant after a successful service lookup in bpf_lxc's from-container flow. Here the CT entry is created with CT_EGRESS scope. Make this obvious in the code. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
This hasn't aged well, so might as well remove it to make our life easier. For nodeport connections we inherit the ct_state from the preceding call to lb4_local(), and ct_state->addr is set to the backend address. We can get the same information from the actual connection tuple (as the packet has already been service-DNATed). For service connections from bpf_lxc we typically don't restore state->addr in lb4_ctx_restore_state(), so this field will just be 0. The expection being a loopback connection, where it's hard-coded to IPV4_LOOPBACK. In either case this has long stopped being the "lb address". Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Neither of the callers cares about this field. In particular for the loopback case, lb4_ctx_restore_state() simply sets up the "new" ct_state struct with IPV4_LOOPBACK when .loopback is set. So even here it's not required to reflect the .saddr back to the caller from lb4_local(). Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
The loopback handling is only relevant for usage in bpf_lxc. Don't include it from the nodeport paths. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
…_state Make it easier to catch stray users of the loopback-specific fields. And improve the compile tests to actually cover this. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
julianwiedmann
force-pushed
the
1.14-bpf-lb-cleanups
branch
from
9a39a1c
to
4ed09d5
Compare
-> pushed https://github.com/cilium/cilium/compare/980808a212338add90c7c1b34993a761b880930a..9a39a1c1731cc949e89a44946df7181b18701d89 |
|
/test Job 'Cilium-PR-K8s-1.26-kernel-net-next' failed: Click to show.Test NameFailure OutputJenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.26-kernel-net-next/2383/ If it is a flake and a GitHub issue doesn't already exist to track it, comment Then please upload the Jenkins artifacts to that issue. |
|
/mlh new-flake Cilium-PR-K8s-1.26-kernel-net-next |
|
opened #25522 for the runtime flake |
|
/test-runtime |
|
Jumping in for mlh, opened #25524 for the net-next flake in https://jenkins.cilium.io/job/Cilium-PR-K8s-1.26-kernel-net-next/2383/testReport/Suite-k8s-1/26/K8sDatapathServicesTest_Checks_N_S_loadbalancing_With_host_policy_Tests_NodePort/ |
|
/test-1.26-net-next Job 'Cilium-PR-K8s-1.26-kernel-net-next' failed: Click to show.Test NameFailure OutputJenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.26-kernel-net-next/2386/ If it is a flake and a GitHub issue doesn't already exist to track it, comment Then please upload the Jenkins artifacts to that issue. |
|
/test-1.26-net-next |
julianwiedmann
added
the
ready-to-merge
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
bpf_host,bpf_overlayandbpf_xdpare compiled by the agent withDISABLE_LOOPBACK_LB, to exclude the IPv4 loopback handling from their nodeport LB code paths.Apply this fact across