New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
bpf: lb: clean up IPv4 loopback handling #25456
bpf: lb: clean up IPv4 loopback handling #25456
Conversation
/test |
/test |
0175730
to
5e8d1dc
Compare
/test |
5e8d1dc
to
980808a
Compare
/ci-verifier |
/test |
Some random before/after observations:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approved, contingent on a small nit with the conditional changing of structure field layout.
Discussed out of bound with Julian.
980808a
to
9a39a1c
Compare
Mirror how the agent compiles these programs, so that we can exclude the IPv4 loopback code from the nodeport LB paths. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
There's no loopback support for IPv6, see lb6_local(). So this flag will always be 0. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
The relevant loopback code in lb4_local() already has this condition. So also apply it to all the CT paths that would process an entry with the .loopback flag set. This excludes the CT loopback code sections from all nodeport paths. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
The loopback case is only relevant after a successful service lookup in bpf_lxc's from-container flow. Here the CT entry is created with CT_EGRESS scope. Make this obvious in the code. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
This hasn't aged well, so might as well remove it to make our life easier. For nodeport connections we inherit the ct_state from the preceding call to lb4_local(), and ct_state->addr is set to the backend address. We can get the same information from the actual connection tuple (as the packet has already been service-DNATed). For service connections from bpf_lxc we typically don't restore state->addr in lb4_ctx_restore_state(), so this field will just be 0. The expection being a loopback connection, where it's hard-coded to IPV4_LOOPBACK. In either case this has long stopped being the "lb address". Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Neither of the callers cares about this field. In particular for the loopback case, lb4_ctx_restore_state() simply sets up the "new" ct_state struct with IPV4_LOOPBACK when .loopback is set. So even here it's not required to reflect the .saddr back to the caller from lb4_local(). Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
The loopback handling is only relevant for usage in bpf_lxc. Don't include it from the nodeport paths. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
…_state Make it easier to catch stray users of the loopback-specific fields. And improve the compile tests to actually cover this. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
9a39a1c
to
4ed09d5
Compare
-> pushed https://github.com/cilium/cilium/compare/980808a212338add90c7c1b34993a761b880930a..9a39a1c1731cc949e89a44946df7181b18701d89 |
/test Job 'Cilium-PR-K8s-1.26-kernel-net-next' failed: Click to show.Test Name
Failure Output
Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.26-kernel-net-next/2383/ If it is a flake and a GitHub issue doesn't already exist to track it, comment Then please upload the Jenkins artifacts to that issue. |
/mlh new-flake Cilium-PR-K8s-1.26-kernel-net-next |
opened #25522 for the runtime flake |
/test-runtime |
Jumping in for mlh, opened #25524 for the net-next flake in https://jenkins.cilium.io/job/Cilium-PR-K8s-1.26-kernel-net-next/2383/testReport/Suite-k8s-1/26/K8sDatapathServicesTest_Checks_N_S_loadbalancing_With_host_policy_Tests_NodePort/ |
/test-1.26-net-next Job 'Cilium-PR-K8s-1.26-kernel-net-next' failed: Click to show.Test Name
Failure Output
Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.26-kernel-net-next/2386/ If it is a flake and a GitHub issue doesn't already exist to track it, comment Then please upload the Jenkins artifacts to that issue. |
/test-1.26-net-next |
bpf_host
,bpf_overlay
andbpf_xdp
are compiled by the agent withDISABLE_LOOPBACK_LB
, to exclude the IPv4 loopback handling from their nodeport LB code paths.Apply this fact across