bpf: nat: tolerate unhandled protocol types in revSNAT path

[julianwiedmann]

In the past we would just pass up packets with unknown protocols, and let the next layer (or the stack) deal with them.

#19753 recently added error handling for the revSNAT paths, so that we can catch errors while eg. rewriting the packet headers.

But we want to preserve the old behaviour of tolerating unknown protocol types. So return NAT_PUNT_TO_STACK from a few additional ICMP paths.

[julianwiedmann]

/test

Job 'Cilium-PR-K8s-1.25-kernel-4.19' failed:

Click to show.

Test Name

K8sDatapathServicesTest Checks E/W loadbalancing (ClusterIP, NodePort from inside cluster, etc) with L7 policy Tests NodePort with L7 Policy

Failure Output

FAIL: Request from testclient-ffqvl pod to service tftp://[fd04::12]:30606/hello failed

Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.25-kernel-4.19/208/

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.25-kernel-4.19 so I can create one.

Then please upload the Jenkins artifacts to that issue.

[julianwiedmann]

https://jenkins.cilium.io/job/Cilium-PR-K8s-1.25-kernel-4.19/208/ failed with #24961.

[julianwiedmann]

/test-1.25-4.19

[brb]

@julianwiedmann Too late to the party, but do you plan to do the same for snat_v4_nat()?

[julianwiedmann]

@julianwiedmann Too late to the party, but do you plan to do the same for snat_v4_nat()?

We should make the same change, but not sure whether I will get to it. It's also not quite as trivial (as we should at least consider whether all types of traffic are ok to leave the node untranslated).