bpf: minor HostFW cleanups #25881
Combine some ENABLE_HOST_FIREWALL sections, and limit the definition of relevant variables.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

cil_to_netdev() only uses the `proto` variable when the hostFW is enabled. handle_to_netdev_ipv6() is already wrapped in ENABLE_HOST_FIREWALL, no need to also check it inside the function.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

This feels rather bogus, the .node_port flag should only ever be used by the nodeport code. We can also trust that ct_buffer.ct_state.node_port is never actually set:
- the callers of ipv*_host_policy_ingress_lookup() 0-initialize the whole ct_buffer struct, and
- the CT lookup returned CT_NEW, thus ct_buffer.ct_state is unchanged.
So just remove this code.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
fdb449e to 278ca25
/test
from_host_raw = ctx_load_meta(ctx, CB_FROM_HOST);
ctx_store_meta(ctx, CB_FROM_HOST, 0);
#endif /* ENABLE_HOST_FIREWALL */
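Review bot: the ordering of `from_host_raw = ctx_load_meta(ctx, CB_FROM_HOST);` and `ctx_store_meta(ctx, CB_FROM_HOST, 0);` relative to any earlier return is the thing to pin down in this block: as the discussion concludes, the only return ahead of it is a drop, so no non-zero CB_FROM_HOST value can reach a later program, but that is an assumption about the code above these lines that nothing in the block itself enforces. Suggest a one-line comment above the load stating that CB_FROM_HOST must be read and cleared before any non-drop return, so a future early return does not silently reintroduce a metadata leak.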
I believe we want this block to be above any potential early return, so that we don't leak any non-zero metadata.
But the only preceding return is a drop?
Well, yes, I guess it should be safe then.
I was under the impression we try to clear metadata as the first thing in the function for extra robustness, but it doesn't look problematic in this case.
from_host_raw = ctx_load_meta(ctx, CB_FROM_HOST);
ctx_store_meta(ctx, CB_FROM_HOST, 0);
#endif /* ENABLE_HOST_FIREWALL */
Same here.
Some innocent cleanups from poking around in the HostFW paths.