bpf: nat: use common set of rewrite helpers #27509
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
julianwiedmann
added
kind/enhancement
|
/test |
julianwiedmann
force-pushed
the
1.15-bpf-nat-rewrite-helpers
branch
from
f4df877
to
ae51fa8
Compare
|
/test |
julianwiedmann
force-pushed
the
1.15-bpf-nat-rewrite-helpers
branch
from
ae51fa8
to
cd33b06
Compare
|
/ci-verifier |
|
/test |
julianwiedmann
force-pushed
the
1.15-bpf-nat-rewrite-helpers
branch
from
cd33b06
to
7d7aeca
Compare
|
/test |
We've grown way too many variants of helpers that rewrite the packet headers for NAT purposes. They all slightly differ in terms of what input parameters they expect, and what types of ICMP packets they support. Introduce a generic set of flexible helpers to rule them all. Start by converting the DSR RevDNAT path to these new helpers. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
We've previously removed the IPv6 variant of this code in ae197e6, as `icmp_echoreply` would always cause us to skip SNAT for such packets. The IPv4 path is slightly different: here we need to consider that the EgressGW section could force us to SNAT the packet. But in practice that's not a concern - the packet is a reply for an inbound ECHO, and EgressGW policy only applies to outbound connections. Thus we can remove this code. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
This starts exercising the ICMP support in the generic helpers. Thus we need to pass down a variable `port_off` parameter from snat_v*_nat(). Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
…pers These ICMP types embed the original packet that exceeded the path MTU. If this packet was SNATed on egress, we need to rewrite the inner headers before passing the ICMP packet up. Otherwise the originating endpoint will not be able to match it against the offending connection. Instead of maintaining custom helpers for this rewrite, switch the handlers over to the generic helpers. While at it also pass a `inner_l3_off` parameter to make them a bit more agnostic of the outer ICMP packet type. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
…pers We currently call csum_l4_replace() to apply the L3 NAT diff into the L4 csum's pseudo-hdr component. But l4_modify_port() internally also updates the L4 csum when rewriting the port. Combine these two calls into one. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
julianwiedmann
force-pushed
the
1.15-bpf-nat-rewrite-helpers
branch
from
7d7aeca
to
7215a2c
Compare
|
/test |
julianwiedmann
changed the title
maintainer-s-little-helper
bot
added
ready-to-merge
github-merge-queue
bot
removed this pull request from the merge queue due to no response for status checks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We've grown way too many variants of helpers that rewrite the packet
headers for NAT purposes. They all slightly differ in terms of what
input parameters they expect, and what types of ICMP packets they support.
This PR introduces a generic set of flexible helpers to rule them all, and converts over many of the old paths.
There's a few more places to convert, but I believe this is good enough for a first shot. I'll take on the others as a follow-on.