bpf: nat: use common set of rewrite helpers #27509
Merged: julianwiedmann merged 5 commits into cilium:main from julianwiedmann:1.15-bpf-nat-rewrite-helpers on Aug 17, 2023
julianwiedmann added labels on Aug 15, 2023:
kind/enhancement: This would improve or streamline existing functionality.
sig/datapath: Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
release-note/misc: This PR makes changes that have no direct user impact.
feature/snat: Relates to SNAT or Masquerading of traffic
/test
julianwiedmann force-pushed the 1.15-bpf-nat-rewrite-helpers branch from f4df877 to ae51fa8 (August 15, 2023 13:37)
/test
julianwiedmann force-pushed the 1.15-bpf-nat-rewrite-helpers branch from ae51fa8 to cd33b06 (August 15, 2023 14:07)
/ci-verifier
/test
julianwiedmann force-pushed the 1.15-bpf-nat-rewrite-helpers branch from cd33b06 to 7d7aeca (August 16, 2023 06:08)
/test
We've grown way too many variants of helpers that rewrite the packet headers for NAT purposes. They all slightly differ in terms of what input parameters they expect, and what types of ICMP packets they support. Introduce a generic set of flexible helpers to rule them all. Start by converting the DSR RevDNAT path to these new helpers.
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

We've previously removed the IPv6 variant of this code in ae197e6, as `icmp_echoreply` would always cause us to skip SNAT for such packets. The IPv4 path is slightly different: here we need to consider that the EgressGW section could force us to SNAT the packet. But in practice that's not a concern - the packet is a reply for an inbound ECHO, and EgressGW policy only applies to outbound connections. Thus we can remove this code.
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

This starts exercising the ICMP support in the generic helpers. Thus we need to pass down a variable `port_off` parameter from snat_v*_nat().
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

…pers
These ICMP types embed the original packet that exceeded the path MTU. If this packet was SNATed on egress, we need to rewrite the inner headers before passing the ICMP packet up. Otherwise the originating endpoint will not be able to match it against the offending connection. Instead of maintaining custom helpers for this rewrite, switch the handlers over to the generic helpers. While at it also pass an `inner_l3_off` parameter to make them a bit more agnostic of the outer ICMP packet type.
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

…pers
We currently call csum_l4_replace() to apply the L3 NAT diff into the L4 csum's pseudo-hdr component. But l4_modify_port() internally also updates the L4 csum when rewriting the port. Combine these two calls into one.
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
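
The last commit message above folds the L3 NAT diff and the port rewrite into a single L4 checksum update. The following added example (not code from this PR or from Cilium; `csum_diff16`, `csum_apply` and all packet values are constructed for illustration) uses RFC 1624 arithmetic to show that the two-update and one-update forms both match a full recomputation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum { SADDR = 0, SPORT = 6, NWORDS = 11 };
/* Constructed UDP datagram as 16-bit checksum words (zero checksum field omitted). */
static const uint16_t pkt[NWORDS] = {
	0x0a00, 0x0105, 0xc000, 0x0209, 0x0011, 0x000c, /* pseudo-hdr: 10.0.1.5 -> 192.0.2.9, UDP, len 12 */
	0xc350, 0x0035, 0x000c,                         /* UDP hdr: sport 50000, dport 53, len 12 */
	0x6869, 0x2121,                                 /* payload */
};
/* Constructed SNAT target 198.51.100.7:61000. */
static const uint16_t nat_addr[2] = { 0xc633, 0x6407 }, nat_port = 0xee48;

static uint16_t fold(uint32_t s) {
	while (s >> 16) s = (s & 0xffff) + (s >> 16);
	return (uint16_t)s;
}
/* Checksum computed from scratch over n words. */
static uint16_t full_csum(const uint16_t *w, size_t n) {
	uint32_t s = 0;
	while (n--) s += *w++;
	return (uint16_t)~fold(s);
}
/* RFC 1624 diff: add (~old + new) for n words on top of seed. */
static uint32_t csum_diff16(const uint16_t *old, const uint16_t *nw, size_t n, uint32_t seed) {
	while (n--) seed += (uint16_t)~*old++ + (uint32_t)*nw++;
	return seed;
}
/* Fold a diff into a stored checksum: HC' = ~(~HC + diff). */
static uint16_t csum_apply(uint16_t csum, uint32_t diff) {
	return (uint16_t)~fold((uint16_t)~csum + (uint32_t)fold(diff));
}
uint16_t snat_recompute(void) { /* reference: rewrite fields, checksum everything */
	uint16_t w[NWORDS];
	memcpy(w, pkt, sizeof(w));
	w[SADDR] = nat_addr[0]; w[SADDR + 1] = nat_addr[1]; w[SPORT] = nat_port;
	return full_csum(w, NWORDS);
}
uint16_t snat_two_updates(void) { /* address diff, then port rewrite, as two updates */
	uint16_t c = csum_apply(full_csum(pkt, NWORDS), csum_diff16(&pkt[SADDR], nat_addr, 2, 0));
	return csum_apply(c, csum_diff16(&pkt[SPORT], &nat_port, 1, 0));
}
uint16_t snat_one_update(void) { /* address diff seeds the port diff: one update */
	uint32_t d = csum_diff16(&pkt[SPORT], &nat_port, 1, csum_diff16(&pkt[SADDR], nat_addr, 2, 0));
	return csum_apply(full_csum(pkt, NWORDS), d);
}
int main(void) {
	printf("%04x %04x %04x\n", snat_recompute(), snat_two_updates(), snat_one_update());
	return 0;
}
```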
julianwiedmann force-pushed the 1.15-bpf-nat-rewrite-helpers branch from 7d7aeca to 7215a2c (August 16, 2023 08:22)
/test
julianwiedmann changed the title from "1.15 bpf nat rewrite helpers" to "bpf: nat: use common set of rewrite helpers" on Aug 16, 2023
YutaroHayakawa approved these changes on Aug 17, 2023
LGTM with nit.
maintainer-s-little-helper (bot) added a label on Aug 17, 2023:
ready-to-merge: This PR has passed all tests and received consensus from code owners to merge.
github-merge-queue (bot) removed this pull request from the merge queue due to no response for status checks on Aug 17, 2023
We've grown way too many variants of helpers that rewrite the packet
headers for NAT purposes. They all slightly differ in terms of what
input parameters they expect, and what types of ICMP packets they support.
This PR introduces a generic set of flexible helpers to rule them all, and converts over many of the old paths.
There's a few more places to convert, but I believe this is good enough for a first shot. I'll take on the others as a follow-on.