[v1.14] bpf: Fix identity determination in bpf_overlay.c #29606
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
maintainer-s-little-helper
bot
added
backport/1.14
ysksuzuki
force-pushed
the
backport-cidr-geneve
branch
from
9d49537
to
ebed3ee
Compare
|
/test-backport-1.14 |
|
Need #29553 to run BPF complexity tests |
|
There is a verifier complexity issue on kernel 6.1 with my branch. e3367b9 fixed it. (It doesn't occur with v1.14 branch with the same config) |
ysksuzuki
force-pushed
the
backport-cidr-geneve
branch
from
ebed3ee
to
677603d
Compare
|
/ci-verifier |
|
The BPF complexity test is green. It seems that the issue only occurs with kernel 6.1 |
|
/test-backport-1.14 |
julianwiedmann
approved these changes
Dec 6, 2023
8 tasks
|
@ysksuzuki Looks like the commit messages are missing upstream commit references, see https://docs.cilium.io/en/latest/contributing/release/backports/#codecell6 for an example. If you're not using the backporting scripts/tools, you have to add them in by yourself. 🙂 |
ti-mo
changed the title
[ upstream commit 124d6f6 ] CT lookups are typically done in reply direction first, and potentially in forward direction afterwards. tuple->flags is selected accordingly, and then swapped inbetween the two lookups. But with SCOPE_FORWARD we perform just one lookup in the forward direction. Currently the relevant code still expects a "reverse" tuple, and then swaps it into forward layout. Here we can clean things up a bit by having the caller build a "forward" tuple, and feeding that into the CT lookup code. Start by selecting the actual tuple type (TUPLE_F_*) from the start (and while at it also de-dup the existing code for this). We'll deal with swapping the addrs/ports in a subsequent patch. Suggested-by: Maxim Mikityanskiy <maxim@isovalent.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
[ upstream commit 2495587 ] Complete the refactor of the SCOPE_FORWARD path, by doing the needed addr/port swap in the callers. Suggested-by: Maxim Mikityanskiy <maxim@isovalent.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
[ upstream commit d5ee4e7 ] We're still using all variants of the tuple-swap helpers in some parts of the code base. But let's at least re-use the intermediate helpers to compose the bigger ones. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
[ upstream commit 5c39551 ] For a CT lookup, the calling paths currently need to determine a `ct_action` parameter. This is typically ACTION_CREATE (for TCP/UDP/SCTP), or ACTION_UNSPEC for most types of ICMP traffic. But ever since fd5ea2a ("bpf: Don't reset TCP timer on final ACK"), __ct_lookup() will only apply ACTION_CREATE handling to TCP packets with the SYN flag set. Otherwise it has the same effect as ACTION_UNSPEC. Simplify the logic by ignoring the passed-in value, and manually selecting ACTION_CREATE for applicable traffic in the CT lookup helpers (same as we already do for ACTION_CLOSE). A subsequent patch will remove all the unused code that passed the ct_action around. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
[ upstream commit 07c05fe ] __ct_lookup*() now selects this value internally, and the caller's parameter is ignored. Remove all the calling logic that determined the ct_action and plumbed it into the CT lookup. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
[ upstream commit c00d313 ] The DSR Ingress path was initially implemented through a tail-call for program size reasons. But with the recent improvements to the CT handling, we have sufficient program space to run the DSR ingress handling straight from nodeport_lb*(). This reduces duplicated code (eg. extracting the CT tuple and DSR info twice), avoids additional error handling, and simplifies the overall code flow. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
[ upstream commit 895630b ] When DSR with Geneve is enabled, Cilium identity is not determined by the client's IP address and requests from outside cluster are dropped even though they are permitted by CiliumNetworkPolicy using `fromCIDR`. This commit inputs identity that is from the client IP address. Fixes: cilium#29153 Signed-off-by: Tomoki Sugiura <tomoki-sugiura@cybozu.co.jp>
ysksuzuki
force-pushed
the
backport-cidr-geneve
branch
from
677603d
to
7a9de67
Compare
|
/test-backport-1.14 |
|
@ti-mo I have added upstream commit references. PTAL. Thanks! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR is the manual backport of #29155 for v1.14.
When DSR with Geneve is enabled, Cilium identity is not determined by the client's IP address and requests from outside cluster are dropped even though they are permitted by CiliumNetworkPolicy using
fromCIDR.This commit inputs identity that is from the client IP address.
Fixes: #29153
Also, this PR backports the following PRs to reduce the divergence from the main to make it easier to backport later changes.