bpf: split off debug options and do not run it in ci

bpf/bpf_host.c

@@ -110,7 +110,7 @@ ipcache_lookup_srcid6(struct __ctx_buff *ctx)
 
 static __always_inline __u32
 resolve_srcid_ipv6(struct __ctx_buff *ctx, __u32 srcid_from_proxy,
-		   bool from_host)
+		   const bool from_host)
 {
 	__u32 src_id = WORLD_ID, srcid_from_ipcache = srcid_from_proxy;
 	struct remote_endpoint_info *info = NULL;
@@ -323,7 +323,7 @@ ipv6_host_policy_ingress(struct __ctx_buff *ctx, __u32 *srcID)
 #endif /* ENABLE_HOST_FIREWALL */
 
 static __always_inline int
-handle_ipv6(struct __ctx_buff *ctx, __u32 secctx, bool from_host)
+handle_ipv6(struct __ctx_buff *ctx, __u32 secctx, const bool from_host)
 {
 	struct remote_endpoint_info *info = NULL;
 	void *data, *data_end;
@@ -390,15 +390,10 @@ handle_ipv6(struct __ctx_buff *ctx, __u32 secctx, bool from_host)
 		ret = ipv6_host_policy_egress(ctx, secctx);
 	else
 		ret = ipv6_host_policy_ingress(ctx, &remoteID);
-
-	/* Needed to pass 128k complexity limit. Measured on 4.9 verifier:
-	 * 173251 insns before, 148991 after. */
-	relax_verifier();
 	if (IS_ERR(ret))
 		return ret;
 	if (skip_redirect)
 		return CTX_ACT_OK;
-
 	if (!revalidate_data(ctx, &data, &data_end, &ip6))
 		return DROP_INVALID;
 #endif /* ENABLE_HOST_FIREWALL */
@@ -471,19 +466,17 @@ handle_ipv6(struct __ctx_buff *ctx, __u32 secctx, bool from_host)
 }
 
 static __always_inline int
-tail_handle_ipv6(struct __ctx_buff *ctx, bool from_host)
+tail_handle_ipv6(struct __ctx_buff *ctx, const bool from_host)
 {
 	__u32 proxy_identity = ctx_load_meta(ctx, CB_SRC_IDENTITY);
 	int ret;
 
 	ctx_store_meta(ctx, CB_SRC_IDENTITY, 0);
 
 	ret = handle_ipv6(ctx, proxy_identity, from_host);
-	if (IS_ERR(ret)) {
-		relax_verifier();
+	if (IS_ERR(ret))
 		return send_drop_notify_error(ctx, proxy_identity, ret,
 					      CTX_ACT_DROP, METRIC_INGRESS);
-	}
 	return ret;
 }
 
@@ -525,7 +518,7 @@ ipcache_lookup_srcid4(struct __ctx_buff *ctx)
 
 static __always_inline __u32
 resolve_srcid_ipv4(struct __ctx_buff *ctx, __u32 srcid_from_proxy,
-		   bool from_host)
+		   const bool from_host)
 {
 	__u32 src_id = WORLD_ID, srcid_from_ipcache = srcid_from_proxy;
 	struct remote_endpoint_info *info = NULL;
@@ -741,7 +734,7 @@ ipv4_host_policy_ingress(struct __ctx_buff *ctx, __u32 *srcID)
 #endif /* ENABLE_HOST_FIREWALL */
 
 static __always_inline int
-handle_ipv4(struct __ctx_buff *ctx, __u32 secctx, bool from_host)
+handle_ipv4(struct __ctx_buff *ctx, __u32 secctx, const bool from_host)
 {
 	struct remote_endpoint_info *info = NULL;
 	__u32 __maybe_unused remoteID = 0;
@@ -888,19 +881,17 @@ handle_ipv4(struct __ctx_buff *ctx, __u32 secctx, bool from_host)
 }
 
 static __always_inline int
-tail_handle_ipv4(struct __ctx_buff *ctx, bool from_host)
+tail_handle_ipv4(struct __ctx_buff *ctx, const bool from_host)
 {
 	__u32 proxy_identity = ctx_load_meta(ctx, CB_SRC_IDENTITY);
 	int ret;
 
 	ctx_store_meta(ctx, CB_SRC_IDENTITY, 0);
 
 	ret = handle_ipv4(ctx, proxy_identity, from_host);
-	if (IS_ERR(ret)) {
-		relax_verifier();
+	if (IS_ERR(ret))
 		return send_drop_notify_error(ctx, proxy_identity,
 					      ret, CTX_ACT_DROP, METRIC_INGRESS);
-	}
 	return ret;
 }
 
@@ -1075,7 +1066,7 @@ static __always_inline int do_netdev_encrypt(struct __ctx_buff *ctx, __u16 proto
 #endif /* ENABLE_IPSEC */
 
 static __always_inline int
-do_netdev(struct __ctx_buff *ctx, __u16 proto, bool from_host)
+do_netdev(struct __ctx_buff *ctx, __u16 proto, const bool from_host)
 {
 	__u32 __maybe_unused identity = 0;
 	int ret;
@@ -1176,7 +1167,7 @@ do_netdev(struct __ctx_buff *ctx, __u16 proto, bool from_host)
  * Handle netdev traffic coming towards the Cilium-managed network.
  */
 static __always_inline int
-handle_netdev(struct __ctx_buff *ctx, bool from_host)
+handle_netdev(struct __ctx_buff *ctx, const bool from_host)
 {
 	__u16 proto;
 
@@ -1216,18 +1207,6 @@ int to_netdev(struct __ctx_buff *ctx __maybe_unused)
 	__u16 __maybe_unused proto = 0;
 	int ret = CTX_ACT_OK;
 
-#if defined(ENABLE_NODEPORT) && \
-	(!defined(ENABLE_DSR) || \
-	 (defined(ENABLE_DSR) && defined(ENABLE_DSR_HYBRID)))
-	if ((ctx->mark & MARK_MAGIC_SNAT_DONE) != MARK_MAGIC_SNAT_DONE) {
-		ret = nodeport_nat_fwd(ctx, false);
-		if (IS_ERR(ret))
-			return send_drop_notify_error(ctx, 0, ret,
-						      CTX_ACT_DROP,
-						      METRIC_EGRESS);
-	}
-#endif
-
 #ifdef ENABLE_HOST_FIREWALL
 	if (!proto && !validate_ethertype(ctx, &proto)) {
 		ret = DROP_UNSUPPORTED_L2;
@@ -1271,6 +1250,18 @@ int to_netdev(struct __ctx_buff *ctx __maybe_unused)
 	ret = CTX_ACT_OK;
 #endif /* ENABLE_HOST_FIREWALL */
 
+#if defined(ENABLE_NODEPORT) && \
+	(!defined(ENABLE_DSR) || \
+	 (defined(ENABLE_DSR) && defined(ENABLE_DSR_HYBRID)))
+	if ((ctx->mark & MARK_MAGIC_SNAT_DONE) != MARK_MAGIC_SNAT_DONE) {
+		ret = nodeport_nat_fwd(ctx, false);
+		if (IS_ERR(ret))
+			return send_drop_notify_error(ctx, 0, ret,
+						      CTX_ACT_DROP,
+						      METRIC_EGRESS);
+	}
+#endif
+
 	return ret;
 }
 

bpf/bpf_lxc.c

@@ -409,7 +409,6 @@ int tail_handle_ipv6(struct __ctx_buff *ctx)
 	int ret = handle_ipv6(ctx, &dstID);
 
 	if (IS_ERR(ret)) {
-		relax_verifier();
 		return send_drop_notify(ctx, SECLABEL, dstID, 0, ret, CTX_ACT_DROP,
 		                        METRIC_EGRESS);
 	}
@@ -593,10 +592,8 @@ static __always_inline int handle_ipv4_from_lxc(struct __ctx_buff *ctx,
 		if (ct_state.rev_nat_index) {
 			ret = lb4_rev_nat(ctx, l3_off, l4_off, &csum_off,
 					  &ct_state, &tuple, 0);
-			if (IS_ERR(ret)) {
-				relax_verifier();
+			if (IS_ERR(ret))
 				return ret;
-			}
 		}
 		break;
 

bpf/bpf_sock.c

@@ -299,16 +299,14 @@ static __always_inline int __sock4_xlate_fwd(struct bpf_sock_addr *ctx,
 
 		if (backend_id != 0) {
 			backend = __lb4_lookup_backend(backend_id);
-			if (!backend) {
+			if (!backend)
 				/* Backend from the session affinity no longer
 				 * exists, thus select a new one. Also, remove
 				 * the affinity, so that if the svc doesn't have
 				 * any backend, a subsequent request to the svc
 				 * doesn't hit the reselection again.
 				 */
-				lb4_delete_affinity_by_netns(svc, &id);
 				backend_id = 0;
-			}
 		}
 	}
 
@@ -729,10 +727,8 @@ static __always_inline int __sock6_xlate_fwd(struct bpf_sock_addr *ctx,
 
 		if (backend_id != 0) {
 			backend = __lb6_lookup_backend(backend_id);
-			if (!backend) {
-				lb6_delete_affinity_by_netns(svc, &id);
+			if (!backend)
 				backend_id = 0;
-			}
 		}
 	}
 

bpf/include/bpf/api.h

@@ -13,7 +13,6 @@
 #include "section.h"
 #include "helpers.h"
 #include "builtins.h"
-#include "verifier.h"
 #include "tailcall.h"
 #include "errno.h"
 #include "loader.h"

bpf/lib/conntrack.h

@@ -34,11 +34,7 @@ enum {
  * */
 static __always_inline bool conn_is_dns(__u16 dport)
 {
-	if (dport == bpf_htons(53)) {
-		relax_verifier();
-		return true;
-	}
-	return false;
+	return dport == bpf_htons(53);
 }
 
 union tcp_flags {
@@ -389,7 +385,6 @@ static __always_inline int ct_lookup6(const void *map,
 
 	default:
 		/* Can't handle extension headers yet */
-		relax_verifier();
 		return DROP_CT_UNKNOWN_PROTO;
 	}
 
@@ -570,7 +565,6 @@ static __always_inline int ct_lookup4(const void *map,
 
 	default:
 		/* Can't handle extension headers yet */
-		relax_verifier();
 		return DROP_CT_UNKNOWN_PROTO;
 	}
 

bpf/lib/lb.h

@@ -545,27 +545,6 @@ lb6_update_affinity_by_addr(const struct lb6_service *svc,
 {
 	__lb6_update_affinity(svc, false, id, backend_id);
 }
-
-static __always_inline void
-__lb6_delete_affinity(const struct lb6_service *svc, bool netns_cookie,
-		      union lb6_affinity_client_id *id)
-{
-	struct lb6_affinity_key key = {
-		.rev_nat_id	= svc->rev_nat_index,
-		.netns_cookie	= netns_cookie,
-	};
-
-	ipv6_addr_copy(&key.client_id.client_ip, &id->client_ip);
-
-	map_delete_elem(&LB6_AFFINITY_MAP, &key);
-}
-
-static __always_inline void
-lb6_delete_affinity_by_addr(const struct lb6_service *svc,
-			    union lb6_affinity_client_id *id)
-{
-	__lb6_delete_affinity(svc, false, id);
-}
 #endif /* ENABLE_SESSION_AFFINITY */
 
 static __always_inline __u32
@@ -589,15 +568,6 @@ lb6_update_affinity_by_netns(const struct lb6_service *svc __maybe_unused,
 #endif
 }
 
-static __always_inline void
-lb6_delete_affinity_by_netns(const struct lb6_service *svc __maybe_unused,
-			     union lb6_affinity_client_id *id __maybe_unused)
-{
-#if defined(ENABLE_SESSION_AFFINITY)
-	__lb6_delete_affinity(svc, true, id);
-#endif
-}
-
 static __always_inline int lb6_local(const void *map, struct __ctx_buff *ctx,
 				     int l3_off, int l4_off,
 				     struct csum_offset *csum_off,
@@ -631,10 +601,8 @@ static __always_inline int lb6_local(const void *map, struct __ctx_buff *ctx,
 				backend_from_affinity = true;
 
 				backend = lb6_lookup_backend(ctx, backend_id);
-				if (backend == NULL) {
-					lb6_delete_affinity_by_addr(svc, &client_id);
+				if (backend == NULL)
 					backend_id = 0;
-				}
 			}
 		}
 #endif
@@ -702,13 +670,6 @@ static __always_inline int lb6_local(const void *map, struct __ctx_buff *ctx,
 	 * session we are likely to get a TCP RST.
 	 */
 	if (!(backend = lb6_lookup_backend(ctx, state->backend_id))) {
-/* NOTE(brb): Can't enable the removal for newer kernels, as otherwise
- * the verifier hits 1mln insn limit. Hovewer, the removal of the affinity
- * in this case is just an optimization. */
-#if defined(ENABLE_SESSION_AFFINITY) && !defined(HAVE_LARGE_INSN_LIMIT)
-		if (backend_from_affinity)
-			lb6_delete_affinity_by_addr(svc, &client_id);
-#endif
 		key->slave = 0;
 		if (!(svc = lb6_lookup_service(key))) {
 			goto drop_no_service;
@@ -1089,26 +1050,6 @@ lb4_update_affinity_by_addr(const struct lb4_service *svc,
 {
 	__lb4_update_affinity(svc, false, id, backend_id);
 }
-
-static __always_inline void
-__lb4_delete_affinity(const struct lb4_service *svc, bool netns_cookie,
-		      const union lb4_affinity_client_id *id)
-{
-	struct lb4_affinity_key key = {
-		.rev_nat_id	= svc->rev_nat_index,
-		.netns_cookie	= netns_cookie,
-		.client_id	= *id,
-	};
-
-	map_delete_elem(&LB4_AFFINITY_MAP, &key);
-}
-
-static __always_inline void
-lb4_delete_affinity_by_addr(const struct lb4_service *svc,
-			    union lb4_affinity_client_id *id)
-{
-	__lb4_delete_affinity(svc, false, id);
-}
 #endif /* ENABLE_SESSION_AFFINITY */
 
 static __always_inline __u32
@@ -1132,15 +1073,6 @@ lb4_update_affinity_by_netns(const struct lb4_service *svc __maybe_unused,
 #endif
 }
 
-static __always_inline void
-lb4_delete_affinity_by_netns(const struct lb4_service *svc __maybe_unused,
-			     union lb4_affinity_client_id *id __maybe_unused)
-{
-#if defined(ENABLE_SESSION_AFFINITY)
-	__lb4_delete_affinity(svc, true, id);
-#endif
-}
-
 static __always_inline int lb4_local(const void *map, struct __ctx_buff *ctx,
 				     int l3_off, int l4_off,
 				     struct csum_offset *csum_off,
@@ -1173,10 +1105,8 @@ static __always_inline int lb4_local(const void *map, struct __ctx_buff *ctx,
 				backend_from_affinity = true;
 
 				backend = lb4_lookup_backend(ctx, backend_id);
-				if (backend == NULL) {
-					lb4_delete_affinity_by_addr(svc, &client_id);
+				if (backend == NULL)
 					backend_id = 0;
-				}
 			}
 		}
 #endif
@@ -1254,10 +1184,6 @@ static __always_inline int lb4_local(const void *map, struct __ctx_buff *ctx,
 	 * session we are likely to get a TCP RST.
 	 */
 	if (!(backend = lb4_lookup_backend(ctx, state->backend_id))) {
-#ifdef ENABLE_SESSION_AFFINITY
-		if (backend_from_affinity)
-			lb4_delete_affinity_by_addr(svc, &client_id);
-#endif
 		key->slave = 0;
 		if (!(svc = lb4_lookup_service(key))) {
 			goto drop_no_service;