datapath: Support NodePort BPF on L2-less devices #14858

Merged: 5 commits, Mar 5, 2021

@brb brb commented Feb 4, 2021

See commit msgs.

I haven't added IPv6 tests, as I'd need to extend https://github.com/cilium/kube-wireguarder to support it. At this point, it would be a waste of time, as we are planning to add the native Wireguard support in this release cycle. So we can add the tests once #15075 has been resolved.

To fix L2-less with the fast redirect I've opened #15075.

Fix #12317

Add NodePort BPF support to L2-less devices (wireguard, tun, etc)

@brb brb added sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. release-note/major This PR introduces major new functionality to Cilium. sig/loadbalancing labels Feb 4, 2021
@maintainer-s-little-helper maintainer-s-little-helper bot added this to In progress in 1.10.0 Feb 4, 2021
@brb brb force-pushed the pr/brb/no-l2-addr branch 2 times, most recently from c3d8dc4 to 32c5872 Compare February 5, 2021 05:36
brb commented Feb 5, 2021

test-net-next

@joestringer joestringer moved this from In progress to Merged Features in 1.10.0 Feb 12, 2021
@brb brb force-pushed the pr/brb/no-l2-addr branch 3 times, most recently from 2d803c0 to 250a8d7 Compare February 22, 2021 15:54
@joestringer joestringer moved this from Merged Features to Feature candidates in 1.10.0 Feb 22, 2021
@joestringer joestringer moved this from Feature candidates (best effort) to Must have in 1.10.0 Feb 22, 2021
brb commented Feb 22, 2021

test-net-next

brb commented Feb 23, 2021

test-net-next

brb commented Feb 23, 2021

test-net-next

@brb brb force-pushed the pr/brb/no-l2-addr branch 2 times, most recently from 23b7b27 to fc8fc37 Compare February 23, 2021 14:05
@brb brb requested a review from borkmann February 23, 2021 15:02
@brb brb marked this pull request as ready for review February 23, 2021 15:05
@brb brb requested review from a team February 23, 2021 15:05
@brb brb requested a review from a team as a code owner February 23, 2021 15:05
@brb brb requested review from a team and nbusseneau February 23, 2021 15:05
@borkmann borkmann left a comment

modulo the minor bits, lgtm!

@christarazi christarazi left a comment

🎉 Awesome! Just a few comments below

Resolved review threads:
- pkg/datapath/linux/config/config.go
- daemon/cmd/kube_proxy_replacement.go (two threads)
brb added 2 commits March 5, 2021 11:14
This commit extends NodePort BPF by making it possible to run it on
L3 network devices (without L2 addr). One prominent case is the
Wireguard tunnel device (wg0).

The main idea of the change is to make ETH_HLEN configurable via ELF
templating (on L2-less devices we set it to 0 during the load time),
and to craft an L2 hdr when forwarding from L2-less to L2 device.

Signed-off-by: Martynas Pumputis <m@lambda.lt>
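
The two ideas in this commit message, modelled in plain userspace C as an added example (not code from the PR or from Cilium's BPF datapath): the L3 offset is a parameter instead of a fixed 14, and an Ethernet header is crafted when a packet from an L2-less device is forwarded to an L2 device. The function names, MAC addresses and sample packet are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define L2_HLEN 14 /* Ethernet: dst MAC, src MAC, EtherType */

/* IP version (4 or 6) of the header at offset eth_hlen, or -1 if the buffer
 * is too short or the nibble is not IP. eth_hlen models the templated
 * ETH_HLEN: 14 on Ethernet devices, 0 on L2-less ones such as wg0. */
static int l3_version(const uint8_t *pkt, size_t len, size_t eth_hlen)
{
    if (len <= eth_hlen)
        return -1;
    int v = pkt[eth_hlen] >> 4;
    if (v == 4 && len - eth_hlen >= 20)
        return 4;
    if (v == 6 && len - eth_hlen >= 40)
        return 6;
    return -1;
}

/* L2-less -> L2 forwarding: write a crafted Ethernet header followed by the
 * raw L3 packet into out[]. Returns the frame length, or 0 on error. */
static size_t push_l2_hdr(const uint8_t *l3, size_t l3_len,
                          const uint8_t dmac[6], const uint8_t smac[6],
                          uint8_t *out, size_t out_cap)
{
    int v = l3_version(l3, l3_len, 0); /* source device has no L2 header */
    if (v < 0 || out_cap < L2_HLEN || out_cap - L2_HLEN < l3_len)
        return 0;
    uint16_t proto = (v == 4) ? 0x0800 : 0x86DD; /* EtherType IPv4 / IPv6 */
    memcpy(out, dmac, 6);
    memcpy(out + 6, smac, 6);
    out[12] = (uint8_t)(proto >> 8);
    out[13] = (uint8_t)(proto & 0xff);
    memcpy(out + L2_HLEN, l3, l3_len);
    return l3_len + L2_HLEN;
}

int main(void)
{
    /* Constructed sample: bare 20-byte IPv4 header and made-up MACs. */
    uint8_t ip[20] = { 0x45 }, frame[64];
    const uint8_t dmac[6] = { 0x02, 0, 0, 0, 0, 0x01 };
    const uint8_t smac[6] = { 0x02, 0, 0, 0, 0, 0x02 };
    size_t n = push_l2_hdr(ip, sizeof(ip), dmac, smac, frame, sizeof(frame));
    return (n == 34 && l3_version(frame, n, L2_HLEN) == 4) ? 0 : 1;
}
```

Parsing with the wrong header length fails in both directions: a raw L3 packet read at offset 14, or an Ethernet frame read at offset 0, is rejected rather than misread.
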
The previous commit added support for L2-less devices.

Signed-off-by: Martynas Pumputis <m@lambda.lt>
brb added 2 commits March 5, 2021 11:30
Fix a bug when NodePort BPF is disabled after the device
detection, and BPF host routing is kept enabled.

Fixes: 7e0cb33 ("bpf: do not enable host routing when kpr is disabled")
Signed-off-by: Martynas Pumputis <m@lambda.lt>
This should eliminate a datapath perf penalty introduced by the L2-less
changes when running on systems on which all involved devices have L2
addrs.

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Until #15075 has been resolved.

Signed-off-by: Martynas Pumputis <m@lambda.lt>
brb commented Mar 5, 2021

test-me-please

@brb brb requested review from borkmann and christarazi March 5, 2021 12:11
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Mar 5, 2021
@nbusseneau nbusseneau removed their assignment Mar 5, 2021
@borkmann borkmann merged commit db2ad2a into master Mar 5, 2021
1.10.0 automation moved this from Must have to Done Mar 5, 2021
@borkmann borkmann deleted the pr/brb/no-l2-addr branch March 5, 2021 22:54
@pchaigno pchaigno left a comment

A couple of comments which will require follow-ups, if I didn't miss something.

Resolved review threads:
- bpf/lib/nodeport.h
- daemon/cmd/kube_proxy_replacement.go
brb added a commit that referenced this pull request Mar 15, 2021
The PR "datapath: Support NodePort BPF on L2-less devices" [1] has
increased the complexity of bpf_host and bpf_lxc by introducing
support for ETH_HLEN=0.

Extend the base options by adding ETH_HLEN=0 to stress test the verifier
complexity.

[1]: #14858

Suggested-by: Paul Chaignon <paul@cilium.io>
Signed-off-by: Martynas Pumputis <m@lambda.lt>
brb added a commit that referenced this pull request Apr 2, 2021
The PR "datapath: Support NodePort BPF on L2-less devices" [1] has
increased the complexity of bpf_host and bpf_lxc by introducing
support for ETH_HLEN=0.

Extend the base options by adding ETH_HLEN=0 to stress test the verifier
complexity when running on net-next (ETH_HLEN=0 depends on the
skb_change_head helper which was introduced in 5.8).

[1]: #14858

Suggested-by: Paul Chaignon <paul@cilium.io>
Signed-off-by: Martynas Pumputis <m@lambda.lt>
Successfully merging this pull request may close these issues.

NodePort fails when using IP attached to interface without HW address