Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bpf: Derive host netns cookie via SO_NETNS_COOKIE #17018

Merged
merged 1 commit into from
Aug 3, 2021
Merged

bpf: Derive host netns cookie via SO_NETNS_COOKIE #17018

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
6 changes: 5 additions & 1 deletion bpf/bpf_sock.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,10 @@
#define SYS_REJECT 0
#define SYS_PROCEED 1

#ifndef HOST_NETNS_COOKIE
# define HOST_NETNS_COOKIE get_netns_cookie(NULL)
#endif

static __always_inline __maybe_unused bool is_v4_loopback(__be32 daddr)
{
/* Check for 127.0.0.0/8 range, RFC3330. */
Expand Down Expand Up @@ -87,7 +91,7 @@ ctx_in_hostns(void *ctx __maybe_unused, __net_cookie *cookie)

if (cookie)
*cookie = own_cookie;
return own_cookie == get_netns_cookie(NULL);
return own_cookie == HOST_NETNS_COOKIE;
#else
if (cookie)
*cookie = 0;
Expand Down
13 changes: 13 additions & 0 deletions pkg/datapath/linux/config/config.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,7 @@ import (
"github.com/cilium/cilium/pkg/maps/signalmap"
"github.com/cilium/cilium/pkg/maps/sockmap"
"github.com/cilium/cilium/pkg/maps/tunnel"
"github.com/cilium/cilium/pkg/netns"
"github.com/cilium/cilium/pkg/node"
"github.com/cilium/cilium/pkg/option"

Expand Down Expand Up @@ -253,6 +254,18 @@ func (h *HeaderfileWriter) WriteNodeConfig(w io.Writer, cfg *datapath.LocalNodeC
if option.Config.EnableHostServicesPeer {
cDefinesMap["ENABLE_HOST_SERVICES_PEER"] = "1"
}
if cookie, err := netns.GetNetNSCookie(); err == nil {
// When running in nested environments (e.g. Kind), cilium-agent does
// not run in the host netns. So, in such cases the cookie comparison
// based on bpf_get_netns_cookie(NULL) for checking whether a socket
// belongs to a host netns does not work.
//
// To fix this, we derive the cookie of the netns in which cilium-agent
// runs via getsockopt(...SO_NETNS_COOKIE...) and then use it in the
// check above. This is based on an assumption that cilium-agent
// always runs with "hostNetwork: true".
cDefinesMap["HOST_NETNS_COOKIE"] = fmt.Sprintf("%d", cookie)
}
}

if option.Config.EnableNodePort {
Expand Down
22 changes: 22 additions & 0 deletions pkg/netns/cookie.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
package netns

import (
"golang.org/x/sys/unix"
)

const SO_NETNS_COOKIE = 71

// GetNetNSCookie tries to retrieve the cookie of the host netns.
func GetNetNSCookie() (uint64, error) {
s, err := unix.Socket(unix.AF_INET, unix.SOCK_STREAM, 0)
if err != nil {
return 0, err
}

cookie, err := unix.GetsockoptUint64(s, unix.SOL_SOCKET, SO_NETNS_COOKIE)
if err != nil {
return 0, err
}

return cookie, nil
}