-
Notifications
You must be signed in to change notification settings - Fork 2.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
bpf: Additional tail calls for IPvX-only setups #17573
bpf: Additional tail calls for IPvX-only setups #17573
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM.
I think OR-ing ENABLE_IPV4
and ENABLE_IPV6
is a good idea even if it will always be true to maintain the structure of the original code in case we want to revisit this.
For some additional context, we have done something similar in 1.8 only: #16965. Should we be proactive and backport this to 1.9 and 1.10?
I agree. I'll backport the test first. If it fails in v1.9/1.10, then we know we need to backport and mark as a bugfix in release notes. If it doesn't fail, then I'll backport anyway but it's not a bugfix in release notes. I've set a reminder to not forget. |
When both IPv4 and IPv6 are enabled, we split the to/from-container BPF programs into two code paths, one for each IP family, to reduce program size and complexity. Because our existing K8sVerifier test only covers the IPv4+IPv6 configuration, new complexity and program size issues sneaked in for the IPvX-only setups. These new issues occur when to/from-container contain both the initial IP parsing code and the IPv4 (resp. IPv6---we have one issue per family) code path. Splitting these programs such that they only contain the initial IP parsing code is enough to fix these issues. Signed-off-by: Paul Chaignon <paul@cilium.io>
0448385
to
eee61b9
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changes look good
Job 'Cilium-PR-K8s-GKE' failed and has not been observed before, so may be related to your PR: Click to show.Test Name
Failure Output
If it is a flake, comment |
When both IPv4 and IPv6 are enabled, we split the
{to/from}-container
BPF programs into two code paths, one for each IP family, to reduce program size and complexity. Because our existing K8sVerifier test only covers the IPv4+IPv6 configuration, new complexity and program size issues sneaked in for the IPvX-only setups.These new issues occur when
{to/from}-container
contain both the initial IP parsing code and the IPv4 (resp. IPv6---we have one issue per family) code path. Splitting these programs such that they only contain the initial IP parsing code is enough to fix these issues.These complexity and program issues were found by ongoing work at #17470. That same PR was also used to validate the fix.
Fixes: #17486.
Fixes: #17490.
Fixes: #17491.