bpf: avoid encrypt_key map lookup if IPsec is disabled #17840

Merged
merged 2 commits into from
Nov 12, 2021
12 changes: 6 additions & 6 deletions bpf/bpf_lxc.c
Expand Up @@ -98,9 +98,9 @@ static __always_inline int ipv6_l3_from_lxc(struct __ctx_buff *ctx,
struct ct_state ct_state_new = {};
struct ct_state ct_state = {};
void *data, *data_end;
union v6addr *daddr, orig_dip;
__u32 tunnel_endpoint = 0;
__u8 encrypt_key = 0;
union v6addr *daddr __maybe_unused, orig_dip;
__u32 __maybe_unused tunnel_endpoint = 0;
__u8 __maybe_unused encrypt_key = 0;
__u32 monitor = 0;
__u8 reason;
bool hairpin_flow = false; /* endpoint wants to access itself via service IP */
Expand Down Expand Up @@ -522,8 +522,8 @@ static __always_inline int handle_ipv4_from_lxc(struct __ctx_buff *ctx,
struct ct_state ct_state_new = {};
struct ct_state ct_state = {};
__be32 orig_dip;
__u32 tunnel_endpoint = 0;
__u8 encrypt_key = 0;
__u32 __maybe_unused tunnel_endpoint = 0;
__u8 __maybe_unused encrypt_key = 0;
__u32 monitor = 0;
__u8 reason;
bool hairpin_flow = false; /* endpoint wants to access itself via service IP */
Expand Down Expand Up @@ -843,7 +843,7 @@ static __always_inline int handle_ipv4_from_lxc(struct __ctx_buff *ctx,
key.family = ENDPOINT_KEY_IPV4;

ret = encap_and_redirect_lxc(ctx, tunnel_endpoint, encrypt_key,
&key, SECLABEL, monitor);
&key, SECLABEL, monitor);
if (ret == DROP_NO_TUNNEL_ENDPOINT)
goto pass_to_stack;
/* If not redirected noteably due to IPSEC then pass up to stack
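Review bot: The attribute placement in `ipv6_l3_from_lxc()` is easy to misread: in `union v6addr *daddr __maybe_unused, orig_dip;` the trailing attribute binds only to `daddr`, while the neighbouring lines put it before the declarator (`__u32 __maybe_unused tunnel_endpoint = 0;`). Splitting the declaration into `union v6addr *daddr __maybe_unused;` and `union v6addr orig_dip;` would make it obvious which variable is allowed to go unused, and would match the one-declarator-per-line form used for `tunnel_endpoint` and `encrypt_key` here and in `handle_ipv4_from_lxc()`. Both function bodies start and end outside the visible hunks, so which `#ifdef` paths still read these variables cannot be checked from this page.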
17 changes: 8 additions & 9 deletions bpf/lib/l3.h
Expand Up @@ -154,21 +154,17 @@ static __always_inline int ipv4_local_delivery(struct __ctx_buff *ctx, int l3_of
}
#endif /* SKIP_POLICY_MAP */

static __always_inline __u8 get_encrypt_key(void)
static __always_inline __u8 get_min_encrypt_key(__u8 peer_key __maybe_unused)
{
#ifdef ENABLE_IPSEC
__u8 local_key = 0;
__u32 encrypt_key = 0;
struct encrypt_config *cfg;

cfg = map_lookup_elem(&ENCRYPT_MAP, &encrypt_key);
/* Having no key info for a context is the same as no encryption */
if (!cfg)
return 0;
return cfg->encrypt_key;
}

static __always_inline __u8 get_min_encrypt_key(__u8 peer_key)
{
__u8 local_key = get_encrypt_key();
if (cfg)
local_key = cfg->encrypt_key;

/* If both ends can encrypt/decrypt use smaller of the two this
* way both ends will have keys installed assuming key IDs are
Expand All @@ -183,6 +179,9 @@ static __always_inline __u8 get_min_encrypt_key(__u8 peer_key)
if (local_key == MAX_KEY_INDEX)
return peer_key == 1 ? local_key : peer_key;
return local_key < peer_key ? local_key : peer_key;
#else
return 0;
#endif /* ENABLE_IPSEC */
}

#endif
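Review bot: The merged `get_min_encrypt_key()` has no header comment saying that a return value of 0 means the packet is sent unencrypted, and it now reaches that result in two different ways. With `ENABLE_IPSEC` undefined it returns 0 unconditionally; with it defined, a failed `map_lookup_elem(&ENCRYPT_MAP, ...)` leaves `local_key` at 0 and falls through to the comparison, which appears to yield 0 via `return local_key < peer_key ? local_key : peer_key;` (the lines between the comment and the `MAX_KEY_INDEX` check are collapsed here, so this is inferred). I would add above the function something like `/* Returns the key index to use with the peer; 0 means no encryption (IPsec compiled out or no local key config in ENCRYPT_MAP). */`. That makes the cleartext fallback on a missing map entry an explicit, reviewable decision, which matters if an operator expects traffic to be dropped rather than sent in the clear when key configuration is absent.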