bpf: Refactoring egress gateway datapath #17868
Merged
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,56 @@ | ||
/* SPDX-License-Identifier: GPL-2.0 */ | ||
/* Copyright (C) 2021 Authors of Cilium */ | ||
|
||
#ifndef __LIB_EGRESS_POLICIES_H_ | ||
#define __LIB_EGRESS_POLICIES_H_ | ||
|
||
#ifdef ENABLE_EGRESS_GATEWAY | ||
/* is_cluster_destination returns true if the given destination is part of the | ||
* cluster. It uses the ipcache and endpoint maps information. | ||
*/ | ||
static __always_inline bool | ||
is_cluster_destination(struct iphdr *ip4, __u32 dst_id, __u32 tunnel_endpoint) | ||
{ | ||
/* If tunnel endpoint is found in ipcache, it means the remote endpoint | ||
* is in cluster. | ||
*/ | ||
if (tunnel_endpoint != 0) | ||
return true; | ||
|
||
/* If the destination is a Cilium-managed node (remote or local), it's | ||
* part of the cluster. | ||
*/ | ||
if (dst_id == REMOTE_NODE_ID || dst_id == HOST_ID) | ||
return true; | ||
|
||
/* Use the endpoint map to know if the destination is a local endpoint. | ||
*/ | ||
if (lookup_ip4_endpoint(ip4)) | ||
return true; | ||
|
||
/* Everything else is outside the cluster. */ | ||
return false; | ||
} | ||
|
||
/* EGRESS_STATIC_PREFIX gets sizeof non-IP, non-prefix part of egress_key */ | ||
# define EGRESS_STATIC_PREFIX \ | ||
(8 * (sizeof(struct egress_key) - sizeof(struct bpf_lpm_trie_key) \ | ||
- 4)) | ||
# define EGRESS_PREFIX_LEN(PREFIX) (EGRESS_STATIC_PREFIX + (PREFIX)) | ||
# define EGRESS_IPV4_PREFIX EGRESS_PREFIX_LEN(32) | ||
|
||
static __always_inline __maybe_unused struct egress_info * | ||
egress_lookup4(const void *map, __be32 sip, __be32 dip) | ||
{ | ||
struct egress_key key = { | ||
.lpm_key = { EGRESS_IPV4_PREFIX, {} }, | ||
.sip = sip, | ||
.dip = dip, | ||
}; | ||
return map_lookup_elem(map, &key); | ||
} | ||
|
||
# define lookup_ip4_egress_endpoint(sip, dip) \ | ||
egress_lookup4(&EGRESS_MAP, sip, dip) | ||
#endif /* ENABLE_EGRESS_GATEWAY */ | ||
#endif /* __LIB_EGRESS_POLICIES_H_ */ |
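Review bot: in EGRESS_STATIC_PREFIX the trailing `- 4` is a magic number, and the comment above it says "sizeof" although the macro multiplies by 8 and therefore yields a length in bits, not bytes. Suggest spelling the subtraction as the size of the field it stands for (for example `sizeof(__be32)`, if it is meant to be the prefix-matched `dip`; that is an assumption, since struct egress_key is defined outside this hunk) and rewording the comment to say it is the bit length of the fixed part of the key that precedes the prefix-matched address. Separately, egress_lookup4 has no doc comment, unlike is_cluster_destination; one line stating that it always looks up with the full EGRESS_IPV4_PREFIX (a /32 on the address) would make the LPM behaviour clear to callers of lookup_ip4_egress_endpoint. The header also has no `#include` lines while using REMOTE_NODE_ID, HOST_ID, lookup_ip4_endpoint and EGRESS_MAP, so it depends on include order in whatever file pulls it in; consider including what it uses or noting the requirement at the top.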
nit: are there any policies that are not egress gw policies, that could be characterized as egress policies?
SRv6 egress policies are coming 😃