Extend ipcache key with ClusterID

bpf/bpf_host.c

@@ -123,7 +123,7 @@ ipcache_lookup_srcid6(struct __ctx_buff *ctx)
 	if (!revalidate_data(ctx, &data, &data_end, &ip6))
 		return DROP_INVALID;
 
-	info = lookup_ip6_remote_endpoint((union v6addr *) &ip6->saddr);
+	info = lookup_ip6_remote_endpoint((union v6addr *)&ip6->saddr, 0);
 	if (info != NULL)
 		srcid = info->sec_label;
 	cilium_dbg(ctx, info ? DBG_IP_ID_MAP_SUCCEED6 : DBG_IP_ID_MAP_FAILED6,
@@ -159,7 +159,7 @@ resolve_srcid_ipv6(struct __ctx_buff *ctx, __u32 srcid_from_proxy,
 	/* Packets from the proxy will already have a real identity. */
 	if (identity_is_reserved(srcid_from_ipcache)) {
 		src = (union v6addr *) &ip6->saddr;
-		info = lookup_ip6_remote_endpoint(src);
+		info = lookup_ip6_remote_endpoint(src, 0);
 		if (info != NULL && info->sec_label)
 			srcid_from_ipcache = info->sec_label;
 		cilium_dbg(ctx, info ? DBG_IP_ID_MAP_SUCCEED6 : DBG_IP_ID_MAP_FAILED6,
@@ -293,7 +293,7 @@ handle_ipv6(struct __ctx_buff *ctx, __u32 secctx, const bool from_host,
 
 #ifdef TUNNEL_MODE
 	dst = (union v6addr *) &ip6->daddr;
-	info = ipcache_lookup6(&IPCACHE_MAP, dst, V6_CACHE_KEY_LEN);
+	info = ipcache_lookup6(&IPCACHE_MAP, dst, V6_CACHE_KEY_LEN, 0);
 	if (info != NULL && info->tunnel_endpoint != 0) {
 		/* If IPSEC is needed recirc through ingress to use xfrm stack
 		 * and then result will routed back through bpf_netdev on egress
@@ -320,7 +320,7 @@ handle_ipv6(struct __ctx_buff *ctx, __u32 secctx, const bool from_host,
 #endif
 
 	dst = (union v6addr *) &ip6->daddr;
-	info = ipcache_lookup6(&IPCACHE_MAP, dst, V6_CACHE_KEY_LEN);
+	info = ipcache_lookup6(&IPCACHE_MAP, dst, V6_CACHE_KEY_LEN, 0);
 	if (info == NULL || info->sec_label == WORLD_ID) {
 		/* See IPv4 comment. */
 		return DROP_UNROUTABLE;
@@ -422,7 +422,7 @@ resolve_srcid_ipv4(struct __ctx_buff *ctx, __u32 srcid_from_proxy,
 
 	/* Packets from the proxy will already have a real identity. */
 	if (identity_is_reserved(srcid_from_ipcache)) {
-		info = lookup_ip4_remote_endpoint(ip4->saddr);
+		info = lookup_ip4_remote_endpoint(ip4->saddr, 0);
 		if (info != NULL) {
 			*sec_label = info->sec_label;
 
@@ -595,7 +595,7 @@ handle_ipv4(struct __ctx_buff *ctx, __u32 secctx,
 #endif
 
 #ifdef TUNNEL_MODE
-	info = ipcache_lookup4(&IPCACHE_MAP, ip4->daddr, V4_CACHE_KEY_LEN);
+	info = ipcache_lookup4(&IPCACHE_MAP, ip4->daddr, V4_CACHE_KEY_LEN, 0);
 	if (info != NULL && info->tunnel_endpoint != 0) {
 		return encap_and_redirect_with_nodeid(ctx, info->tunnel_endpoint,
 						      info->key, secctx, info->sec_label,
@@ -614,7 +614,7 @@ handle_ipv4(struct __ctx_buff *ctx, __u32 secctx,
 	}
 #endif
 
-	info = ipcache_lookup4(&IPCACHE_MAP, ip4->daddr, V4_CACHE_KEY_LEN);
+	info = ipcache_lookup4(&IPCACHE_MAP, ip4->daddr, V4_CACHE_KEY_LEN, 0);
 	if (info == NULL || info->sec_label == WORLD_ID) {
 		/* We have received a packet for which no ipcache entry exists,
 		 * we do not know what to do with this packet, drop it.
@@ -968,7 +968,7 @@ handle_srv6(struct __ctx_buff *ctx)
 			return DROP_MISSED_TAIL_CALL;
 		}
 
-		ep = lookup_ip6_remote_endpoint((union v6addr *)&ip6->daddr);
+		ep = lookup_ip6_remote_endpoint((union v6addr *)&ip6->daddr, 0);
 		if (ep) {
 			dst_id = ep->sec_label;
 		} else {
@@ -1001,7 +1001,7 @@ handle_srv6(struct __ctx_buff *ctx)
 			return DROP_MISSED_TAIL_CALL;
 		}
 
-		ep = lookup_ip4_remote_endpoint(ip4->daddr);
+		ep = lookup_ip4_remote_endpoint(ip4->daddr, 0);
 		if (ep) {
 			dst_id = ep->sec_label;
 		} else {

bpf/bpf_lxc.c

@@ -236,7 +236,7 @@ static __always_inline int handle_ipv6_from_lxc(struct __ctx_buff *ctx, __u32 *d
 		const union v6addr *daddr = (union v6addr *)&ip6->daddr;
 		struct remote_endpoint_info *info;
 
-		info = lookup_ip6_remote_endpoint(daddr);
+		info = lookup_ip6_remote_endpoint(daddr, 0);
 		if (info && info->sec_label) {
 			*dst_id = info->sec_label;
 			tunnel_endpoint = info->tunnel_endpoint;
@@ -760,7 +760,7 @@ static __always_inline int handle_ipv4_from_lxc(struct __ctx_buff *ctx, __u32 *d
 	if (1) {
 		struct remote_endpoint_info *info;
 
-		info = lookup_ip4_remote_endpoint(ip4->daddr);
+		info = lookup_ip4_remote_endpoint(ip4->daddr, 0);
 		if (info && info->sec_label) {
 			*dst_id = info->sec_label;
 			tunnel_endpoint = info->tunnel_endpoint;
@@ -1602,7 +1602,7 @@ int tail_ipv6_to_endpoint(struct __ctx_buff *ctx)
 		union v6addr *src = (union v6addr *)&ip6->saddr;
 		struct remote_endpoint_info *info;
 
-		info = lookup_ip6_remote_endpoint(src);
+		info = lookup_ip6_remote_endpoint(src, 0);
 		if (info != NULL) {
 			__u32 sec_label = info->sec_label;
 
@@ -1942,7 +1942,7 @@ int tail_ipv4_to_endpoint(struct __ctx_buff *ctx)
 	if (identity_is_reserved(src_identity)) {
 		struct remote_endpoint_info *info;
 
-		info = lookup_ip4_remote_endpoint(ip4->saddr);
+		info = lookup_ip4_remote_endpoint(ip4->saddr, 0);
 		if (info != NULL) {
 			__u32 sec_label = info->sec_label;
 

bpf/bpf_overlay.c

@@ -97,7 +97,7 @@ static __always_inline int handle_ipv6(struct __ctx_buff *ctx,
 			 */
 			info = ipcache_lookup6(&IPCACHE_MAP,
 					       (union v6addr *)&ip6->saddr,
-					       V6_CACHE_KEY_LEN);
+					       V6_CACHE_KEY_LEN, 0);
 			if (info)
 				*identity = info->sec_label;
 		}
@@ -257,7 +257,7 @@ static __always_inline int handle_ipv4(struct __ctx_buff *ctx, __u32 *identity)
 			struct remote_endpoint_info *info;
 
 			info = ipcache_lookup4(&IPCACHE_MAP, ip4->saddr,
-					       V4_CACHE_KEY_LEN);
+					       V4_CACHE_KEY_LEN, 0);
 			if (info)
 				*identity = info->sec_label;
 		}

bpf/bpf_sock.c

@@ -165,7 +165,7 @@ sock4_skip_xlate(struct lb4_service *svc, __be32 address)
 		struct remote_endpoint_info *info;
 
 		info = ipcache_lookup4(&IPCACHE_MAP, address,
-				       V4_CACHE_KEY_LEN);
+				       V4_CACHE_KEY_LEN, 0);
 		if (info == NULL || info->sec_label != HOST_ID)
 			return true;
 	}
@@ -195,7 +195,7 @@ sock4_wildcard_lookup(struct lb4_key *key __maybe_unused,
 	if (in_hostns && is_v4_loopback(key->address))
 		goto wildcard_lookup;
 
-	info = ipcache_lookup4(&IPCACHE_MAP, key->address, V4_CACHE_KEY_LEN);
+	info = ipcache_lookup4(&IPCACHE_MAP, key->address, V4_CACHE_KEY_LEN, 0);
 	if (info != NULL && (info->sec_label == HOST_ID ||
 	    (include_remote_hosts && identity_is_remote_node(info->sec_label))))
 		goto wildcard_lookup;
@@ -718,7 +718,7 @@ sock6_skip_xlate(struct lb6_service *svc, const union v6addr *address)
 		struct remote_endpoint_info *info;
 
 		info = ipcache_lookup6(&IPCACHE_MAP, address,
-				       V6_CACHE_KEY_LEN);
+				       V6_CACHE_KEY_LEN, 0);
 		if (info == NULL || info->sec_label != HOST_ID)
 			return true;
 	}
@@ -748,7 +748,7 @@ sock6_wildcard_lookup(struct lb6_key *key __maybe_unused,
 	if (in_hostns && is_v6_loopback(&key->address))
 		goto wildcard_lookup;
 
-	info = ipcache_lookup6(&IPCACHE_MAP, &key->address, V6_CACHE_KEY_LEN);
+	info = ipcache_lookup6(&IPCACHE_MAP, &key->address, V6_CACHE_KEY_LEN, 0);
 	if (info != NULL && (info->sec_label == HOST_ID ||
 	    (include_remote_hosts && identity_is_remote_node(info->sec_label))))
 		goto wildcard_lookup;

bpf/lib/egress_policies.h

@@ -75,7 +75,7 @@ bool egress_gw_reply_needs_redirect(struct iphdr *ip4, __u32 *tunnel_endpoint,
 	if (!egress_policy)
 		return false;
 
-	info = ipcache_lookup4(&IPCACHE_MAP, ip4->daddr, V4_CACHE_KEY_LEN);
+	info = ipcache_lookup4(&IPCACHE_MAP, ip4->daddr, V4_CACHE_KEY_LEN, 0);
 	if (!info || info->tunnel_endpoint == 0)
 		return false;
 

bpf/lib/eps.h

@@ -66,12 +66,13 @@ lookup_ip4_endpoint_policy_map(__u32 ip)
 
 static __always_inline __maybe_unused struct remote_endpoint_info *
 ipcache_lookup6(const void *map, const union v6addr *addr,
-		__u32 prefix)
+		__u32 prefix, __u8 cluster_id)
 {
 	struct ipcache_key key = {
 		.lpm_key = { IPCACHE_PREFIX_LEN(prefix), {} },
 		.family = ENDPOINT_KEY_IPV6,
 		.ip6 = *addr,
+		.cluster_id = cluster_id,
 	};
 	ipv6_addr_clear_suffix(&key.ip6, prefix);
 	return map_lookup_elem(map, &key);
@@ -80,12 +81,13 @@ ipcache_lookup6(const void *map, const union v6addr *addr,
 #define V4_CACHE_KEY_LEN (sizeof(__u32)*8)
 
 static __always_inline __maybe_unused struct remote_endpoint_info *
-ipcache_lookup4(const void *map, __be32 addr, __u32 prefix)
+ipcache_lookup4(const void *map, __be32 addr, __u32 prefix, __u8 cluster_id)
 {
 	struct ipcache_key key = {
 		.lpm_key = { IPCACHE_PREFIX_LEN(prefix), {} },
 		.family = ENDPOINT_KEY_IPV4,
 		.ip4 = addr,
+		.cluster_id = cluster_id,
 	};
 	key.ip4 &= GET_PREFIX(prefix);
 	return map_lookup_elem(map, &key);
@@ -99,7 +101,7 @@ ipcache_lookup4(const void *map, __be32 addr, __u32 prefix)
  */
 #define LPM_LOOKUP_FN(NAME, IPTYPE, PREFIXES, MAP, LOOKUP_FN)		\
 static __always_inline __maybe_unused struct remote_endpoint_info *	\
-NAME(IPTYPE addr)							\
+NAME(IPTYPE addr, __u8 cluster_id)							\
 {									\
 	int prefixes[] = { PREFIXES };					\
 	const int size = ARRAY_SIZE(prefixes);				\
@@ -108,7 +110,7 @@ NAME(IPTYPE addr)							\
 									\
 _Pragma("unroll")							\
 	for (i = 0; i < size; i++) {					\
-		info = LOOKUP_FN(&MAP, addr, prefixes[i]);		\
+		info = LOOKUP_FN(&MAP, addr, prefixes[i], cluster_id);	\
 		if (info != NULL)					\
 			return info;					\
 	}								\
@@ -125,9 +127,9 @@ LPM_LOOKUP_FN(lookup_ip4_remote_endpoint, __be32, IPCACHE4_PREFIXES,
 #endif
 #undef LPM_LOOKUP_FN
 #else /* HAVE_LPM_TRIE_MAP_TYPE */
-#define lookup_ip6_remote_endpoint(addr) \
-	ipcache_lookup6(&IPCACHE_MAP, addr, V6_CACHE_KEY_LEN)
-#define lookup_ip4_remote_endpoint(addr) \
-	ipcache_lookup4(&IPCACHE_MAP, addr, V4_CACHE_KEY_LEN)
+#define lookup_ip6_remote_endpoint(addr, cluster_id) \
+	ipcache_lookup6(&IPCACHE_MAP, addr, V6_CACHE_KEY_LEN, cluster_id)
+#define lookup_ip4_remote_endpoint(addr, cluster_id) \
+	ipcache_lookup4(&IPCACHE_MAP, addr, V4_CACHE_KEY_LEN, cluster_id)
 #endif /* HAVE_LPM_TRIE_MAP_TYPE */
 #endif /* __LIB_EPS_H_ */

bpf/lib/host_firewall.h

@@ -54,7 +54,7 @@ ipv6_host_policy_egress(struct __ctx_buff *ctx, __u32 src_id,
 	trace->reason = (enum trace_reason)ret;
 
 	/* Retrieve destination identity. */
-	info = lookup_ip6_remote_endpoint(&orig_dip);
+	info = lookup_ip6_remote_endpoint(&orig_dip, 0);
 	if (info && info->sec_label)
 		dst_id = info->sec_label;
 	cilium_dbg(ctx, info ? DBG_IP_ID_MAP_SUCCEED6 : DBG_IP_ID_MAP_FAILED6,
@@ -110,7 +110,7 @@ ipv6_host_policy_ingress(struct __ctx_buff *ctx, __u32 *src_id,
 
 	/* Retrieve destination identity. */
 	ipv6_addr_copy(&tuple.daddr, (union v6addr *)&ip6->daddr);
-	info = lookup_ip6_remote_endpoint(&tuple.daddr);
+	info = lookup_ip6_remote_endpoint(&tuple.daddr, 0);
 	if (info && info->sec_label)
 		dst_id = info->sec_label;
 	cilium_dbg(ctx, info ? DBG_IP_ID_MAP_SUCCEED6 : DBG_IP_ID_MAP_FAILED6,
@@ -136,7 +136,7 @@ ipv6_host_policy_ingress(struct __ctx_buff *ctx, __u32 *src_id,
 	trace->reason = (enum trace_reason)ret;
 
 	/* Retrieve source identity. */
-	info = lookup_ip6_remote_endpoint(&orig_sip);
+	info = lookup_ip6_remote_endpoint(&orig_sip, 0);
 	if (info && info->sec_label)
 		*src_id = info->sec_label;
 	cilium_dbg(ctx, info ? DBG_IP_ID_MAP_SUCCEED6 : DBG_IP_ID_MAP_FAILED6,
@@ -272,7 +272,7 @@ ipv4_host_policy_egress(struct __ctx_buff *ctx, __u32 src_id,
 	trace->reason = (enum trace_reason)ret;
 
 	/* Retrieve destination identity. */
-	info = lookup_ip4_remote_endpoint(ip4->daddr);
+	info = lookup_ip4_remote_endpoint(ip4->daddr, 0);
 	if (info && info->sec_label)
 		dst_id = info->sec_label;
 	cilium_dbg(ctx, info ? DBG_IP_ID_MAP_SUCCEED4 : DBG_IP_ID_MAP_FAILED4,
@@ -327,7 +327,7 @@ ipv4_host_policy_ingress(struct __ctx_buff *ctx, __u32 *src_id,
 		return DROP_INVALID;
 
 	/* Retrieve destination identity. */
-	info = lookup_ip4_remote_endpoint(ip4->daddr);
+	info = lookup_ip4_remote_endpoint(ip4->daddr, 0);
 	if (info && info->sec_label)
 		dst_id = info->sec_label;
 	cilium_dbg(ctx, info ? DBG_IP_ID_MAP_SUCCEED4 : DBG_IP_ID_MAP_FAILED4,
@@ -356,7 +356,7 @@ ipv4_host_policy_ingress(struct __ctx_buff *ctx, __u32 *src_id,
 	trace->reason = (enum trace_reason)ret;
 
 	/* Retrieve source identity. */
-	info = lookup_ip4_remote_endpoint(ip4->saddr);
+	info = lookup_ip4_remote_endpoint(ip4->saddr, 0);
 	if (info && info->sec_label)
 		*src_id = info->sec_label;
 	cilium_dbg(ctx, info ? DBG_IP_ID_MAP_SUCCEED4 : DBG_IP_ID_MAP_FAILED4,

bpf/lib/maps.h

@@ -168,7 +168,7 @@ _Pragma("unroll")							\
 struct ipcache_key {
 	struct bpf_lpm_trie_key lpm_key;
 	__u16 pad1;
-	__u8 pad2;
+	__u8 cluster_id;
 	__u8 family;
 	union {
 		struct {

bpf/lib/nat.h

@@ -620,7 +620,7 @@ static __always_inline bool snat_v4_prepare_state(struct __ctx_buff *ctx,
 #endif /* defined(TUNNEL_MODE) && defined(IS_BPF_OVERLAY) */
 
 	local_ep = __lookup_ip4_endpoint(ip4->saddr);
-	remote_ep = lookup_ip4_remote_endpoint(ip4->daddr);
+	remote_ep = lookup_ip4_remote_endpoint(ip4->daddr, 0);
 
 	/* Check if this packet belongs to reply traffic coming from a
 	 * local endpoint.

bpf/lib/nodeport.h

@@ -730,7 +730,7 @@ int tail_nodeport_nat_egress_ipv6(struct __ctx_buff *ctx)
 	}
 
 	dst = (union v6addr *)&ip6->daddr;
-	info = ipcache_lookup6(&IPCACHE_MAP, dst, V6_CACHE_KEY_LEN);
+	info = ipcache_lookup6(&IPCACHE_MAP, dst, V6_CACHE_KEY_LEN, 0);
 	if (info && info->tunnel_endpoint != 0) {
 		ret = __encap_with_nodeid(ctx, info->tunnel_endpoint,
 					  WORLD_ID,
@@ -1029,7 +1029,7 @@ static __always_inline int rev_nodeport_lb6(struct __ctx_buff *ctx, __u32 *ifind
 			union v6addr *dst = (union v6addr *)&ip6->daddr;
 			struct remote_endpoint_info *info;
 
-			info = ipcache_lookup6(&IPCACHE_MAP, dst, V6_CACHE_KEY_LEN);
+			info = ipcache_lookup6(&IPCACHE_MAP, dst, V6_CACHE_KEY_LEN, 0);
 			if (info != NULL && info->tunnel_endpoint != 0) {
 				return __encap_with_nodeid(ctx, info->tunnel_endpoint,
 							   SECLABEL, info->sec_label,
@@ -1690,7 +1690,7 @@ int tail_nodeport_nat_egress_ipv4(struct __ctx_buff *ctx)
 		goto drop_err;
 	}
 
-	info = ipcache_lookup4(&IPCACHE_MAP, ip4->daddr, V4_CACHE_KEY_LEN);
+	info = ipcache_lookup4(&IPCACHE_MAP, ip4->daddr, V4_CACHE_KEY_LEN, 0);
 	if (info && info->tunnel_endpoint != 0) {
 		/* The dir == NAT_DIR_EGRESS branch is executed for
 		 * N/S LB requests which needs to be fwd-ed to a remote
@@ -2010,7 +2010,7 @@ static __always_inline int rev_nodeport_lb4(struct __ctx_buff *ctx, __u32 *ifind
 		{
 			struct remote_endpoint_info *info;
 
-			info = ipcache_lookup4(&IPCACHE_MAP, ip4->daddr, V4_CACHE_KEY_LEN);
+			info = ipcache_lookup4(&IPCACHE_MAP, ip4->daddr, V4_CACHE_KEY_LEN, 0);
 			if (info != NULL && info->tunnel_endpoint != 0) {
 				tunnel_endpoint = info->tunnel_endpoint;
 				dst_id = info->sec_label;

bpf/sockops/bpf_redir.c

@@ -54,7 +54,7 @@ int cil_redir_proxy(struct sk_msg_md *msg)
 	 * socket to avoid extra overhead. This would require the agent though
 	 * to flush the sock ops map on policy changes.
 	 */
-	info = lookup_ip4_remote_endpoint(key.dip4);
+	info = lookup_ip4_remote_endpoint(key.dip4, 0);
 	if (info != NULL && info->sec_label)
 		dst_id = info->sec_label;
 	else

bpf/sockops/bpf_sockops.c

@@ -75,7 +75,7 @@ static inline void bpf_sock_ops_ipv4(struct bpf_sock_ops *skops)
 	if (1) {
 		struct remote_endpoint_info *info;
 
-		info = lookup_ip4_remote_endpoint(key.dip4);
+		info = lookup_ip4_remote_endpoint(key.dip4, 0);
 		if (info != NULL && info->sec_label)
 			dst_id = info->sec_label;
 		else

bpf/tests/nat_test.c

@@ -88,7 +88,8 @@ static __always_inline struct endpoint_info *mock__lookup_ip4_endpoint(__maybe_u
 	return NULL;
 }
 
-static __always_inline struct remote_endpoint_info *mock_lookup_ip4_remote_endpoint(__maybe_unused __u32 ip)
+static __always_inline struct remote_endpoint_info *
+mock_lookup_ip4_remote_endpoint(__maybe_unused __u32 ip, __maybe_unused __u8 cluster_id)
 {
 	return NULL;
 }

bpf/tests/wildcard_lookup.c

@@ -123,7 +123,7 @@ int test_v4_check(__maybe_unused struct xdp_md *ctx)
 	test_init();
 
 	TEST("setup", {
-		info = ipcache_lookup4(&IPCACHE_MAP, bpf_htonl(HOST_IP), V4_CACHE_KEY_LEN);
+		info = ipcache_lookup4(&IPCACHE_MAP, bpf_htonl(HOST_IP), V4_CACHE_KEY_LEN, 0);
 		assert(info);
 	});
 
@@ -348,7 +348,7 @@ int test_v6_check(__maybe_unused struct xdp_md *ctx)
 	test_init();
 
 	TEST("setup", {
-		info = ipcache_lookup6(&IPCACHE_MAP, &HOST_IP6, V6_CACHE_KEY_LEN);
+		info = ipcache_lookup6(&IPCACHE_MAP, &HOST_IP6, V6_CACHE_KEY_LEN, 0);
 		assert(info);
 	});