New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
bpf: lb: introduce an optimized CT lookup #22936
Conversation
584c46c
to
43efdc5
Compare
/test |
43efdc5
to
e249360
Compare
/test |
e249360
to
1a998bd
Compare
/test |
1a998bd
to
9234027
Compare
/test |
9234027
to
2ae5571
Compare
/test |
2ae5571
to
341a6e4
Compare
/test |
341a6e4
to
904b1ed
Compare
/test |
904b1ed
to
10c86a3
Compare
/test |
10c86a3
to
f629ba6
Compare
/test |
/test-1.16-4.19 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Last comment is mixing a small logic change with a fair amount of refactoring; probably would have been easier to review if the two were separate. That said, the rest of the commit history is 👌
I see this is labelled |
yep, must have fat-fingered. Thanks! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, couple questions.
As part of the nodeport SVC lookup, lb6_extract_key() currently extracts the packet's destination port. Refactor this code path to use lb6_extract_tuple() instead, thus loading _both_ L4 ports. We can use this in a subsequent patch to slim down the CT lookup code. lb6_extract_key() turns into a much simpler helper that only fills the lb6_key. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
This helper is now only used for IPv4 packets. Remove the IPv6-specific parts. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
We already have a validated IPv4 header, so avoid jumping through ipv4_ct_extract_l4_ports() for loading the ports. Stick close to how lb4_extract_l4_port() lays out the code, as we want to start using lb4_extract_tuple() in more places and the 4.19 verifier is very picky about it. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Same as for lb6_extract_tuple(). Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Trust that earlier stages have already checked the L4 protocol, and we're not suddenly processing a request with non-SVC protocol. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
The SVC-to-backend DNAT code already updates the .daddr in the CT tuple. Also update the backend port, so that the nodeport code can use this tuple as-is to create an CT entry for RevDNAT of non-DSR connections. Slightly pull down the .daddr update in lb6_local(), to keep the code in sync with lb4_local() and have the whole tuple update in one place. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Enforce proper types. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Allow the LB paths to perform a CT lookup without validating the L3 protocol or extracting the L4 ports. This helps to reduce instruction count in the nodeport code. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
As the LB paths are doing their own L3 protocol checks and also extract the L4 ports on their own, we can switch lb_local() and all the nodeport code to use the optimized CT lookup helpers. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
f629ba6
to
287f1c3
Compare
/test |
Yeah, that's fair - probably a bit too big to refactor + introduce the new usage in the same commit. Split it up now. |
This splits off the CT improvements from #22978 for easier reviewing (ie no need to follow all the DSR changes in that PR). They are needed to slim down the instruction count in the nodeport path.
The main idea is to extract a fully populated CT tuple in the service lookup path once, and thus avoid multiple L4 port extractions in the
ct_lookup()
calls. As we need to extract thedest
port for the Service lookup anyway, we can also extract thesource
port at this time without extra cost.I expect that we can use the new
ct_lb_lookup()
helpers in more locations over time, and presumably also rename it at that point.