cilium: fib lookup consolidation #23139
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
borkmann
added
sig/datapath
borkmann
force-pushed
the
pr/nat46x64-batch
branch
9 times, most recently
from
1be1cd4
to
f084edc
Compare
borkmann
force-pushed
the
pr/nat46x64-batch
branch
2 times, most recently
from
4ba56f7
to
511d55f
Compare
The NAT4->6 via services should only have the IPv6 entry, the NAT6->4 via services should only have the IPv4 entry. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Remove for now to simplify later refactoring. Later commits add a reworked version for single-node devices. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Add a neigh_resolver_available() helper which is true for skb and false for XDP. For XDP we need to reuse the BPF neighbor map. Add logic in here, so we have everything in a single location. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Small rename into fib_redirect_v{4,6}, no change in functionality.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Pass in iif as a parameter for fib_redirect_v{4,6}.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
For stateless NAT46x64, reuse the fib_redirect_v{4,6} code. Now the
tc BPF layer is actually able to resolve neighbors on demand.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Pull in the needs_l2_check functionality into fib_redirect_v{4,6} and
control this via const bool needs_l2_check given not all call-sites
need this. Mainly only when we push from bpf_lxc to an L3 device to
outside world such as wireguard.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
As next step, move all the DSR fib_lookup() open coding to reuse the
fib_redirect_v{4,6} helpers. This now enables tc BPF layer to resolve
neighbors on demand which it was previously not able to do.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
To allow for visibility, pass in ext_err and propagate fib lookup error codes to call-sites, so that they are able to pass these to send_drop_notify*(). Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
…elpers
Rework fib_redirect_v{4,6} to not return CTX_ACT_* but actual DROP_* errors
instead. Also, add a new fib_err for the BPF map, namely BPF_FIB_MAP_NO_NEIGH
when no neighbor could be found.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Provide more fib visibility for BPF host routing, and pass in ext_err to
fib_redirect_v{4,6} so that drop notifications will see them. Before that
we've ignored more fine-grained errors.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Since we removed ENABLE_SKIP_FIB. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Get rid of code duplication in fib_redirect_v{4,6} helpers, we only really
need to prep fib_params and common code can reside in fib_redirect(). This
is also needed for some call-sites for NAT46x64 which prep fib_params and
should not use fib_redirect_v{4,6} to avoid verifier complexity.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Switch to bpf_fib_lookup_padded version given some call-sites need this for calling into fib_redirect(). The padded one helps on older kernels when some of the fib_params are passed to helpers such as key for map lookup on neighbor table. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Convert tail_nodeport_nat_egress_ipv{4,6} to use common fib_redirect() code.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann
force-pushed
the
pr/nat46x64-batch
branch
from
6498bd6
to
6b1b80c
Compare
|
/test |
1 similar comment
|
/test |
borkmann
force-pushed
the
pr/nat46x64-batch
branch
from
203128b
to
5a6bcff
Compare
|
/test Job 'Cilium-PR-K8s-1.24-kernel-5.4' failed: Click to show.Test NameFailure OutputIf it is a flake and a GitHub issue doesn't already exist to track it, comment |
|
/test-1.16-4.9 |
|
/test-runtime |
|
/test-1.26-net-next |
|
/test-1.25-4.19 |
|
/test-1.24-5.4 |
|
/test-1.26-net-next |
|
/test-1.25-4.19 |
|
@borkmann Please triage the CI failures instead of restarting until it passes. We have a bunch of recurring failures for which nobody opened an issue because everyone is just restarting. |
|
/test |
I did look at the sysdumps to see if there is some correlation with the patch series and whether the errors are persistent in the first place. Given L7 related, my thinking was that it might have been due to the passed fib_lookup params. |
|
Superseeded by #23884 . |
1 task
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This series reworks and consolidates all fib lookups in our BPF code to utilize common functionality.
For tc BPF, this means that redirect_neigh code can be used whenever neighbors cannot be resolved. XDP utilizes the BPF neighbor map as we cannot do this ad-hoc in this layer.
This affects KPR, standalone LB, NAT46x64 GW, DSR code.
Fixes: #22782
Out of scope in here: EDT fix