Remove sockops-enable and friends

.github/workflows/tests-datapath-verifier.yaml

@@ -205,7 +205,6 @@ jobs:
           provision: 'false'
           cmd: |
             cd /host/
-            make -C tools/maptool/
             # Run with cgo disabled, LVH images don't ship with gcc.
             CGO_ENABLED=0 go test -c ./test/verifier
             docker run -t --privileged \

CODEOWNERS

@@ -245,7 +245,6 @@ Makefile* @cilium/build
 /bpf/init.sh @cilium/loader
 /bpf/custom/Makefile* @cilium/build @cilium/loader
 /bpf/lib/encrypt.h @cilium/ipsec
-/bpf/sockops/Makefile* @cilium/build @cilium/loader
 /bugtool/ @cilium/tophat
 /bugtool/cmd/ @cilium/cli
 /cilium/ @cilium/cli
@@ -465,7 +464,6 @@ jenkinsfiles @cilium/ci-structure
 /pkg/safeio @cilium/sig-agent
 /pkg/serializer @cilium/sig-agent
 /pkg/service @cilium/sig-lb
-/pkg/sockops/ @cilium/sig-datapath @cilium/loader
 /pkg/status/ @cilium/sig-agent
 /pkg/sysctl @cilium/sig-datapath
 /pkg/testutils/ @cilium/ci-structure

Documentation/network/ebpf/intro.rst

@@ -106,11 +106,9 @@ a userspace proxy (Envoy) Cilium creates the following networking objects.
   will identify candidate sockets for accelerating. These include all local node connections
   (endpoint to endpoint) and any connection to a Cilium proxy.
   These identified connections will then have all messages handled by the socket
-  send/recv hook and will be accelerated using sockmap fast redirects. The fast
-  redirect ensures all policies implemented in Cilium are valid for the associated
+  send/recv hook. The fast redirect ensures all policies implemented in Cilium are valid for the associated
   socket/endpoint mapping and assuming they are sends the message directly to the
-  peer socket. This is allowed because the sockmap send/recv hooks ensures the message
-  will not need to be processed by any of the objects above.
+  peer socket.
 
 * **L7 Policy:** The L7 Policy object redirects proxy traffic to a Cilium userspace
   proxy instance. Cilium uses an Envoy instance as its userspace proxy. Envoy will

Documentation/operations/upgrade.rst

@@ -318,6 +318,11 @@ Annotations:
   applications create new connections after the TTL specified by the upstream
   DNS server is expired.
 
+Removed Options
+~~~~~~~~~~~~~~~
+
+The ``sockops-enable`` option is removed
+
 Added Metrics
 ~~~~~~~~~~~~~
 

Documentation/spelling_wordlist.txt

@@ -953,8 +953,6 @@ sleepAfterInit
 snat
 socketLB
 socketPath
-sockmap
-sockops
 sortBufferDrainTimeout
 sortBufferLenMax
 sourceContext

bpf/Makefile

@@ -5,8 +5,7 @@ include ../Makefile.defs
 
 .PHONY: all bpf_all build_all subdirs install clean gen_compile_commands
 
-SUBDIRS = sockops custom
-
+SUBDIRS = custom
 BPF_SIMPLE = bpf_network.o bpf_alignchecker.o
 BPF_SIMPLE_C = $(patsubst %.o,%.c,${BPF_SIMPLE})
 BPF_SIMPLE_LL = $(patsubst %.o,%.ll,${BPF_SIMPLE})

bpf/bpf_alignchecker.c

@@ -13,7 +13,6 @@
 #include "node_config.h"
 #include "lib/common.h"
 #include "lib/maps.h"
-#include "sockops/bpf_sockops.h"
 #include "lib/nat.h"
 #include "lib/trace.h"
 #include "lib/policy_log.h"
@@ -35,7 +34,6 @@ struct endpoint_key _12;
 struct endpoint_info _13;
 struct metrics_key _14;
 struct metrics_value _15;
-struct sock_key _16;
 struct policy_key _17;
 struct policy_entry _18;
 struct ipv4_nat_entry _19;

bpf/include/bpf/helpers.h

@@ -80,14 +80,6 @@ struct bpf_fib_lookup_padded {
 static int BPF_FUNC(fib_lookup, void *ctx, struct bpf_fib_lookup *params,
 		    __u32 plen, __u32 flags);
 
-/* Sockops and SK_MSG helpers */
-static int BPF_FUNC(sock_map_update, struct bpf_sock_ops *skops, void *map,
-		    __u32 key,  __u64 flags);
-static int BPF_FUNC(sock_hash_update, struct bpf_sock_ops *skops, void *map,
-		    void *key,  __u64 flags);
-static int BPF_FUNC(msg_redirect_hash, struct sk_msg_md *md, void *map,
-		    void *key, __u64 flags);
-
 /* Socket lookup helpers */
 static struct bpf_sock *BPF_FUNC(sk_lookup_tcp, void *ctx,
 				 struct bpf_sock_tuple *tuple, __u32 tuple_size,

bpf/lib/eps.h

@@ -43,19 +43,6 @@ lookup_ip4_endpoint(const struct iphdr *ip4)
 	return __lookup_ip4_endpoint(ip4->daddr);
 }
 
-#ifdef SOCKMAP
-static __always_inline void *
-lookup_ip4_endpoint_policy_map(__u32 ip)
-{
-	struct endpoint_key key = {};
-
-	key.ip4 = ip;
-	key.family = ENDPOINT_KEY_IPV4;
-
-	return map_lookup_elem(&EP_POLICY_MAP, &key);
-}
-#endif
-
 /* IPCACHE_STATIC_PREFIX gets sizeof non-IP, non-prefix part of ipcache_key */
 #define IPCACHE_STATIC_PREFIX							\
 	(8 * (sizeof(struct ipcache_key) - sizeof(struct bpf_lpm_trie_key)	\

bpf/lib/maps.h

@@ -64,17 +64,6 @@ struct {
 } THROTTLE_MAP __section_maps_btf;
 #endif /* ENABLE_BANDWIDTH_MANAGER */
 
-/* Map to link endpoint id to per endpoint cilium_policy map */
-#ifdef SOCKMAP
-struct {
-	__uint(type, BPF_MAP_TYPE_HASH_OF_MAPS);
-	__type(key, struct endpoint_key);
-	__type(value, int);
-	__uint(pinning, LIBBPF_PIN_BY_NAME);
-	__uint(max_entries, ENDPOINTS_MAP_SIZE);
-} EP_POLICY_MAP __section_maps_btf;
-#endif
-
 #ifdef POLICY_MAP
 /* Per-endpoint policy enforcement map */
 struct {

bpf/lib/policy.h

@@ -11,86 +11,6 @@
 #include "eps.h"
 #include "maps.h"
 
-#ifdef SOCKMAP
-static __always_inline int
-policy_sk_egress(__u32 identity, __u32 ip,  __u16 dport)
-{
-	void *map = lookup_ip4_endpoint_policy_map(ip);
-	int dir = CT_EGRESS;
-	__u8 proto = IPPROTO_TCP;
-	struct policy_entry *policy;
-	struct policy_key key = {
-		.sec_label = identity,
-		.dport = dport,
-		.protocol = proto,
-		.egress = !dir,
-		.pad = 0,
-	};
-
-	if (!map)
-		return CTX_ACT_OK;
-
-	/* Policy match precedence:
-	 * 1. id/proto/port  (L3/L4)
-	 * 2. ANY/proto/port (L4-only)
-	 * 3. id/proto/ANY   (L3-proto)
-	 * 4. ANY/proto/ANY  (Proto-only)
-	 * 5. id/ANY/ANY     (L3-only)
-	 * 6. ANY/ANY/ANY    (All)
-	 */
-	/* Start with L3/L4 lookup. */
-	policy = map_lookup_elem(map, &key);
-	if (likely(policy)) {					/* 1. id/proto/port */
-		goto policy_check_entry;
-	}
-
-	/* L4-only lookup. */
-	key.sec_label = 0;
-	policy = map_lookup_elem(map, &key);
-	if (likely(policy)) {					/* 2. ANY/proto/port */
-		goto policy_check_entry;
-	}
-
-	/* Check L3-proto policy */
-	key.sec_label = identity;
-	key.dport = 0;
-	policy = map_lookup_elem(map, &key);
-	if (likely(policy)) {					/* 3. id/proto/ANY */
-		goto policy_check_entry;
-	}
-
-	/* Check Proto-only policy */
-	key.sec_label = 0;
-	policy = map_lookup_elem(map, &key);
-	if (likely(policy)) {					/* 4. ANY/proto/ANY */
-		goto policy_check_entry;
-	}
-
-	/* If L4 policy check misses, fall back to L3-only. */
-	key.sec_label = identity;
-	key.protocol = 0;
-	policy = map_lookup_elem(map, &key);
-	if (likely(policy)) {					/* 5. id/ANY/ANY */
-		goto policy_check_entry;
-	}
-
-	/* Final fallback if allow-all policy is in place. */
-	key.sec_label = 0;
-	policy = map_lookup_elem(map, &key);
-	if (likely(policy)) {					/* 6. ANY/ANY/ANY */
-		goto policy_check_entry;
-	}
-
-	return DROP_POLICY;
-
-policy_check_entry:
-	/* FIXME: Need byte counter */
-	__sync_fetch_and_add(&policy->packets, 1);
-	if (unlikely(policy->deny))
-		return DROP_POLICY_DENY;
-	return policy->proxy_port;
-}
-#else
 static __always_inline void
 account(struct __ctx_buff *ctx, struct policy_entry *policy)
 {
@@ -377,5 +297,4 @@ static __always_inline void policy_clear_mark(struct __ctx_buff *ctx)
 {
 	ctx_store_meta(ctx, CB_POLICY, 0);
 }
-#endif /* SOCKMAP */
 #endif

bpf/node_config.h

@@ -121,14 +121,12 @@ DEFINE_IPV6(HOST_IP, 0xbe, 0xef, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0xa, 0x
 #define SIGNAL_MAP test_cilium_signals
 #define METRICS_MAP test_cilium_metrics
 #define POLICY_CALL_MAP test_cilium_policy
-#define SOCK_OPS_MAP test_sock_ops_map
 #define AUTH_MAP test_cilium_auth
 #define IPCACHE_MAP test_cilium_ipcache
 #define NODE_MAP test_cilium_node_map
 #define ENCRYPT_MAP test_cilium_encrypt_state
 #define TUNNEL_MAP test_cilium_tunnel_map
 #define VTEP_MAP test_cilium_vtep_map
-#define EP_POLICY_MAP test_cilium_ep_to_policy
 #define LB6_REVERSE_NAT_MAP test_cilium_lb6_reverse_nat
 #define LB6_SERVICES_MAP_V2 test_cilium_lb6_services
 #define LB6_BACKEND_MAP test_cilium_lb6_backends