bpf: Remove flowlabel optimization for identity

bpf/bpf_host.c

@@ -94,24 +94,6 @@ static __always_inline bool identity_from_ipcache_ok(void)
 #endif
 
 #ifdef ENABLE_IPV6
-static __always_inline __u32
-derive_src_id(const union v6addr *node_ip, struct ipv6hdr *ip6, __u32 *identity)
-{
-	if (ipv6_match_prefix_64((union v6addr *) &ip6->saddr, node_ip)) {
-		/* Read initial 4 bytes of header and then extract flowlabel */
-		__u32 *tmp = (__u32 *) ip6;
-		*identity = bpf_ntohl(*tmp & IPV6_FLOWLABEL_MASK);
-
-		/* A remote node will map any HOST_ID source to be presented as
-		 * REMOTE_NODE_ID, therefore any attempt to signal HOST_ID as
-		 * source from a remote node can be dropped.
-		 */
-		if (*identity == HOST_ID)
-			return DROP_INVALID_IDENTITY;
-	}
-	return 0;
-}
-
 # ifdef ENABLE_HOST_FIREWALL
 static __always_inline __u32
 ipcache_lookup_srcid6(struct __ctx_buff *ctx)
@@ -143,20 +125,10 @@ resolve_srcid_ipv6(struct __ctx_buff *ctx, __u32 srcid_from_proxy,
 	void *data, *data_end;
 	struct ipv6hdr *ip6;
 	union v6addr *src;
-	int ret;
 
 	if (!revalidate_data_maybe_pull(ctx, &data, &data_end, &ip6, !from_host))
 		return DROP_INVALID;
 
-	if (!from_host) {
-		union v6addr node_ip = {};
-
-		BPF_V6(node_ip, ROUTER_IP);
-		ret = derive_src_id(&node_ip, ip6, &src_id);
-		if (IS_ERR(ret))
-			return ret;
-	}
-
 	/* Packets from the proxy will already have a real identity. */
 	if (identity_is_reserved(srcid_from_ipcache)) {
 		src = (union v6addr *) &ip6->saddr;

bpf/bpf_lxc.c

@@ -521,9 +521,6 @@ static __always_inline int handle_ipv6_from_lxc(struct __ctx_buff *ctx, __u32 *d
 		return ret;
 #endif
 
-	if (ipv6_store_flowlabel(ctx, ETH_HLEN, SECLABEL_NB) < 0)
-		return DROP_WRITE_ERROR;
-
 #ifndef TUNNEL_MODE
 # ifdef ENABLE_IPSEC
 	if (encrypt_key && tunnel_endpoint) {

bpf/lib/ipv6.h

@@ -8,13 +8,6 @@
 
 #include "dbg.h"
 
-#define IPV6_FLOWINFO_MASK              bpf_htonl(0x0FFFFFFF)
-#define IPV6_FLOWLABEL_MASK             bpf_htonl(0x000FFFFF)
-#define IPV6_FLOWLABEL_STATELESS_FLAG   bpf_htonl(0x00080000)
-
-#define IPV6_TCLASS_MASK (IPV6_FLOWINFO_MASK & ~IPV6_FLOWLABEL_MASK)
-#define IPV6_TCLASS_SHIFT       20
-
 /* Number of extension headers that can be skipped */
 #define IPV6_MAX_HEADERS 4
 
@@ -131,18 +124,6 @@ static __always_inline void ipv6_addr_clear_suffix(union v6addr *addr,
 	addr->p4 &= GET_PREFIX(prefix);
 }
 
-static __always_inline int ipv6_match_prefix_64(const union v6addr *addr,
-						const union v6addr *prefix)
-{
-	int tmp;
-
-	tmp = addr->p1 - prefix->p1;
-	if (!tmp)
-		tmp = addr->p2 - prefix->p2;
-
-	return !tmp;
-}
-
 static __always_inline int ipv6_dec_hoplimit(struct __ctx_buff *ctx, int off)
 {
 	__u8 hl;
@@ -218,24 +199,6 @@ static __always_inline int ipv6_store_paylen(struct __ctx_buff *ctx, int off,
 			       len, sizeof(*len), 0);
 }
 
-static __always_inline int ipv6_store_flowlabel(struct __ctx_buff *ctx, int off,
-						__be32 label)
-{
-	__be32 old;
-
-	/* use traffic class from packet */
-	if (ctx_load_bytes(ctx, off, &old, 4) < 0)
-		return DROP_INVALID;
-
-	old &= IPV6_TCLASS_MASK;
-	old = bpf_htonl(0x60000000) | label | old;
-
-	if (ctx_store_bytes(ctx, off, &old, 4, BPF_F_RECOMPUTE_CSUM) < 0)
-		return DROP_WRITE_ERROR;
-
-	return 0;
-}
-
 static __always_inline __be32 ipv6_pseudohdr_checksum(struct ipv6hdr *hdr,
 						      __u8 next_hdr,
 						      __u16 payload_len, __be32 sum)