Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[v1.13] bpf: use skb->ifindex for FIB lookup in handle_*_from_lxc() #24195

Merged
merged 1 commit into from
Mar 10, 2023
Merged

[v1.13] bpf: use skb->ifindex for FIB lookup in handle_*_from_lxc() #24195

merged 1 commit into from
Mar 10, 2023

Conversation

julianwiedmann
Copy link
Member

Once this PR is merged, you can update the PR labels via:

for pr in 24182; do contrib/backporting/set-labels.py $pr done 1.13; done

or with

make add-labels BRANCH=v1.13 ISSUES=24182

@julianwiedmann
bpf: use skb->ifindex for FIB lookup in handle_*_from_lxc()
adc2f33 
[ upstream commit db5211f ]

[ Backporter's notes: introduce a `iif` parameter for redirect_direct_* ]

L7 LB traffic is first redirected to envoy for load-balancing. The
corresponding local packet by envoy is then sent back to
handle_policy_egress() by the cilium_from_host program via tail-call.

In a config with ENABLE_HOST_ROUTING and multiple devices, it then
potentially requires a in-BPF FIB lookup. For this lookup, we currently
use ctx->ingress_ifindex (aka skb->skb_iif).

For the normal veth->veth transition, the skb->skb_iif would be set by the
__netif_receive_skb() in process_backlog(). But for a local packet (as
generated by envoy for L7 LB) skb->skb_iif is not set. Consequently such a
FIB lookup for ctx->ingress_ifindex 0 will fail, and the packet gets
dropped with DROP_NO_FIB.

Use ctx->ifindex instead. This changes nothing for normal from-pod traffic,
but allows L7 LB traffic to perform a FIB lookup.

Note that for the L7 LB case, ctx->ifindex will point at cilium_host
(rather than the pod's veth interface).

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@julianwiedmann julianwiedmann requested a review from a team as a code owner March 6, 2023 14:29
@maintainer-s-little-helper maintainer-s-little-helper bot added backport/1.13 This PR represents a backport for Cilium 1.13.x of a PR that was merged to main. kind/backports This PR provides functionality previously merged into master. labels Mar 6, 2023
@julianwiedmann
Copy link
Member Author

julianwiedmann commented Mar 6, 2023
edited by maintainer-s-little-helper bot

/test-backport-1.13

Job 'Cilium-PR-K8s-1.24-kernel-4.9' failed:

Click to show.

Test Name

K8sDatapathVerifier Runs the kernel verifier against Cilium's BPF datapath

Failure Output

FAIL: terminating containers are not deleted after timeout

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.24-kernel-4.9 so I can create one.

Job 'Cilium-PR-K8s-1.21-kernel-4.9' failed:

Click to show.

Test Name

K8sDatapathServicesTest Checks E/W loadbalancing (ClusterIP, NodePort from inside cluster, etc) Tests NodePort inside cluster (kube-proxy) with the host firewall and externalTrafficPolicy=Local

Failure Output

FAIL: Request from k8s1 to service tftp://[fd04::12]:30698/hello failed

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.21-kernel-4.9 so I can create one.

Job 'Cilium-PR-K8s-1.25-kernel-4.19' failed:

Click to show.

Test Name

K8sDatapathVerifier Runs the kernel verifier against Cilium's BPF datapath

Failure Output

FAIL: terminating containers are not deleted after timeout

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.25-kernel-4.19 so I can create one.

sayboras
sayboras reviewed Mar 6, 2023
View reviewed changes
bpf/lib/fib.h Show resolved Hide resolved
@julianwiedmann
Copy link
Member Author

/test-1.25-4.19

@julianwiedmann
Copy link
Member Author

I believe kernel-4.9 errors are no longer relevant for v1.13 -> ready for merge.

@julianwiedmann julianwiedmann added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Mar 7, 2023
@jrajahalme jrajahalme merged commit 6487298 into cilium:v1.13 Mar 10, 2023
@julianwiedmann julianwiedmann deleted the v1.13-fib-fix branch March 10, 2023 10:58
@nebril nebril mentioned this pull request Mar 15, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@borkmann borkmann borkmann approved these changes

@jrajahalme jrajahalme jrajahalme approved these changes

@sayboras sayboras sayboras approved these changes

Assignees
No one assigned
Labels
backport/1.13 This PR represents a backport for Cilium 1.13.x of a PR that was merged to main. kind/backports This PR provides functionality previously merged into master. ready-to-merge This PR has passed all tests and received consensus from code owners to merge.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@julianwiedmann @borkmann @jrajahalme @sayboras