bpf: Handle fragments in SNAT flows #25340
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
maintainer-s-little-helper
bot
added
the
dont-merge/needs-release-note-label
gentoo-root
force-pushed
the
nat-fragments-fix
branch
from
fb0577d
to
cfbb5ec
Compare
gentoo-root
force-pushed
the
nat-fragments-fix
branch
from
cfbb5ec
to
debc63c
Compare
gentoo-root
force-pushed
the
nat-fragments-fix
branch
from
debc63c
to
7c88238
Compare
|
/test |
|
This pull request has been automatically marked as stale because it |
github-actions
bot
added
the
stale
gentoo-root
removed
the
stale
gentoo-root
force-pushed
the
nat-fragments-fix
branch
from
7c88238
to
fed40e5
Compare
|
/test |
gentoo-root
force-pushed
the
nat-fragments-fix
branch
from
fed40e5
to
e33a839
Compare
|
/test |
|
This pull request has been automatically marked as stale because it |
github-actions
bot
added
the
stale
gentoo-root
removed
the
stale
gentoo-root
force-pushed
the
nat-fragments-fix
branch
from
e33a839
to
3d7e806
Compare
|
This pull request has been automatically marked as stale because it |
github-actions
bot
added
the
stale
gentoo-root
force-pushed
the
nat-fragments-fix
branch
from
3d7e806
to
e5fef4b
Compare
gentoo-root
removed
the
stale
gentoo-root
force-pushed
the
nat-fragments-fix
branch
3 times, most recently
from
b4f954d
to
e2ac9d1
Compare
|
/test |
gentoo-root
added
the
release-note/misc
julianwiedmann
added
the
release-note/minor
julianwiedmann
requested changes
Oct 2, 2023
There was a problem hiding this comment.
Thanks for tackling this! It's been a long time coming :).
A few smaller notes, but the only thing that really needs addressing is how ct_lazy_lookup4() obtains the is_fragment variable. Happy to brain-storm further if passing around an additional parameter is too much hassle.
gentoo-root
force-pushed
the
nat-fragments-fix
branch
2 times, most recently
from
8b83858
to
595f9e3
Compare
|
/test |
1 similar comment
|
/test |
julianwiedmann
requested changes
Oct 18, 2023
Separated to another PR: #28768 |
gentoo-root
force-pushed
the
nat-fragments-fix
branch
3 times, most recently
from
3f6a6b7
to
4e5ca0a
Compare
The code that extracts ports in snat_v4_nat and snat_v4_rev_nat doesn't take into account that the packet may be a second or further fragment. In this case, garbage will be read instead of the real port numbers. Fix this by using the existing ipv4_ct_extract_l4_ports that takes into account fragmentation. This change makes the behavior of the switch inside the aforementioned functions closer to ct_extract_ports4. Consider fragments in snat_v4_rewrite_ingress, avoid rewriting ports if it's not the first fragment. Fixes: 14a653a ("bpf/nat: introduce snat_v4_nat() and snat_v4_rev_nat functions") Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com>
gentoo-root
force-pushed
the
nat-fragments-fix
branch
3 times, most recently
from
a0c1f0f
to
00a25b7
Compare
The next commit will use it to update metrics. Note that revalidate_data shouldn't be done in place, because the L3 header offset may be not equal to ETH_HLEN in XDP flows. Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com>
The previous commit ("bpf: Handle fragments in SNAT flows") added an
extra call to ipv4_ct_extract_l4_ports into the SNAT paths. It can lead
to double-accounting of the same fragments, failing the "Supports IPv4
fragments" test, because ipv4_handle_fragmentation is called one more
time in those flows.
Fix it by moving the metric update out of ipv4_handle_fragmentation
directly to __ct_lookup4.
Suggested-by: Julian Wiedmann <jwi@isovalent.com>
Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com>
Replace snat_v4_rewrite_ingress by a generic snat_v4_rewrite_headers for better code reuse. This change should not change the behavior, the new code should be functionally equivalent to the old one. Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com>
gentoo-root
force-pushed
the
nat-fragments-fix
branch
from
00a25b7
to
4906275
Compare
|
/test |
julianwiedmann
added
the
kind/enhancement
julianwiedmann
approved these changes
Nov 13, 2023
maintainer-s-little-helper
bot
added
the
ready-to-merge
3 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The code that extracts ports in snat_v4_nat and snat_v4_rev_nat doesn't take into account that the packet may be a second or further fragment. In this case, garbage will be read instead of the real port numbers. Fix this by using the existing ipv4_ct_extract_l4_ports that takes into account fragmentation.
This change makes the behavior of the switch inside the aforementioned functions closer to ct_extract_ports4.
Consider fragments in snat_v4_rewrite_ingress, avoid rewriting ports if it's not the first fragment.
Fixes: 14a653a ("bpf/nat: introduce snat_v4_nat() and snat_v4_rev_nat functions")
This should be applied on top of #25112.