Replaced declare_tailcall_if with logic in the loader
#30467
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dylandreimerink
added
the
release-note/misc
dylandreimerink
force-pushed
the
feature/replace-declare-tailcall-if
branch
from
627c9e9
to
7395b27
Compare
|
/test |
dylandreimerink
force-pushed
the
feature/replace-declare-tailcall-if
branch
2 times, most recently
from
cb91cd0
to
8e7864f
Compare
|
/test |
|
/test |
dylandreimerink
force-pushed
the
feature/replace-declare-tailcall-if
branch
from
9cf79de
to
dc51a32
Compare
|
/test |
dylandreimerink
force-pushed
the
feature/replace-declare-tailcall-if
branch
from
dc51a32
to
00386a4
Compare
|
/test |
dylandreimerink
force-pushed
the
feature/replace-declare-tailcall-if
branch
from
00386a4
to
ac1568b
Compare
|
/test |
dylandreimerink
force-pushed
the
feature/replace-declare-tailcall-if
branch
from
ac1568b
to
1f52b46
Compare
|
/test |
dylandreimerink
force-pushed
the
feature/replace-declare-tailcall-if
branch
from
1f52b46
to
42e1c41
Compare
|
/test |
dylandreimerink
force-pushed
the
feature/replace-declare-tailcall-if
branch
3 times, most recently
from
d02e4fc
to
a0e3c11
Compare
|
/test |
dylandreimerink
changed the title
declare_tailcall_if with logic in the loader
dylandreimerink
force-pushed
the
feature/replace-declare-tailcall-if
branch
from
a0e3c11
to
b2c0343
Compare
|
/test |
jschwinger233
added a commit
to jschwinger233/cilium
that referenced
this pull request
Mar 1, 2024
SKIP_ICMPV6_NS_HANDLING was there to pass bpf coverage test, which is gone by cilium#28090. In the meantime, removing SKIP_ICMPV6_NS_HANDLING from tc_nodeport_l3_dev.c prevents "potential missed tailcall" errors introduced by cilium#30467, as tail_icmp6_handle_ns() doesn't exist when SKIP_ICMPV6_NS_HANDLING is defined, but still gets tail-called by icmp6_handle_ns(). Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
github-merge-queue bot
pushed a commit
that referenced
this pull request
Mar 1, 2024
SKIP_ICMPV6_NS_HANDLING was there to pass bpf coverage test, which is gone by #28090. In the meantime, removing SKIP_ICMPV6_NS_HANDLING from tc_nodeport_l3_dev.c prevents "potential missed tailcall" errors introduced by #30467, as tail_icmp6_handle_ns() doesn't exist when SKIP_ICMPV6_NS_HANDLING is defined, but still gets tail-called by icmp6_handle_ns(). Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
jschwinger233
added a commit
to jschwinger233/cilium
that referenced
this pull request
Mar 5, 2024
[ upstream commit: 60c5e76 ] SKIP_ICMPV6_NS_HANDLING was there to pass bpf coverage test, which is gone by cilium#28090. In the meantime, removing SKIP_ICMPV6_NS_HANDLING from tc_nodeport_l3_dev.c prevents "potential missed tailcall" errors introduced by cilium#30467, as tail_icmp6_handle_ns() doesn't exist when SKIP_ICMPV6_NS_HANDLING is defined, but still gets tail-called by icmp6_handle_ns(). Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
jschwinger233
added a commit
to jschwinger233/cilium
that referenced
this pull request
Mar 5, 2024
[ upstream commit: 60c5e76 ] SKIP_ICMPV6_NS_HANDLING was there to pass bpf coverage test, which is gone by cilium#28090. In the meantime, removing SKIP_ICMPV6_NS_HANDLING from tc_nodeport_l3_dev.c prevents "potential missed tailcall" errors introduced by cilium#30467, as tail_icmp6_handle_ns() doesn't exist when SKIP_ICMPV6_NS_HANDLING is defined, but still gets tail-called by icmp6_handle_ns(). Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
jschwinger233
added a commit
to jschwinger233/cilium
that referenced
this pull request
Mar 5, 2024
[ upstream commit: 8d4db89 ] [ backporter's notes: minor changes due to lack of cilium#30467 in v1.15 ] This commit adds bpf/tests/ipv6_ndp_from_netdev_test.c to cover two scenarios: 1. from_netdev receives IPv6 NS for a pod IP on the same host 2. from_netdev receives IPv6 NS for the node IP (eth0's addr) For case 1, from_netdev should return a NA on behalf of the target pod to avoid cilium#30926. for case 2, it must return the NS to stack to address cilium#14509. Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
joestringer
pushed a commit
that referenced
this pull request
Mar 5, 2024
[ upstream commit: 60c5e76 ] SKIP_ICMPV6_NS_HANDLING was there to pass bpf coverage test, which is gone by #28090. In the meantime, removing SKIP_ICMPV6_NS_HANDLING from tc_nodeport_l3_dev.c prevents "potential missed tailcall" errors introduced by #30467, as tail_icmp6_handle_ns() doesn't exist when SKIP_ICMPV6_NS_HANDLING is defined, but still gets tail-called by icmp6_handle_ns(). Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
joestringer
pushed a commit
that referenced
this pull request
Mar 5, 2024
[ upstream commit: 8d4db89 ] [ backporter's notes: minor changes due to lack of #30467 in v1.15 ] This commit adds bpf/tests/ipv6_ndp_from_netdev_test.c to cover two scenarios: 1. from_netdev receives IPv6 NS for a pod IP on the same host 2. from_netdev receives IPv6 NS for the node IP (eth0's addr) For case 1, from_netdev should return a NA on behalf of the target pod to avoid #30926. for case 2, it must return the NS to stack to address #14509. Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
jschwinger233
added a commit
to jschwinger233/cilium
that referenced
this pull request
Mar 6, 2024
SKIP_ICMPV6_NS_HANDLING was there to pass bpf coverage test, which is gone by cilium#28090. In the meantime, removing SKIP_ICMPV6_NS_HANDLING from tc_nodeport_l3_dev.c prevents "potential missed tailcall" errors introduced by cilium#30467, as tail_icmp6_handle_ns() doesn't exist when SKIP_ICMPV6_NS_HANDLING is defined, but still gets tail-called by icmp6_handle_ns(). Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
jschwinger233
added a commit
to jschwinger233/cilium
that referenced
this pull request
Mar 6, 2024
[ upstream commit: 8d4db89 ] [ backporter's notes: minor changes due to lack of cilium#30467 and cilium#27134 ] This commit adds bpf/tests/ipv6_ndp_from_netdev_test.c to cover two scenarios: 1. from_netdev receives IPv6 NS for a pod IP on the same host 2. from_netdev receives IPv6 NS for the node IP (eth0's addr) For case 1, from_netdev should return a NA on behalf of the target pod to avoid cilium#30926. for case 2, it must return the NS to stack to address cilium#14509. Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
jschwinger233
added a commit
to jschwinger233/cilium
that referenced
this pull request
Mar 6, 2024
[ upstream commit: 8d4db89 ] [ backporter's notes: minor changes due to lack of cilium#30467 and cilium#27134 ] This commit adds bpf/tests/ipv6_ndp_from_netdev_test.c to cover two scenarios: 1. from_netdev receives IPv6 NS for a pod IP on the same host 2. from_netdev receives IPv6 NS for the node IP (eth0's addr) For case 1, from_netdev should return a NA on behalf of the target pod to avoid cilium#30926. for case 2, it must return the NS to stack to address cilium#14509. Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
jschwinger233
added a commit
to jschwinger233/cilium
that referenced
this pull request
Mar 6, 2024
[ upstream commit: 60c5e76 ] SKIP_ICMPV6_NS_HANDLING was there to pass bpf coverage test, which is gone by cilium#28090. In the meantime, removing SKIP_ICMPV6_NS_HANDLING from tc_nodeport_l3_dev.c prevents "potential missed tailcall" errors introduced by cilium#30467, as tail_icmp6_handle_ns() doesn't exist when SKIP_ICMPV6_NS_HANDLING is defined, but still gets tail-called by icmp6_handle_ns(). Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
jschwinger233
added a commit
to jschwinger233/cilium
that referenced
this pull request
Mar 6, 2024
[ upstream commit: 8d4db89 ] [ backporter's notes: minor changes due to lack of cilium#30467 and cilium#27134 ] This commit adds bpf/tests/ipv6_ndp_from_netdev_test.c to cover two scenarios: 1. from_netdev receives IPv6 NS for a pod IP on the same host 2. from_netdev receives IPv6 NS for the node IP (eth0's addr) For case 1, from_netdev should return a NA on behalf of the target pod to avoid cilium#30926. for case 2, it must return the NS to stack to address cilium#14509. Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
jschwinger233
added a commit
to jschwinger233/cilium
that referenced
this pull request
Mar 6, 2024
[ upstream commit: 8d4db89 ] [ backporter's notes: minor changes due to lack of cilium#30467 and cilium#27134 ] This commit adds bpf/tests/ipv6_ndp_from_netdev_test.c to cover two scenarios: 1. from_netdev receives IPv6 NS for a pod IP on the same host 2. from_netdev receives IPv6 NS for the node IP (eth0's addr) For case 1, from_netdev should return a NA on behalf of the target pod to avoid cilium#30926. for case 2, it must return the NS to stack to address cilium#14509. Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
Comment on lines
+37
to
+40
| #ifndef SKIP_ICMPV6_HOPLIMIT_HANDLING | ||
| if (ret == DROP_TTL_EXCEEDED) | ||
| return icmp6_send_time_exceeded(ctx, l3_off, direction); | ||
|
|
||
| #endif |
There was a problem hiding this comment.
Oh nice catch, thank you! I think we'll need to wire that up properly at some point for XDP.
There was a problem hiding this comment.
That is what this is doing. The only place where we ever declare this macro is in bpf_xdp.c. https://github.com/cilium/cilium/blob/main/bpf/bpf_xdp.c#L22
There was a problem hiding this comment.
I meant that one day we should actually implement the hoplimit handling for XDP :).
Comment on lines
+598
to
+604
| #ifdef ENABLE_IPV6 | ||
| if (ret == NAT_46X64_RECIRC) { | ||
| ctx_store_meta(ctx, CB_SRC_LABEL, secctx); | ||
| return tail_call_internal(ctx, CILIUM_CALL_IPV6_FROM_NETDEV, | ||
| ext_err); | ||
| } | ||
|
|
||
| #endif |
There was a problem hiding this comment.
Curious, why didn't we catch the same case in bpf_xdp?
(I would hope that the agent enforces IPv6=true when using the NAT46x64 gateway, so this is probably harmless for real deployments)
There was a problem hiding this comment.
Curious, why didn't we catch the same case in bpf_xdp?
It could just be that we are not testing an instance where we have IPv4=true, IPv6=false, NodeportAcceleration=true ?
jschwinger233
added a commit
to jschwinger233/cilium
that referenced
this pull request
Mar 7, 2024
[ upstream commit: 8d4db89 ] [ backporter's notes: minor changes due to lack of cilium#30467 and cilium#27134 ] This commit adds bpf/tests/ipv6_ndp_from_netdev_test.c to cover two scenarios: 1. from_netdev receives IPv6 NS for a pod IP on the same host 2. from_netdev receives IPv6 NS for the node IP (eth0's addr) For case 1, from_netdev should return a NA on behalf of the target pod to avoid cilium#30926. for case 2, it must return the NS to stack to address cilium#14509. Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
jschwinger233
added a commit
to jschwinger233/cilium
that referenced
this pull request
Mar 7, 2024
[ upstream commit: 60c5e76 ] [ backporter's notes: adds tc_nodeport_l3_dev.o into NOCOVER_PATTERN to avoid verifier issue as v1.14 still has bpf coverage test. ] SKIP_ICMPV6_NS_HANDLING was there to pass bpf coverage test, which is gone by cilium#28090. In the meantime, removing SKIP_ICMPV6_NS_HANDLING from tc_nodeport_l3_dev.c prevents "potential missed tailcall" errors introduced by cilium#30467, as tail_icmp6_handle_ns() doesn't exist when SKIP_ICMPV6_NS_HANDLING is defined, but still gets tail-called by icmp6_handle_ns(). Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
jschwinger233
added a commit
to jschwinger233/cilium
that referenced
this pull request
Mar 7, 2024
[ upstream commit: 60c5e76 ] [ backporter's notes: adds tc_nodeport_l3_dev.o into NOCOVER_PATTERN to avoid verifier issue as v1.14 still has bpf coverage test. ] SKIP_ICMPV6_NS_HANDLING was there to pass bpf coverage test, which is gone by cilium#28090. In the meantime, removing SKIP_ICMPV6_NS_HANDLING from tc_nodeport_l3_dev.c prevents "potential missed tailcall" errors introduced by cilium#30467, as tail_icmp6_handle_ns() doesn't exist when SKIP_ICMPV6_NS_HANDLING is defined, but still gets tail-called by icmp6_handle_ns(). Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
jschwinger233
added a commit
to jschwinger233/cilium
that referenced
this pull request
Mar 7, 2024
[ upstream commit: 8d4db89 ] [ backporter's notes: minor changes due to lack of cilium#30467 and cilium#27134 ] This commit adds bpf/tests/ipv6_ndp_from_netdev_test.c to cover two scenarios: 1. from_netdev receives IPv6 NS for a pod IP on the same host 2. from_netdev receives IPv6 NS for the node IP (eth0's addr) For case 1, from_netdev should return a NA on behalf of the target pod to avoid cilium#30926. for case 2, it must return the NS to stack to address cilium#14509. Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
julianwiedmann
pushed a commit
that referenced
this pull request
Mar 8, 2024
[ upstream commit: 60c5e76 ] [ backporter's notes: adds tc_nodeport_l3_dev.o into NOCOVER_PATTERN to avoid verifier issue as v1.14 still has bpf coverage test. ] SKIP_ICMPV6_NS_HANDLING was there to pass bpf coverage test, which is gone by #28090. In the meantime, removing SKIP_ICMPV6_NS_HANDLING from tc_nodeport_l3_dev.c prevents "potential missed tailcall" errors introduced by #30467, as tail_icmp6_handle_ns() doesn't exist when SKIP_ICMPV6_NS_HANDLING is defined, but still gets tail-called by icmp6_handle_ns(). Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
julianwiedmann
pushed a commit
that referenced
this pull request
Mar 8, 2024
[ upstream commit: 8d4db89 ] [ backporter's notes: minor changes due to lack of #30467 and #27134 ] This commit adds bpf/tests/ipv6_ndp_from_netdev_test.c to cover two scenarios: 1. from_netdev receives IPv6 NS for a pod IP on the same host 2. from_netdev receives IPv6 NS for the node IP (eth0's addr) For case 1, from_netdev should return a NA on behalf of the target pod to avoid #30926. for case 2, it must return the NS to stack to address #14509. Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
This was referenced Mar 15, 2024
2 tasks
ti-mo
added
the
backport-pending/1.15
github-actions
bot
added
backport-done/1.15
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR replaces the
declare_tailcall_ifmacro with loader logic in Go. Before this we had thedeclare_tailcall_ifandinvoke_tailcall_if. These were used together to determine if a function should be inlined or be emitted and called as a tailcall. For this to work, both the declare and invoke side needed to have the same condition or risk a missed tailcall.This change simplifies the datapath code a bit without performance regressions. We now always emit all tailcalls into the ELF, but we use logic in the loader to see if any
invoke_tailcall_ifor any non-conditionaltail_call_staticreferences a given tailcall. If a tailcall is unreachable it will not be loaded, saving us load time.This is part of a larger movement from compile time logic to load time logic to enable clang-free in the future, and to make the datapath code easier today.