[v1.14] bpf: improve trace events in SNAT path #30835

Merged
merged 2 commits into from
Feb 22, 2024
Merged
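--- a/bpf/lib/nat.h
+++ b/bpf/lib/nat.h
@@ -968,7 +968,7 @@ __snat_v4_nat(struct __ctx_buff *ctx, struct ipv4_ct_tuple *tuple,
 
 static __always_inline __maybe_unused int
 snat_v4_nat(struct __ctx_buff *ctx, const struct ipv4_nat_target *target,
-struct trace_ctx *trace, __s8 *ext_err)
+__be32 *saddr, struct trace_ctx *trace, __s8 *ext_err)
 {
 struct icmphdr icmphdr __align_stack_8;
 struct ipv4_ct_tuple tuple = {};
@@ -988,6 +988,7 @@ snat_v4_nat(struct __ctx_buff *ctx, const struct ipv4_nat_target *target,
 return DROP_INVALID;
 
 snat_v4_init_tuple(ip4, NAT_DIR_EGRESS, &tuple);
+*saddr = tuple.saddr;
 has_l4_header = ipv4_has_l4_header(ip4);
 
 off = ((void *)ip4 - data) + ipv4_hdrlen(ip4);
@@ -1825,7 +1826,7 @@ __snat_v6_nat(struct __ctx_buff *ctx, struct ipv6_ct_tuple *tuple,
 
 static __always_inline __maybe_unused int
 snat_v6_nat(struct __ctx_buff *ctx, const struct ipv6_nat_target *target,
-struct trace_ctx *trace, __s8 *ext_err)
+union v6addr *saddr, struct trace_ctx *trace, __s8 *ext_err)
 {
 struct icmp6hdr icmp6hdr __align_stack_8;
 struct ipv6_ct_tuple tuple = {};
@@ -1850,6 +1851,7 @@ snat_v6_nat(struct __ctx_buff *ctx, const struct ipv6_nat_target *target,
 return hdrlen;
 
 snat_v6_init_tuple(ip6, NAT_DIR_EGRESS, &tuple);
+ipv6_addr_copy(saddr, &tuple.saddr);
 
 off = ((void *)ip6 - data) + hdrlen;
 switch (tuple.nexthdr) {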
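Review bot: The new `saddr` out-parameter of `snat_v4_nat()` is dereferenced unconditionally at `*saddr = tuple.saddr;` and its contract is not documented, while the neighbouring `ext_err` pointer is passed as NULL by the tests on this page, so a reader could assume `saddr` is optional as well. I would add a comment above the function, e.g. `/* @saddr: out, must not be NULL; receives tuple.saddr as read from the packet before translation; not written on the early DROP_INVALID return */`. The same applies to `ipv6_addr_copy(saddr, &tuple.saddr);` in the `snat_v6_nat()` hunk. Because the trace events built from this value are what operators rely on to attribute masqueraded traffic, it is worth stating that the address is captured before the rewrite; that is inferred from the call order, since both function bodies continue outside the hunks.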
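--- a/bpf/lib/nodeport.h
+++ b/bpf/lib/nodeport.h
@@ -154,6 +154,7 @@ static __always_inline bool nodeport_uses_dsr6(const struct ipv6_ct_tuple *tuple
 }
 
 static __always_inline int nodeport_snat_fwd_ipv6(struct __ctx_buff *ctx,
+union v6addr *saddr,
 struct trace_ctx *trace,
 __s8 *ext_err)
 {
@@ -166,7 +167,7 @@ static __always_inline int nodeport_snat_fwd_ipv6(struct __ctx_buff *ctx,
 
 snat_needed = snat_v6_prepare_state(ctx, &target);
 if (snat_needed) {
-ret = snat_v6_nat(ctx, &target, trace, ext_err);
+ret = snat_v6_nat(ctx, &target, saddr, trace, ext_err);
 
 /* See the equivalent v4 path for comment */
 if (!IS_ERR(ret))
@@ -1434,6 +1435,7 @@ int tail_handle_snat_fwd_ipv6(struct __ctx_buff *ctx)
 .monitor = 0,
 };
 enum trace_point obs_point;
+union v6addr saddr = {};
 int ret;
 __s8 ext_err = 0;
 
@@ -1443,12 +1445,13 @@ int tail_handle_snat_fwd_ipv6(struct __ctx_buff *ctx)
 obs_point = TRACE_TO_NETWORK;
 #endif
 
-ret = nodeport_snat_fwd_ipv6(ctx, &trace, &ext_err);
+ret = nodeport_snat_fwd_ipv6(ctx, &saddr, &trace, &ext_err);
 if (IS_ERR(ret))
 return send_drop_notify_error_ext(ctx, 0, ret, ext_err,
 CTX_ACT_DROP, METRIC_EGRESS);
 
-send_trace_notify(ctx, obs_point, 0, 0, 0, 0, trace.reason, trace.monitor);
+send_trace_notify6(ctx, obs_point, 0, 0, &saddr, 0, NATIVE_DEV_IFINDEX,
+trace.reason, trace.monitor);
 
 return ret;
 }
@@ -1525,6 +1528,7 @@ static __always_inline bool nodeport_uses_dsr4(const struct ipv4_ct_tuple *tuple
 
 static __always_inline int nodeport_snat_fwd_ipv4(struct __ctx_buff *ctx,
 __u32 cluster_id __maybe_unused,
+__be32 *saddr,
 struct trace_ctx *trace,
 __s8 *ext_err)
 {
@@ -1542,7 +1546,7 @@ static __always_inline int nodeport_snat_fwd_ipv4(struct __ctx_buff *ctx,
 
 snat_needed = snat_v4_prepare_state(ctx, &target);
 if (snat_needed) {
-ret = snat_v4_nat(ctx, &target, trace, ext_err);
+ret = snat_v4_nat(ctx, &target, saddr, trace, ext_err);
 
 /* If multiple netdevs process an outgoing packet, then this packets will
 * be handled multiple times by the "to-netdev" section. This can lead
@@ -2873,6 +2877,7 @@ int tail_handle_snat_fwd_ipv4(struct __ctx_buff *ctx)
 };
 __u32 cluster_id = ctx_load_meta(ctx, CB_CLUSTER_ID_EGRESS);
 enum trace_point obs_point;
+__be32 saddr = 0;
 int ret;
 __s8 ext_err = 0;
 
@@ -2884,12 +2889,13 @@ int tail_handle_snat_fwd_ipv4(struct __ctx_buff *ctx)
 obs_point = TRACE_TO_NETWORK;
 #endif
 
-ret = nodeport_snat_fwd_ipv4(ctx, cluster_id, &trace, &ext_err);
+ret = nodeport_snat_fwd_ipv4(ctx, cluster_id, &saddr, &trace, &ext_err);
 if (IS_ERR(ret))
 return send_drop_notify_error_ext(ctx, 0, ret, ext_err,
 CTX_ACT_DROP, METRIC_EGRESS);
 
-send_trace_notify(ctx, obs_point, 0, 0, 0, 0, trace.reason, trace.monitor);
+send_trace_notify4(ctx, obs_point, 0, 0, saddr, 0, NATIVE_DEV_IFINDEX,
+trace.reason, trace.monitor);
 
 return ret;
 }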
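Review bot: In `tail_handle_snat_fwd_ipv4()` the zero-initialised `saddr` is only filled when `nodeport_snat_fwd_ipv4()` takes the `if (snat_needed)` branch, so packets that skip SNAT reach `send_trace_notify4()` with an original address of 0, and nothing in the hunk says that this is the intended meaning. A short comment at the declaration would help whoever consumes these events, e.g. `__be32 saddr = 0; /* stays 0 when no SNAT was attempted; the trace then carries no original address */`. The IPv6 handler has the same pattern with `union v6addr saddr = {};` and deserves the same comment. The helper bodies continue outside the hunks, so whether any other path writes `saddr` cannot be confirmed from this page.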
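--- a/bpf/tests/bpf_nat_tests.c
+++ b/bpf/tests/bpf_nat_tests.c
@@ -563,6 +563,7 @@ int test_nat4_icmp_error_tcp_egress(__maybe_unused struct __ctx_buff *ctx)
 };
 struct ipv4_nat_entry state;
 struct trace_ctx trace;
+__be32 saddr = 0;
 
 ret = snat_v4_new_mapping(ctx, &tuple, &state, &target,
 false, NULL);
@@ -571,7 +572,7 @@ int test_nat4_icmp_error_tcp_egress(__maybe_unused struct __ctx_buff *ctx)
 /* This is the entry-point of the test, calling
 * snat_v4_nat().
 */
-ret = snat_v4_nat(ctx, &target, &trace, NULL);
+ret = snat_v4_nat(ctx, &target, &saddr, &trace, NULL);
 assert(ret == 0);
 
 __u16 proto;
@@ -673,6 +674,7 @@ int test_nat4_icmp_error_udp_egress(__maybe_unused struct __ctx_buff *ctx)
 };
 struct ipv4_nat_entry state;
 struct trace_ctx trace;
+__be32 saddr = 0;
 
 ret = snat_v4_new_mapping(ctx, &tuple, &state, &target,
 false, NULL);
@@ -681,7 +683,7 @@ int test_nat4_icmp_error_udp_egress(__maybe_unused struct __ctx_buff *ctx)
 /* This is the entry-point of the test, calling
 * snat_v4_nat().
 */
-ret = snat_v4_nat(ctx, &target, &trace, NULL);
+ret = snat_v4_nat(ctx, &target, &saddr, &trace, NULL);
 assert(ret == 0);
 
 __u16 proto;
@@ -782,6 +784,7 @@ int test_nat4_icmp_error_icmp_egress(__maybe_unused struct __ctx_buff *ctx)
 };
 struct ipv4_nat_entry state;
 struct trace_ctx trace;
+__be32 saddr = 0;
 
 ret = snat_v4_new_mapping(ctx, &tuple, &state, &target,
 false, NULL);
@@ -790,7 +793,7 @@ int test_nat4_icmp_error_icmp_egress(__maybe_unused struct __ctx_buff *ctx)
 /* This is the entry-point of the test, calling
 * snat_v4_nat().
 */
-ret = snat_v4_nat(ctx, &target, &trace, NULL);
+ret = snat_v4_nat(ctx, &target, &saddr, &trace, NULL);
 assert(ret == 0);
 
 __u16 proto;
@@ -880,6 +883,7 @@ int test_nat4_icmp_error_sctp_egress(__maybe_unused struct __ctx_buff *ctx)
 };
 struct ipv4_nat_entry state;
 struct trace_ctx trace;
+__be32 saddr = 0;
 
 ret = snat_v4_new_mapping(ctx, &tuple, &state, &target,
 false, NULL);
@@ -888,7 +892,7 @@ int test_nat4_icmp_error_sctp_egress(__maybe_unused struct __ctx_buff *ctx)
 /* This is the entry-point of the test, calling
 * snat_v4_nat().
 */
-ret = snat_v4_nat(ctx, &target, &trace, NULL);
+ret = snat_v4_nat(ctx, &target, &saddr, &trace, NULL);
 assert(ret == 0);
 
 __u16 proto;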
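Review bot: The four tests now pass `&saddr` to `snat_v4_nat()` but none of them checks the value written back, so the new out-parameter that feeds the trace event is not covered by any assertion. After each `assert(ret == 0);` I would add a check against the source address the test packet was built with, e.g. `assert(saddr == <expected pre-NAT source address>);`, with the value taken from the test's tuple setup, which lies outside these hunks. No test on this page exercises the `saddr` argument of `snat_v6_nat()`, so the IPv6 path may need an equivalent check elsewhere.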