[v1.14] re-introduce ICMPv6 NS responder on from-netdev #31186

[ upstream commit: 283b8b7 ] [ backporter's notes: minor conflicts in wireguard.h ] Under the hood this uses ctx_load_bytes(), which can fail. Return such an error to the caller. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>

[ upstream commit: ffbd7af ] Right now the helper takes a L3 offset, and assumes a packet without extension headers. Change it to a L4 offset, so that callers can pass this when available. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>

[ upstream commit: a28f0fc ] Replace open-coded variants of the helper. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>

[ upstream commit: 60c5e76 ] [ backporter's notes: adds tc_nodeport_l3_dev.o into NOCOVER_PATTERN to avoid verifier issue as v1.14 still has bpf coverage test. ] SKIP_ICMPV6_NS_HANDLING was there to pass bpf coverage test, which is gone by cilium#28090. In the meantime, removing SKIP_ICMPV6_NS_HANDLING from tc_nodeport_l3_dev.c prevents "potential missed tailcall" errors introduced by cilium#30467, as tail_icmp6_handle_ns() doesn't exist when SKIP_ICMPV6_NS_HANDLING is defined, but still gets tail-called by icmp6_handle_ns(). Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>

[ upstream commit: dc9dfd7 ] [ backporter's notes: in v1.14 icmp6_handle_ns() doesn't have ext_err parameter, so icmp6_host_handle() doesn't need to accept it either. ] This reverts commit 6580714, to fix the breakage of "IPv6 NS responder for pod" introduced by cilium#12086 (bpf: Reply NA when recv ND for local IPv6 endpoints). 6580714 was merged to solve cilium#14509. To not revive cilium#14509, this commit also passes through ICMPv6 NS if the target is native node IP (eth0's addr). By letting stack take care of those NS-for-node-IP packets, we managed to: 1. Solve cilium#14509 again, but in a way keeping NS responder. The cause of cilium#14509 was NS responder always generates ND whose source IP is "router_ip" (cilium_internal_ip) rather than "node_ip". Once we pass those NS-for-node-IP packets to stack, the ND response would naturally have "node_ip" as source. 2. Avoid the fib_lookup failure mentioned at cilium#30837 (comment). icmp6_host_handle() also has a new parameter `handle_ns` to control if we want NS responder to be active. If it is called from `to-netdev` code path, handle_ns is set to false. This is suggested by julianwiedmann. Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>

[ upstream commit: 8d4db89 ] [ backporter's notes: minor changes due to lack of cilium#30467 and cilium#27134 ] This commit adds bpf/tests/ipv6_ndp_from_netdev_test.c to cover two scenarios: 1. from_netdev receives IPv6 NS for a pod IP on the same host 2. from_netdev receives IPv6 NS for the node IP (eth0's addr) For case 1, from_netdev should return a NA on behalf of the target pod to avoid cilium#30926. for case 2, it must return the NS to stack to address cilium#14509. Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>

[ upstream commit: 475a194 ] [ backporter's notes: minor conflict due to v1.15 icmp6_host_handle() doesn't have ext_err parameter. ] The ICMPv6 handling in handle_ipv6() is only required for the HostFW or by from-netdev. Exclude it otherwise. This is a minor optimization for dc9dfd7 ("bpf: Re-introduce ICMPv6 NS responder on from-netdev"). Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[v1.14] re-introduce ICMPv6 NS responder on from-netdev #31186

[v1.14] re-introduce ICMPv6 NS responder on from-netdev #31186

Commits on Mar 7, 2024