backport: 1.4 backports 18-12-19

Documentation/cmdref/cilium-agent.md

@@ -37,9 +37,10 @@ cilium-agent
   -d, --device string                               Device facing cluster/external network for direct L3 (non-overlay mode) (default "undefined")
       --disable-conntrack                           Disable connection tracking
       --disable-endpoint-crd                        Disable use of CiliumEndpoint CRD
-      --disable-ipv4                                Disable IPv4 mode
       --disable-k8s-services                        Disable east-west K8s load balancing by cilium
   -e, --docker string                               Path to docker runtime socket (DEPRECATED: use container-runtime-endpoint instead) (default "unix:///var/run/docker.sock")
+      --enable-ipv4                                 Enable IPv4 support (default true)
+      --enable-ipv6                                 Enable IPv6 support (default true)
       --enable-policy string                        Enable policy enforcement (default "default")
       --enable-tracing                              Enable tracing while determining policy (debugging)
       --envoy-log string                            Path to a separate Envoy log file, if any
@@ -77,6 +78,7 @@ cilium-agent
       --logstash-probe-timer uint32                 Logstash probe timer (seconds) (default 10)
       --masquerade                                  Masquerade packets from endpoints leaving the host (default true)
       --monitor-aggregation string                  Level of monitor aggregation for traces from the datapath (default "None")
+      --monitor-queue-size int                      Size of the event queue when reading monitor events (default 32768)
       --mtu int                                     Overwrite auto-detected MTU of underlying network (default 1500)
       --nat46-range string                          IPv6 prefix to map IPv4 addresses to (default "0:0:0:0:0:FFFF::/96")
       --pprof                                       Enable serving the pprof debugging API

Documentation/concepts.rst

@@ -265,7 +265,7 @@ without causing any conflicts.
 
 The default behavior of Cilium is to assign both an IPv6 and IPv4 address to
 every endpoint. However, this behavior can be configured to only allocate an
-IPv6 address with the ``--disable-ipv4`` option. If both an IPv6 and IPv4
+IPv6 address with the ``--enable-ipv4=false`` option. If both an IPv6 and IPv4
 address are assigned, either address can be used to reach the endpoint. The
 same behavior will apply with regard to policy rules, load-balancing, etc. See
 :ref:`address_management` for more details.

Documentation/conf.py

@@ -37,8 +37,8 @@
     'sphinx.ext.extlinks',
     'sphinxcontrib.openapi',
     'sphinx_tabs.tabs',
-    'sphinxcontrib.spelling',
-    'versionwarning.extension' ]
+    'sphinxcontrib.spelling']
+#    'versionwarning.extension' ] <--- build is currently broken, see GH-6460
 
 # Add any paths that contain templates here, relative to this directory.
 templates_path = ['_templates']

Documentation/kubernetes/install/standard.rst

@@ -234,7 +234,9 @@ accordingly with your changes.
 * ``debug`` - Sets to run Cilium in full debug mode, it can be changed at
   runtime;
 
-* ``disable-ipv4`` - Disables IPv4 in Cilium and endpoints managed by Cilium;
+* ``enable-ipv4`` - Enable IPv4 addressing support
+
+* ``enable-ipv6`` - Enable IPv6 addressing support
 
 * ``clean-cilium-state`` - Removes any Cilium state, e.g. BPF policy maps,
   before starting the Cilium agent;
@@ -279,7 +281,7 @@ enabled.
 
       # If you want to run cilium in debug mode change this value to true
       debug: "false"
-      disable-ipv4: "false"
+      enable-ipv4: "true"
       # If you want to clean cilium state; change this value to true
       clean-cilium-state: "false"
       legacy-host-allows-world: "false"

bpf/Makefile

@@ -23,7 +23,11 @@ LB_OPTIONS = \
 	-DSKIP_DEBUG \
 	-DLB_L3 \
 	-DLB_L4 \
-	-DLB_L3 -DLB_L4
+	"-DLB_L3 -DLB_L4" \
+	"-DENABLE_IPV4 -DLB_L3 -DLB_L4" \
+	"-DENABLE_IPV6 -DLB_L3 -DLB_L4" \
+	"-DENABLE_IPV4 -DENABLE_IPV6 -DLB_L3 -DLB_L4"
+
 
 bpf_lb.ll: bpf_lb.c $(LIB)
 	$(QUIET) set -e; \
@@ -41,7 +45,11 @@ bpf_lb.o: bpf_lb.ll
 LXC_OPTIONS = \
 	 -DSKIP_DEBUG \
 	 -DHAVE_LPM_MAP_TYPE \
-	 -DHAVE_LRU_MAP_TYPE
+	 -DHAVE_LRU_MAP_TYPE \
+	 -DENABLE_IPV4 \
+	 -DENABLE_IPV6 \
+	 "-DENABLE_IPV6 -DENABLE_IPV4" \
+	 "-DENABLE_IPV4 -DENABLE_NAT46"
 
 bpf_lxc.ll: bpf_lxc.c $(LIB)
 	$(QUIET) set -e; \

bpf/bpf_lb.c

@@ -27,8 +27,6 @@
  *              then passed back to the stack.
  *
  * Configuration:
- *  - LB_DISABLE_IPV4 - Ignore IPv4 packets
- *  - LB_DISABLE_IPV6 - Ignore IPv6 packets
  *  - LB_REDIRECT     - Redirect to an ifindex
  *  - LB_L4           - Enable L4 matching and mapping
  */
@@ -54,7 +52,7 @@
 #include "lib/drop.h"
 #include "lib/lb.h"
 
-#ifndef LB_DISABLE_IPV6
+#ifdef ENABLE_IPV6
 static inline int handle_ipv6(struct __sk_buff *skb)
 {
 	void *data, *data_end;
@@ -113,9 +111,9 @@ static inline int handle_ipv6(struct __sk_buff *skb)
 
 	return TC_ACT_REDIRECT;
 }
-#endif
+#endif /* ENABLE_IPV6 */
 
-#ifndef LB_DISABLE_IPV4
+#ifdef ENABLE_IPV4
 static inline int handle_ipv4(struct __sk_buff *skb)
 {
 	void *data;
@@ -168,7 +166,7 @@ static inline int handle_ipv4(struct __sk_buff *skb)
 
 	return TC_ACT_REDIRECT;
 }
-#endif
+#endif /* ENABLE_IPV4 */
 
 __section("from-netdev")
 int from_netdev(struct __sk_buff *skb)
@@ -178,13 +176,13 @@ int from_netdev(struct __sk_buff *skb)
 	bpf_clear_cb(skb);
 
 	switch (skb->protocol) {
-#ifndef LB_DISABLE_IPV6
+#ifdef ENABLE_IPV6
 	case bpf_htons(ETH_P_IPV6):
 		ret = handle_ipv6(skb);
 		break;
 #endif
 
-#ifndef LB_DISABLE_IPV4
+#ifdef ENABLE_IPV4
 	case bpf_htons(ETH_P_IP):
 		ret = handle_ipv4(skb);
 		break;

bpf/bpf_lxc.c

@@ -56,6 +56,7 @@
 #define CT_MAP_TYPE BPF_MAP_TYPE_HASH
 #endif
 
+#ifdef ENABLE_IPV6
 struct bpf_elf_map __section_maps CT_MAP_TCP6 = {
 	.type		= CT_MAP_TYPE,
 	.size_key	= sizeof(struct ipv6_ct_tuple),
@@ -72,6 +73,17 @@ struct bpf_elf_map __section_maps CT_MAP_ANY6 = {
 	.max_elem	= CT_MAP_SIZE_ANY,
 };
 
+static inline struct bpf_elf_map *
+get_ct_map6(struct ipv6_ct_tuple *tuple)
+{
+	if (tuple->nexthdr == IPPROTO_TCP) {
+		return &CT_MAP_TCP6;
+	}
+	return &CT_MAP_ANY6;
+}
+#endif
+
+#ifdef ENABLE_IPV4
 struct bpf_elf_map __section_maps CT_MAP_TCP4 = {
 	.type		= CT_MAP_TYPE,
 	.size_key	= sizeof(struct ipv4_ct_tuple),
@@ -88,15 +100,6 @@ struct bpf_elf_map __section_maps CT_MAP_ANY4 = {
 	.max_elem	= CT_MAP_SIZE_ANY,
 };
 
-static inline struct bpf_elf_map *
-get_ct_map6(struct ipv6_ct_tuple *tuple)
-{
-	if (tuple->nexthdr == IPPROTO_TCP) {
-		return &CT_MAP_TCP6;
-	}
-	return &CT_MAP_ANY6;
-}
-
 static inline struct bpf_elf_map *
 get_ct_map4(struct ipv4_ct_tuple *tuple)
 {
@@ -105,12 +108,16 @@ get_ct_map4(struct ipv4_ct_tuple *tuple)
 	}
 	return &CT_MAP_ANY4;
 }
+#endif
 
+#if defined ENABLE_IPV4 || defined ENABLE_IPV6
 static inline bool redirect_to_proxy(int verdict, int dir)
 {
 	return verdict > 0 && (dir == CT_NEW || dir == CT_ESTABLISHED);
 }
+#endif
 
+#ifdef ENABLE_IPV6
 static inline int ipv6_l3_from_lxc(struct __sk_buff *skb,
 				   struct ipv6_ct_tuple *tuple, int l3_off,
 				   struct ipv6hdr *ip6, __u32 *dstID)
@@ -339,7 +346,7 @@ static inline int ipv6_l3_from_lxc(struct __sk_buff *skb,
 	}
 #endif
 
-#ifdef LXC_NAT46
+#ifdef ENABLE_NAT46
 	if (unlikely(ipv6_addr_is_mapped(daddr))) {
 		ep_tail_call(skb, CILIUM_CALL_NAT64);
 		return DROP_MISSED_TAIL_CALL;
@@ -423,9 +430,9 @@ __section_tail(CILIUM_MAP_CALLS, CILIUM_CALL_IPV6_FROM_LXC) int tail_handle_ipv6
 
 	return ret;
 }
+#endif /* ENABLE_IPV6 */
 
-#ifdef LXC_IPV4
-
+#ifdef ENABLE_IPV4
 static inline int handle_ipv4_from_lxc(struct __sk_buff *skb, __u32 *dstID)
 {
 	struct ipv4_ct_tuple tuple = {};
@@ -465,14 +472,13 @@ static inline int handle_ipv4_from_lxc(struct __sk_buff *skb, __u32 *dstID)
 	}
 
 	ct_state_new.orig_dport = key.dport;
-#ifdef ENABLE_IPV4
 	if ((svc = lb4_lookup_service(skb, &key)) != NULL) {
 		ret = lb4_local(get_ct_map4(&tuple), skb, l3_off, l4_off, &csum_off,
 				&key, &tuple, svc, &ct_state_new, ip4->saddr);
 		if (IS_ERR(ret))
 			return ret;
 	}
-#endif
+
 skip_service_lookup:
 	/* The verifier wants to see this assignment here in case the above goto
 	 * skip_service_lookup is hit. However, in the case the packet
@@ -684,8 +690,6 @@ __section_tail(CILIUM_MAP_CALLS, CILIUM_CALL_IPV4_FROM_LXC) int tail_handle_ipv4
 	return ret;
 }
 
-#endif
-
 /*
  * ARP responder for ARP requests from container
  * Respond to IPV4_GATEWAY with NODE_MAC
@@ -695,6 +699,7 @@ __section_tail(CILIUM_MAP_CALLS, CILIUM_CALL_ARP) int tail_handle_arp(struct __s
 	union macaddr mac = NODE_MAC;
 	return arp_respond(skb, &mac);
 }
+#endif /* ENABLE_IPV4 */
 
 __section("from-container")
 int handle_ingress(struct __sk_buff *skb)
@@ -707,11 +712,14 @@ int handle_ingress(struct __sk_buff *skb)
 			  TRACE_PAYLOAD_LEN);
 
 	switch (skb->protocol) {
+#ifdef ENABLE_IPV6
 	case bpf_htons(ETH_P_IPV6):
 		ep_tail_call(skb, CILIUM_CALL_IPV6_FROM_LXC);
 		ret = DROP_MISSED_TAIL_CALL;
 		break;
+#endif
 
+#ifdef ENABLE_IPV4
 	case bpf_htons(ETH_P_IP):
 		ep_tail_call(skb, CILIUM_CALL_IPV4_FROM_LXC);
 		ret = DROP_MISSED_TAIL_CALL;
@@ -721,6 +729,7 @@ int handle_ingress(struct __sk_buff *skb)
 		ep_tail_call(skb, CILIUM_CALL_ARP);
 		ret = DROP_MISSED_TAIL_CALL;
 		break;
+#endif
 
 	default:
 		ret = DROP_UNKNOWN_L3;
@@ -732,6 +741,7 @@ int handle_ingress(struct __sk_buff *skb)
 	return ret;
 }
 
+#ifdef ENABLE_IPV6
 static inline int __inline__
 ipv6_policy(struct __sk_buff *skb, int ifindex, __u32 src_label, int *forwarding_reason, struct ep_config *cfg)
 {
@@ -884,8 +894,9 @@ __section_tail(CILIUM_MAP_CALLS, CILIUM_CALL_IPV6_TO_LXC) int tail_ipv6_policy(s
 
 	return ret;
 }
+#endif /* ENABLE_IPV6 */
 
-#ifdef LXC_IPV4
+#ifdef ENABLE_IPV4
 static inline int __inline__
 ipv4_policy(struct __sk_buff *skb, int ifindex, __u32 src_label, int *forwarding_reason, struct ep_config *cfg)
 {
@@ -927,7 +938,7 @@ ipv4_policy(struct __sk_buff *skb, int ifindex, __u32 src_label, int *forwarding
 
 	*forwarding_reason = ret;
 
-#ifdef LXC_NAT46
+#ifdef ENABLE_NAT46
 	if (skb->cb[CB_NAT46_STATE] == NAT46) {
 		ep_tail_call(skb, CILIUM_CALL_NAT46);
 		return DROP_MISSED_TAIL_CALL;
@@ -1025,8 +1036,7 @@ __section_tail(CILIUM_MAP_CALLS, CILIUM_CALL_IPV4_TO_LXC) int tail_ipv4_policy(s
 
 	return ret;
 }
-
-#endif
+#endif /* ENABLE_IPV4 */
 
 /* Handle policy decisions as the packet makes its way towards the endpoint.
  * Previously, the packet may have come from another local endpoint, another
@@ -1041,17 +1051,19 @@ __section_tail(CILIUM_MAP_POLICY, LXC_ID) int handle_policy(struct __sk_buff *sk
 	__u32 src_label = skb->cb[CB_SRC_LABEL];
 
 	switch (skb->protocol) {
+#ifdef ENABLE_IPV6
 	case bpf_htons(ETH_P_IPV6):
 		ep_tail_call(skb, CILIUM_CALL_IPV6_TO_LXC);
 		ret = DROP_MISSED_TAIL_CALL;
 		break;
+#endif /* ENABLE_IPV6 */
 
-#ifdef LXC_IPV4
+#ifdef ENABLE_IPV4
 	case bpf_htons(ETH_P_IP):
 		ep_tail_call(skb, CILIUM_CALL_IPV4_TO_LXC);
 		ret = DROP_MISSED_TAIL_CALL;
 		break;
-#endif
+#endif /* ENABLE_IPV4 */
 
 	default:
 		ret = DROP_UNKNOWN_L3;
@@ -1065,7 +1077,7 @@ __section_tail(CILIUM_MAP_POLICY, LXC_ID) int handle_policy(struct __sk_buff *sk
 	return ret;
 }
 
-#ifdef LXC_NAT46
+#ifdef ENABLE_NAT46
 __section_tail(CILIUM_MAP_CALLS, CILIUM_CALL_NAT64) int tail_ipv6_to_ipv4(struct __sk_buff *skb)
 {
 	int ret = ipv6_to_ipv4(skb, 14, LXC_IPV4);