Add ebpf map cilium_egress_v4 for egress gateway

The map is of type lpm_trie, so that it supports range query for destination CIDR. A packet that matches an entry in the map will return an egress_info which contains the IP address of a gateway node and an egress IP address. Gateway node IP represents the next hop for this packet, while the egress IP represents the masqueraded source IP address when the packet leaves the gateway node. The commit contains a set of util subcommands for cilium, which provides CRUD operations to the ebpf map: ``` cilium bpf egress {list,update,lookup,delete} ``` Signed-off-by: Yongkun Gui <ygui@google.com>
pchaigno · Feb 5, 2021 · a9374b5 · a9374b5
1 parent 90c1aca
commit a9374b5
Show file tree

Hide file tree

Showing 23 changed files with 721 additions and 12 deletions.
diff --git a/Documentation/cmdref/cilium_bpf.md b/Documentation/cmdref/cilium_bpf.md
diff --git a/Documentation/cmdref/cilium_bpf_egress.md b/Documentation/cmdref/cilium_bpf_egress.md
diff --git a/Documentation/cmdref/cilium_bpf_egress_delete.md b/Documentation/cmdref/cilium_bpf_egress_delete.md
diff --git a/Documentation/cmdref/cilium_bpf_egress_get.md b/Documentation/cmdref/cilium_bpf_egress_get.md
diff --git a/Documentation/cmdref/cilium_bpf_egress_list.md b/Documentation/cmdref/cilium_bpf_egress_list.md
diff --git a/Documentation/cmdref/cilium_bpf_egress_update.md b/Documentation/cmdref/cilium_bpf_egress_update.md
diff --git a/Documentation/cmdref/cilium_bpf_ipcache_list.md b/Documentation/cmdref/cilium_bpf_ipcache_list.md
diff --git a/bpf/bpf_alignchecker.c b/bpf/bpf_alignchecker.c
@@ -83,6 +83,8 @@ int main(void)
 	DECLARE(struct, lb6_src_range_key, iter);
 	DECLARE(struct, edt_id, iter);
 	DECLARE(struct, edt_info, iter);
+	DECLARE(struct, egress_key, iter);
+	DECLARE(struct, egress_info, iter);
 
 	return 0;
 }
diff --git a/bpf/lib/common.h b/bpf/lib/common.h
@@ -210,6 +210,11 @@ struct endpoint_info {
 	__u32		pad[4];
 };
 
+struct egress_info {
+	__u32 egress_ip;
+	__u32 tunnel_endpoint;
+};
+
 struct edt_id {
 	__u64		id;
 };

diff --git a/bpf/lib/maps.h b/bpf/lib/maps.h
@@ -165,6 +165,23 @@ struct bpf_elf_map __section_maps ENCRYPT_MAP = {
 	.max_elem	= 1,
 };
 
+struct egress_key {
+	struct bpf_lpm_trie_key lpm_key;
+	__u32 sip;
+	__u32 dip;
+};
+
+#ifdef ENABLE_EGRESS_GATEWAY
+struct bpf_elf_map __section_maps EGRESS_MAP = {
+	.type		= LPM_MAP_TYPE,
+	.size_key	= sizeof(struct egress_key),
+	.size_value	= sizeof(struct egress_info),
+	.pinning	= PIN_GLOBAL_NS,
+	.max_elem	= EGRESS_MAP_SIZE,
+	.flags		= BPF_F_NO_PREALLOC,
+};
+#endif /* ENABLE_EGRESS_GATEWAY */
+
 #ifndef SKIP_CALLS_MAP
 static __always_inline void ep_tail_call(struct __ctx_buff *ctx,
 					 const __u32 index)

diff --git a/bpf/node_config.h b/bpf/node_config.h
@@ -111,6 +111,7 @@ DEFINE_IPV6(HOST_IP, 0xbe, 0xef, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0xa, 0x
 #define CILIUM_LB_MAP_MAX_ENTRIES	65536
 #define POLICY_MAP_SIZE 16384
 #define IPCACHE_MAP_SIZE 512000
+#define EGRESS_MAP_SIZE 16384
 #define POLICY_PROG_MAP_SIZE ENDPOINTS_MAP_SIZE
 #define IPV4_FRAG_DATAGRAMS_MAP test_cilium_ipv4_frag_datagrams
 #define CILIUM_IPV4_FRAG_MAP_MAX_ENTRIES 8192

diff --git a/cilium/cmd/bpf_egress.go b/cilium/cmd/bpf_egress.go
@@ -0,0 +1,29 @@
+// Copyright 2021 Authors of Cilium
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+)
+
+// bpfEgressCmd represents the bpf command
+var bpfEgressCmd = &cobra.Command{
+	Use:   "egress",
+	Short: "Manage the egress routing rules",
+}
+
+func init() {
+	bpfCmd.AddCommand(bpfEgressCmd)
+}
diff --git a/cilium/cmd/bpf_egress_delete.go b/cilium/cmd/bpf_egress_delete.go
@@ -0,0 +1,58 @@
+// Copyright 2021 Authors of Cilium
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cmd
+
+import (
+	"net"
+
+	"github.com/cilium/cilium/pkg/common"
+	"github.com/cilium/cilium/pkg/maps/egressmap"
+
+	"github.com/spf13/cobra"
+)
+
+const (
+	egressDeleteUsage = "Delete egress entries using source IP and destination CIDR.\n"
+)
+
+var bpfEgressDeleteCmd = &cobra.Command{
+	Args:  cobra.ExactArgs(2),
+	Use:   "delete",
+	Short: "Delete egress entries",
+	Long:  egressDeleteUsage,
+	Run: func(cmd *cobra.Command, args []string) {
+		common.RequireRootPrivilege("cilium bpf egress delete <src_ip> <dest_cidr>")
+
+		sip := net.ParseIP(args[0]).To4()
+		if sip == nil {
+			Fatalf("Unable to parse IP '%s'", args[0])
+		}
+
+		_, cidr, err := net.ParseCIDR(args[1])
+		if err != nil {
+			Fatalf("error parsing cidr %s: %s", args[1], err)
+		}
+
+		key := egressmap.NewKey(sip, cidr.IP, cidr.Mask)
+
+		if err := egressmap.EgressMap.Delete(&key); err != nil {
+			Fatalf("error deleting contents of map: %s\n", err)
+		}
+	},
+}
+
+func init() {
+	bpfEgressCmd.AddCommand(bpfEgressDeleteCmd)
+}
diff --git a/cilium/cmd/bpf_egress_get.go b/cilium/cmd/bpf_egress_get.go
@@ -0,0 +1,69 @@
+// Copyright 2021 Authors of Cilium
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cmd
+
+import (
+	"fmt"
+	"net"
+
+	"github.com/cilium/cilium/pkg/bpf"
+	"github.com/cilium/cilium/pkg/common"
+	"github.com/cilium/cilium/pkg/maps/egressmap"
+
+	"github.com/spf13/cobra"
+)
+
+const (
+	egressGetUsage = "Get egress entries using source and destination IPs.\n"
+)
+
+var bpfEgressGetCmd = &cobra.Command{
+	Args:    cobra.ExactArgs(2),
+	Use:     "get",
+	Short:   "Get egress entries",
+	Aliases: []string{"lookup"},
+	Long:    egressGetUsage,
+	Run: func(cmd *cobra.Command, args []string) {
+		common.RequireRootPrivilege("cilium bpf egress get <src_ip> <dest_ip>")
+
+		var (
+			ipv4Mask = net.IPv4Mask(255, 255, 255, 255)
+			err      error
+			value    bpf.MapValue
+		)
+
+		sip := net.ParseIP(args[0]).To4()
+		if sip == nil {
+			Fatalf("Unable to parse IP '%s'", args[0])
+		}
+
+		dip := net.ParseIP(args[1]).To4()
+		if dip == nil {
+			Fatalf("Unable to parse IP '%s'", args[1])
+		}
+
+		key := egressmap.NewKey(sip, dip, ipv4Mask)
+
+		if value, err = egressmap.EgressMap.Lookup(&key); err != nil {
+			Fatalf("error lookup contents of map: %s\n", err)
+		}
+
+		fmt.Println(value.String())
+	},
+}
+
+func init() {
+	bpfEgressCmd.AddCommand(bpfEgressGetCmd)
+}