Merge eb44d2f into 329502f
tomastigera committed Apr 23, 2024
2 parents 329502f + eb44d2f commit 099634b
Showing 7 changed files with 108 additions and 87 deletions.
1 change: 1 addition & 0 deletions felix/bpf/libbpf/libbpf.go
Expand Up @@ -418,6 +418,7 @@ func TcSetGlobals(
(*C.char)(unsafe.Pointer(&globalData.HostTunnelIPv6[0])),
C.uint(globalData.Flags),
C.ushort(globalData.WgPort),
C.ushort(globalData.Wg6Port),
C.uint(globalData.NatIn),
C.uint(globalData.NatOut),
C.uint(globalData.LogFilterJmp),
3 changes: 3 additions & 0 deletions felix/bpf/libbpf/libbpf_api.h
Expand Up @@ -152,6 +152,7 @@ void bpf_tc_set_globals(struct bpf_map *map,
char* host_tunnel_ip6,
uint flags,
ushort wg_port,
ushort wg6_port,
uint natin,
uint natout,
uint log_filter_jmp,
Expand Down Expand Up @@ -195,6 +196,8 @@ void bpf_tc_set_globals(struct bpf_map *map,
v6.jumps[i] = jumps6[i];
}

v6.wg_port = wg6_port;

data.v4 = v4;
data.v6 = v6;
set_errno(bpf_map__set_initial_value(map, (void*)(&data), sizeof(data)));
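Review bot: `v6.wg_port = wg6_port;` in the second hunk stands alone after the jumps loop, away from wherever the rest of `v6` is populated (outside this hunk), so a reader cannot tell whether it overrides a value copied from `v4` or fills a field nothing else sets; a one-line comment would settle that, e.g. `/* The IPv6 WireGuard device listens on its own port, independent of the IPv4 one. */`. The new `ushort wg6_port` parameter is placed directly after `wg_port`, and that positional match with the cgo call in felix/bpf/libbpf/libbpf.go is the only thing keeping the two sides in sync — a comment on the prototype saying the argument order must match `TcSetGlobals` would make the coupling visible. `bpf_tc_set_globals` begins and ends outside the hunk.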
1 change: 1 addition & 0 deletions felix/bpf/libbpf/libbpf_common.go
Expand Up @@ -26,6 +26,7 @@ type TcGlobalData struct {
HostTunnelIPv4 [16]byte
Flags uint32
WgPort uint16
Wg6Port uint16
NatIn uint32
NatOut uint32
LogFilterJmp uint32
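Review bot: The new `Wg6Port` field is undocumented, and nothing in `TcGlobalData` says how it relates to `WgPort` or what value it carries when IPv6 WireGuard is not in use; suggest `Wg6Port uint16 // UDP listening port of the IPv6 WireGuard device; passed to bpf_tc_set_globals.` The same applies to `Wg6Port` in `AttachPoint` (felix/bpf/tc/attach.go) and `wg6Port` in `bpfEndpointManager` (felix/dataplane/linux/bpf_ep_mgr.go), which are the hops that carry the value from config to this struct. The remaining fields of the struct are outside the hunk.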
2 changes: 2 additions & 0 deletions felix/bpf/tc/attach.go
Expand Up @@ -55,6 +55,7 @@ type AttachPoint struct {
TunnelMTU uint16
VXLANPort uint16
WgPort uint16
Wg6Port uint16
ExtToServiceConnmark uint32
PSNATStart uint16
PSNATEnd uint16
Expand Down Expand Up @@ -389,6 +390,7 @@ func (ap *AttachPoint) ConfigureProgram(m *libbpf.Map) error {
PSNatStart: ap.PSNATStart,
PSNatLen: ap.PSNATEnd,
WgPort: ap.WgPort,
Wg6Port: ap.Wg6Port,
NatIn: ap.NATin,
NatOut: ap.NATout,
LogFilterJmp: uint32(ap.LogFilterIdx),
3 changes: 3 additions & 0 deletions felix/dataplane/linux/bpf_ep_mgr.go
Expand Up @@ -279,6 +279,7 @@ type bpfEndpointManager struct {
vxlanMTU int
vxlanPort uint16
wgPort uint16
wg6Port uint16
dsrEnabled bool
dsrOptoutCidrs bool
bpfExtToServiceConnmark int
Expand Down Expand Up @@ -465,6 +466,7 @@ func newBPFEndpointManager(
vxlanMTU: config.VXLANMTU,
vxlanPort: uint16(config.VXLANPort),
wgPort: uint16(config.Wireguard.ListeningPort),
wg6Port: uint16(config.Wireguard.ListeningPortV6),
dsrEnabled: config.BPFNodePortDSREnabled,
dsrOptoutCidrs: len(config.BPFDSROptoutCIDRs) > 0,
bpfExtToServiceConnmark: config.BPFExtToServiceConnmark,
Expand Down Expand Up @@ -2657,6 +2659,7 @@ func (m *bpfEndpointManager) calculateTCAttachPoint(ifaceName string) *tc.Attach
ap.Type = endpointType
if ap.Type != tcdefs.EpTypeWorkload {
ap.WgPort = m.wgPort
ap.Wg6Port = m.wg6Port
ap.NATin = uint32(m.natInIdx)
ap.NATout = uint32(m.natOutIdx)
} else {
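Review bot: `wg6Port: uint16(config.Wireguard.ListeningPortV6)` in `newBPFEndpointManager` narrows the config value without a range check, so an out-of-range setting would be silently truncated before it reaches the BPF globals; this mirrors the existing `wgPort` line, so it is acceptable only if the config layer already bounds `ListeningPortV6` to 1–65535 — worth confirming rather than assuming. A related question is what `ListeningPortV6` holds when IPv6 WireGuard is disabled: if it still carries a default, the TC programs on non-workload interfaces (see `calculateTCAttachPoint`, where `ap.Wg6Port = m.wg6Port` is set next to `ap.WgPort`) are handed a port no local WireGuard device listens on, and any special treatment of that port in the datapath would then apply to unrelated traffic. Zeroing the field when the IPv6 device is disabled, or a comment explaining why a stale default is harmless, would close that gap. All three enclosing functions extend outside their hunks.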
2 changes: 1 addition & 1 deletion felix/dataplane/linux/int_dataplane.go
Expand Up @@ -1511,7 +1511,7 @@ func (d *InternalDataplane) setUpIptablesBPF() {
// only go to the host. Make sure that they are not forwarded.
fwdRules = append(fwdRules, rules.ICMPv6Filter(d.ruleRenderer.IptablesFilterDenyAction())...)
}
} else if (t.IPVersion == 6) == (d.config.BPFIpv6Enabled) /* XXX remove condition for dual stack */ {
} else {
// Let the BPF programs know if Linux conntrack knows about the flow.
fwdRules = append(fwdRules, bpfMarkPreestablishedFlowsRules()...)
// The packet may be about to go to a local workload. However, the local workload may not have a BPF
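Review bot: Replacing `} else if (t.IPVersion == 6) == (d.config.BPFIpv6Enabled) /* XXX remove condition for dual stack */ {` with a plain `else` does more than the XXX asked for: the old condition also skipped this branch for the IPv6 table when `BPFIpv6Enabled` was false, and the new code appends `bpfMarkPreestablishedFlowsRules()` and the rest of the BPF forward rules to that table regardless. If the IPv6 filter table is still rendered when BPF IPv6 is off, those rules would rely on marks that no attached IPv6 program sets; unless that combination is rejected elsewhere, a one-sided guard, `} else if t.IPVersion == 4 || d.config.BPFIpv6Enabled {`, gives dual stack the IPv4 rules without changing the IPv6-disabled case. `setUpIptablesBPF` continues outside the hunk on both sides.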
183 changes: 97 additions & 86 deletions felix/fv/wireguard_test.go
Expand Up @@ -104,11 +104,6 @@ var _ = infrastructure.DatastoreDescribe("_BPF-SAFE_ WireGuard-Supported", []api
Skip("Skipping Wireguard supported tests.")
}

// IPv6 Wireguard is not supported on BPF dataplane, so skip in this case
if wireguardEnabledV6 && os.Getenv("FELIX_FV_ENABLE_BPF") == "true" {
Skip("Skipping IPv6 Wireguard testing on BPF dataplane")
}

// Enable Wireguard module debugging.
utils.Run("sudo", "sh", "-c", "echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control")

Expand All @@ -123,8 +118,9 @@ var _ = infrastructure.DatastoreDescribe("_BPF-SAFE_ WireGuard-Supported", []api
log.Info("Started dmesg log capture")

infra = getInfra()
ipipEnabled := !BPFMode() || !wireguardEnabledV6
topologyOptions := wireguardTopologyOptions(
"CalicoIPAM", true, wireguardEnabledV4, wireguardEnabledV6,
"CalicoIPAM", ipipEnabled, wireguardEnabledV4, wireguardEnabledV6,
map[string]string{
"FELIX_DebugDisableLogDropping": "true",
"FELIX_DBG_WGBOOTSTRAP": "true",
Expand Down Expand Up @@ -197,12 +193,17 @@ var _ = infrastructure.DatastoreDescribe("_BPF-SAFE_ WireGuard-Supported", []api

if CurrentGinkgoTestDescription().Failed {
for _, felix := range topologyContainers.Felixes {
felix.Exec("ip", "link")
felix.Exec("ip", "addr")
felix.Exec("ip", "rule", "list")
felix.Exec("ip", "route", "show", "table", "all")
felix.Exec("ip", "route", "show", "cached")
felix.Exec("wg")
felix.Exec("wg", "show", "all", "private-key")
if BPFMode() {
felix.Exec("calico-bpf", "policy", "dump", "eth0", "all", "--asm")
felix.Exec("calico-bpf", "policy", "-6", "dump", "eth0", "all", "--asm")
}
}
}

Expand All @@ -229,33 +230,26 @@ var _ = infrastructure.DatastoreDescribe("_BPF-SAFE_ WireGuard-Supported", []api

Context("with Wireguard enabled", func() {
BeforeEach(func() {
for i, felix := range topologyContainers.Felixes {
// Check the Wireguard device exists.
if wireguardEnabledV4 {
Eventually(func() error {
out, err := felix.ExecOutput("ip", "link", "show", wireguardInterfaceNameDefault)
if err != nil {
return err
}
if strings.Contains(out, wireguardInterfaceNameDefault) {
return nil
}
return fmt.Errorf("felix %d has no IPv4 Wireguard device", i)
}, "10s", "100ms").ShouldNot(HaveOccurred())
}
if wireguardEnabledV6 {
Eventually(func() error {
out, err := felix.ExecOutput("ip", "link", "show", wireguardInterfaceNameV6Default)
if err != nil {
return err
// Check the Wireguard device exists.
Eventually(func() error {
for i, felix := range topologyContainers.Felixes {
out, err := felix.ExecOutput("ip", "link", "show")
if err != nil {
return err
}
if wireguardEnabledV4 {
if !strings.Contains(out, wireguardInterfaceNameDefault) {
return fmt.Errorf("felix %d has no IPv4 Wireguard device", i)
}
if strings.Contains(out, wireguardInterfaceNameV6Default) {
return nil
}
if wireguardEnabledV6 {
if !strings.Contains(out, wireguardInterfaceNameV6Default) {
return fmt.Errorf("felix %d has no IPv6 Wireguard device", i)
}
return fmt.Errorf("felix %d has no IPv6 Wireguard device", i)
}, "10s", "100ms").ShouldNot(HaveOccurred())
}
}
}
return nil
}, "30s", "330ms").ShouldNot(HaveOccurred())
})

It("should have called bootstrap", func() {
Expand Down Expand Up @@ -296,23 +290,34 @@ var _ = infrastructure.DatastoreDescribe("_BPF-SAFE_ WireGuard-Supported", []api
disableWireguard(client)

// Old configuration should disappear.
Eventually(func() error {
for i, felix := range topologyContainers.Felixes {
out, err := felix.ExecOutput("ip", "link", "-d", "show")
if err != nil {
return err
}
if wireguardEnabledV4 {
if !strings.Contains(out, wireguardInterfaceNameDefault) {
return fmt.Errorf("felix %d has no IPv4 Wireguard device", i)
}
}
if wireguardEnabledV6 {
if !strings.Contains(out, wireguardInterfaceNameV6Default) {
return fmt.Errorf("felix %d has no IPv6 Wireguard device", i)
}
}
}
return nil
}, "30s", "330ms").ShouldNot(HaveOccurred())
for _, felix := range topologyContainers.Felixes {
if wireguardEnabledV4 {
Eventually(func() string {
out, _ := felix.ExecOutput("ip", "-d", "link", "show", wireguardInterfaceNameDefault)
return out
}, "10s", "100ms").Should(BeEmpty())
Eventually(func() string {
out, err := felix.ExecOutput("ip", "rule", "show", "pref", wireguardRoutingRulePriorityDefault)
Expect(err).NotTo(HaveOccurred())
return out
}, "10s", "100ms").Should(BeEmpty())
}
if wireguardEnabledV6 {
Eventually(func() string {
out, _ := felix.ExecOutput("ip", "-d", "link", "show", wireguardInterfaceNameV6Default)
return out
}, "10s", "100ms").Should(BeEmpty())
Eventually(func() string {
out, err := felix.ExecOutput("ip", "-6", "rule", "show", "pref", wireguardRoutingRulePriorityDefault)
Expect(err).NotTo(HaveOccurred())
Expand Down Expand Up @@ -606,28 +611,26 @@ var _ = infrastructure.DatastoreDescribe("_BPF-SAFE_ WireGuard-Supported", []api

BeforeEach(func() {
// Tunnel readiness checks.
for i, felix := range topologyContainers.Felixes {
// Check the Wireguard device exists.
deviceNames := []string{}
if wireguardEnabledV4 {
deviceNames = append(deviceNames, wireguardInterfaceNameDefault)
}
if wireguardEnabledV6 {
deviceNames = append(deviceNames, wireguardInterfaceNameV6Default)
}
for _, device := range deviceNames {
Eventually(func() error {
out, err := felix.ExecOutput("ip", "link", "show", device)
if err != nil {
return err
// Check the Wireguard device exists.
Eventually(func() error {
for i, felix := range topologyContainers.Felixes {
out, err := felix.ExecOutput("ip", "link", "show")
if err != nil {
return err
}
if wireguardEnabledV4 {
if !strings.Contains(out, wireguardInterfaceNameDefault) {
return fmt.Errorf("felix %d has no IPv4 Wireguard device", i)
}
if strings.Contains(out, device) {
return nil
}
if wireguardEnabledV6 {
if !strings.Contains(out, wireguardInterfaceNameV6Default) {
return fmt.Errorf("felix %d has no IPv6 Wireguard device", i)
}
return fmt.Errorf("felix %d has no Wireguard device named %s", i, device)
}, "10s", "100ms").ShouldNot(HaveOccurred())
}
}
}
return nil
}, "30s", "330ms").ShouldNot(HaveOccurred())

for _, felix := range topologyContainers.Felixes {
// Check the rule exists.
Expand Down Expand Up @@ -949,20 +952,25 @@ var _ = infrastructure.DatastoreDescribe("_BPF-SAFE_ WireGuard-Supported", []api
disableWireguard(client)

// Check Wireguard device doesn't exist.
for _, felix := range topologyContainers.Felixes {
if wireguardEnabledV4 {
Eventually(func() string {
out, _ := felix.ExecOutput("ip", "link", "show", wireguardInterfaceNameDefault)
return out
}, "10s", "100ms").Should(BeEmpty())
}
if wireguardEnabledV6 {
Eventually(func() string {
out, _ := felix.ExecOutput("ip", "link", "show", wireguardInterfaceNameV6Default)
return out
}, "10s", "100ms").Should(BeEmpty())
Eventually(func() error {
for i, felix := range topologyContainers.Felixes {
out, err := felix.ExecOutput("ip", "link", "show")
if err != nil {
return err
}
if wireguardEnabledV4 {
if strings.Contains(out, wireguardInterfaceNameDefault) {
return fmt.Errorf("felix %d has no IPv4 Wireguard device", i)
}
}
if wireguardEnabledV6 {
if strings.Contains(out, wireguardInterfaceNameV6Default) {
return fmt.Errorf("felix %d has no IPv6 Wireguard device", i)
}
}
}
}
return nil
}, "30s", "330ms").ShouldNot(HaveOccurred())

// Check that Wireguard routing rule doesn't exist.
for _, felix := range topologyContainers.Felixes {
Expand Down Expand Up @@ -1062,16 +1070,12 @@ var _ = infrastructure.DatastoreDescribe("WireGuard-Unsupported", []apiconfig.Da
Skip("Skipping Wireguard unsupported tests.")
}

// IPv6 Wireguard is not supported on BPF dataplane, so skip in this case
if wireguardEnabledV6 && os.Getenv("FELIX_FV_ENABLE_BPF") == "true" {
Skip("Skipping IPv6 Wireguard testing on BPF dataplane")
}

// Setup a single node cluster.
const nodeCount = 1

infra = getInfra()
tc, _ = infrastructure.StartNNodeTopology(nodeCount, wireguardTopologyOptions("CalicoIPAM", true, wireguardEnabledV4, wireguardEnabledV6), infra)
ipipEnabled := !BPFMode() || !wireguardEnabledV6
tc, _ = infrastructure.StartNNodeTopology(nodeCount, wireguardTopologyOptions("CalicoIPAM", ipipEnabled, wireguardEnabledV4, wireguardEnabledV6), infra)

// Install a default profile that allows all ingress and egress, in the absence of any Policy.
infra.AddDefaultAllow()
Expand All @@ -1094,16 +1098,23 @@ var _ = infrastructure.DatastoreDescribe("WireGuard-Unsupported", []apiconfig.Da
})

It("no Wireguard device exists", func() {
Eventually(func() string {
out, err := tc.Felixes[0].ExecOutput("ip", "link", "show", wireguardInterfaceNameDefault)
Expect(err).To(HaveOccurred())
return out
}, "10s", "100ms").Should(BeEmpty())
Eventually(func() string {
out, err := tc.Felixes[0].ExecOutput("ip", "link", "show", wireguardInterfaceNameV6Default)
Expect(err).To(HaveOccurred())
return out
}, "10s", "100ms").Should(BeEmpty())
Eventually(func() error {
out, err := tc.Felixes[0].ExecOutput("ip", "link", "show")
if err != nil {
return err
}
if wireguardEnabledV4 {
if !strings.Contains(out, wireguardInterfaceNameDefault) {
return fmt.Errorf("felix 0 has no IPv4 Wireguard device")
}
}
if wireguardEnabledV6 {
if !strings.Contains(out, wireguardInterfaceNameV6Default) {
return fmt.Errorf("felix 0 has no IPv6 Wireguard device")
}
}
return nil
}, "30s", "330ms").ShouldNot(HaveOccurred())
})

It("no wg tool info exists", func() {
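Review bot: In the `// Check Wireguard device doesn't exist.` block the error text is inverted: the condition `if strings.Contains(out, wireguardInterfaceNameDefault)` fires when the device is still present, yet it reports `"felix %d has no IPv4 Wireguard device"` (likewise for IPv6); it should read `return fmt.Errorf("felix %d still has IPv4 Wireguard device", i)`. Two other new blocks look wrong in logic rather than wording, unless I am misreading which side of the diff they sit on: the `Eventually` after `// Old configuration should disappear.` and the one inside `It("no Wireguard device exists", ...)` both return an error when the device is absent (`!strings.Contains`) and then `ShouldNot(HaveOccurred())`, which makes them assert that the device exists — the opposite of what the comment and the test name say, and of the per-device `Should(BeEmpty())` checks they replace. For those two the `!` should go and the message should use the "still has" wording. With five near-identical `ip link show` polling loops now in this file, a small helper taking a `present bool` would make the intended polarity explicit at each call site and avoid this copy-paste class of mistake.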
