Allow IPv6 packets to v4 programs if v6 programs are not loaded (#8556)

* Allow IPv6 packets to v4 programs if v6 programs are not loaded
projectcalico · Feb 27, 2024 · 222bb27 · 222bb27
1 parent dc5c0cc
commit 222bb27
Show file tree

Hide file tree

Showing 8 changed files with 195 additions and 136 deletions.
diff --git a/felix/bpf-gpl/globals.h b/felix/bpf-gpl/globals.h
@@ -44,8 +44,6 @@ struct cali_tc_preamble_globals {
 };
 
 enum cali_globals_flags {
-	/* CALI_GLOBALS_IPV6_ENABLED is set when IPv6 is enabled by Felix */
-	CALI_GLOBALS_IPV6_ENABLED		= 0x00000001,
 	CALI_GLOBALS_RESERVED1			= 0x00000002,
 	CALI_GLOBALS_RESERVED2			= 0x00000004,
 	CALI_GLOBALS_RESERVED3			= 0x00000008,

diff --git a/felix/bpf-gpl/parsing4.h b/felix/bpf-gpl/parsing4.h
@@ -35,14 +35,9 @@ static CALI_BPF_INLINE int parse_packet_ip_v4(struct cali_tc_ctx *ctx)
 		CALI_DEBUG("ARP: allowing packet\n");
 		goto allow_no_fib;
 	case ETH_P_IPV6:
-		// If IPv6 is supported and enabled, handle the packet
-		if (GLOBAL_FLAGS & CALI_GLOBALS_IPV6_ENABLED) {
-			CALI_DEBUG("IPv6 packet, continue with parsing it.\n");
-			goto ipv6_packet;
-		}
-		// otherwise, drop if the packet is from workload
+		// Drop if the packet is to/from workload
 		if (CALI_F_WEP) {
-			CALI_DEBUG("IPv6 from workload: drop\n");
+			CALI_DEBUG("IPv6 to/from workload: drop\n");
 			goto deny;
 		} else { // or allow, it the packet is on host interface
 			CALI_DEBUG("IPv6 on host interface: allow\n");
@@ -80,10 +75,6 @@ static CALI_BPF_INLINE int parse_packet_ip_v4(struct cali_tc_ctx *ctx)
 
 	return PARSING_OK;
 
-ipv6_packet:
-	// Parse IPv6 header, and perform necessary checks here
-	return PARSING_OK_V6;
-
 allow_no_fib:
 	return PARSING_ALLOW_WITHOUT_ENFORCING_POLICY;
 

diff --git a/felix/bpf-gpl/tc_preamble.c b/felix/bpf-gpl/tc_preamble.c
@@ -32,7 +32,7 @@ int  cali_tc_preamble(struct __sk_buff *skb)
 
 	__u16 protocol = bpf_ntohs(skb->protocol);
 	/* Set the globals for the rest of the prog chain. */
-	if (protocol == ETH_P_IPV6) {
+	if (protocol == ETH_P_IPV6 && (__globals.v6.jumps[PROG_INDEX_MAIN] != (__u32)-1)) {
 		globals->data = __globals.v6;
 	} else {
 		globals->data = __globals.v4;

diff --git a/felix/bpf/libbpf/libbpf.go b/felix/bpf/libbpf/libbpf.go
@@ -377,7 +377,6 @@ func (o *Obj) AttachCGroup(cgroup, progName string) (*Link, error) {
 
 const (
 	// Set when IPv6 is enabled to configure bpf dataplane accordingly
-	GlobalsIPv6Enabled      uint32 = C.CALI_GLOBALS_IPV6_ENABLED
 	GlobalsRPFOptionEnabled uint32 = C.CALI_GLOBALS_RPF_OPTION_ENABLED
 	GlobalsRPFOptionStrict  uint32 = C.CALI_GLOBALS_RPF_OPTION_STRICT
 	GlobalsNoDSRCidrs       uint32 = C.CALI_GLOBALS_NO_DSR_CIDRS

diff --git a/felix/bpf/tc/attach.go b/felix/bpf/tc/attach.go
@@ -58,7 +58,6 @@ type AttachPoint struct {
 	ExtToServiceConnmark uint32
 	PSNATStart           uint16
 	PSNATEnd             uint16
-	IPv6Enabled          bool
 	RPFEnforceOption     uint8
 	NATin                uint32
 	NATout               uint32
@@ -405,10 +404,6 @@ func (ap *AttachPoint) ConfigureProgram(m *libbpf.Map) error {
 		globalData.VxlanPort = 4789
 	}
 
-	if ap.IPv6Enabled {
-		globalData.Flags |= libbpf.GlobalsIPv6Enabled
-	}
-
 	if ap.DSROptoutCIDRs {
 		globalData.Flags |= libbpf.GlobalsNoDSRCidrs
 	}

diff --git a/felix/bpf/ut/bpf_prog_test.go b/felix/bpf/ut/bpf_prog_test.go
@@ -735,7 +735,7 @@ func objLoad(fname, bpfFsDir, ipFamily string, topts testOpts, polProg, hasHostC
 					VxlanPort:    testVxlanPort,
 					PSNatStart:   uint16(topts.psnaStart),
 					PSNatLen:     uint16(topts.psnatEnd-topts.psnaStart) + 1,
-					Flags:        libbpf.GlobalsIPv6Enabled | libbpf.GlobalsNoDSRCidrs,
+					Flags:        libbpf.GlobalsNoDSRCidrs,
 					LogFilterJmp: 0xffffffff,
 				}
 
@@ -760,7 +760,7 @@ func objLoad(fname, bpfFsDir, ipFamily string, topts testOpts, polProg, hasHostC
 					VxlanPort:    testVxlanPort,
 					PSNatStart:   uint16(topts.psnaStart),
 					PSNatLen:     uint16(topts.psnatEnd-topts.psnaStart) + 1,
-					Flags:        libbpf.GlobalsIPv6Enabled | libbpf.GlobalsNoDSRCidrs,
+					Flags:        libbpf.GlobalsNoDSRCidrs,
 					LogFilterJmp: 0xffffffff,
 				}
 
@@ -873,7 +873,7 @@ func objUTLoad(fname, bpfFsDir, ipFamily string, topts testOpts, polProg, hasHos
 					VxlanPort:  testVxlanPort,
 					PSNatStart: uint16(topts.psnaStart),
 					PSNatLen:   uint16(topts.psnatEnd-topts.psnaStart) + 1,
-					Flags:      libbpf.GlobalsIPv6Enabled | libbpf.GlobalsNoDSRCidrs,
+					Flags:      libbpf.GlobalsNoDSRCidrs,
 				}
 
 				copy(globals.HostTunnelIPv6[:], node1tunIPV6.To16())
@@ -889,7 +889,7 @@ func objUTLoad(fname, bpfFsDir, ipFamily string, topts testOpts, polProg, hasHos
 					VxlanPort:  testVxlanPort,
 					PSNatStart: uint16(topts.psnaStart),
 					PSNatLen:   uint16(topts.psnatEnd-topts.psnaStart) + 1,
-					Flags:      libbpf.GlobalsIPv6Enabled | libbpf.GlobalsNoDSRCidrs,
+					Flags:      libbpf.GlobalsNoDSRCidrs,
 				}
 				copy(globals.HostTunnelIPv4[0:4], node1tunIP.To4())
 				copy(globals.HostIPv4[0:4], hostIP.To4())

diff --git a/felix/dataplane/linux/bpf_ep_mgr.go b/felix/dataplane/linux/bpf_ep_mgr.go
@@ -2642,7 +2642,6 @@ func (d *bpfEndpointManagerDataplane) configureTCAttachPoint(policyDirection Pol
 	}
 
 	ap.ToOrFrom = toOrFrom
-	ap.IPv6Enabled = (d.ipFamily == proto.IPVersion_IPV6)
 	return ap
 }