Fix tracking packets that host forwards to devices not managed by cal…

…ico when BPF enabled
projectcalico · May 5, 2023 · 49120fc · 49120fc
1 parent 1b3ecf5
commit 49120fc
Show file tree

Hide file tree

Showing 104 changed files with 3,872 additions and 1,946 deletions.
diff --git a/api/pkg/apis/projectcalico/v3/felixconfig.go b/api/pkg/apis/projectcalico/v3/felixconfig.go
@@ -442,9 +442,12 @@ type FelixConfigurationSpec struct {
 	// BPFPolicyDebugEnabled when true, Felix records detailed information
 	// about the BPF policy programs, which can be examined with the calico-bpf command-line tool.
 	BPFPolicyDebugEnabled *bool `json:"bpfPolicyDebugEnabled,omitempty"`
-	// BPFForceTrackPacketsFromIfaces forces BPF to track packets from a list of specified interfaces.
-	// Essentially this excludes the specified list of interfaces from being NOTRACKed in IP Tables.
-	BPFForceTrackPacketsFromIfaces *[]string `json:"bpfForceTrackPacketsFromIfaces,omitempty"`
+	// BPFForceTrackPacketsFromIfaces in BPF mode, forces traffic from these interfaces
+	// to skip Calico's iptables NOTRACK rule, allowing traffic from those interfaces to be
+	// tracked by Linux conntrack.  Should only be used for interfaces that are not used for
+	// the Calico fabric.  For example, a docker bridge device for non-Calico-networked
+	// containers. [Default: docker+]
+	BPFForceTrackPacketsFromIfaces *[]string `json:"bpfForceTrackPacketsFromIfaces,omitempty" validate:"omitempty,ifaceFilterSlice"`
 
 	// RouteSource configures where Felix gets its routing information.
 	// - WorkloadIPs: use workload endpoints to construct routes.

diff --git a/api/pkg/apis/projectcalico/v3/zz_generated.deepcopy.go b/api/pkg/apis/projectcalico/v3/zz_generated.deepcopy.go
diff --git a/api/pkg/openapi/openapi_generated.go b/api/pkg/openapi/openapi_generated.go
diff --git a/calicoctl/calicoctl/commands/crds/crds.go b/calicoctl/calicoctl/commands/crds/crds.go
diff --git a/cni-plugin/Makefile b/cni-plugin/Makefile
@@ -28,7 +28,7 @@ WINFV_SRCFILES=$(shell find win_tests -name '*.go')
 CURL=curl -C - -sSf
 
 # Use forked CNI plugin URL and corresponding tagged artifacts.
-CNI_VERSION=v1.1.1-calico+go-1.20.3
+CNI_VERSION=v1.1.1-calico+go-1.20.4
 CNI_ARTIFACTS_URL=https://github.com/projectcalico/containernetworking-plugins/releases/download
 FLANNEL_VERSION=v1.1.2
 

diff --git a/felix/Makefile b/felix/Makefile
@@ -194,6 +194,7 @@ protobuf proto/felixbackend.pb.go: proto/felixbackend.proto
 
 # We pre-build lots of different variants of the TC programs, defer to the script.
 BPF_GPL_O_FILES:=$(addprefix bpf-gpl/,$(shell bpf-gpl/list-objs))
+BPF_GPL_O_FILES+=bpf-gpl/bin/tc_preamble.o bpf-gpl/bin/xdp_preamble.o bpf-gpl/bin/policy_default.o
 
 # There's a one-to-one mapping from UT C files to objects and the same for the apache programs..
 BPF_GPL_UT_O_FILES:=$(BPF_GPL_UT_C_FILES:.c=.o) $(addprefix bpf-gpl/,$(shell bpf-gpl/list-ut-objs))
@@ -532,6 +533,18 @@ ut-bpf: $(LIBBPF_A) bin/bpf_ut.test bin/bpf.test build-bpf
 		cd /go/src/$(PACKAGE_NAME)/bpf/ut && \
 		../../bin/bpf_ut.test -test.v -test.run "$(FOCUS)"'
 
+.PHONY: bench-bpf
+bench-bpf: $(LIBBPF_A) bin/bpf_ut.test bin/bpf.test build-bpf
+	$(DOCKER_RUN) \
+		--privileged \
+		-e RUN_AS_ROOT=true \
+		-v `pwd`:/code \
+		-v `pwd`/bpf-gpl/bin:/usr/lib/calico/bpf \
+		$(CALICO_BUILD) sh -c ' \
+		mount bpffs /sys/fs/bpf -t bpf && \
+		cd /go/src/$(PACKAGE_NAME)/bpf/ut && \
+		../../bin/bpf_ut.test -test.v -test.bench="$(FOCUS)" -test.run "$(FOCUS)"'
+
 ## Launch a browser with Go coverage stats for the whole project.
 .PHONY: cover-browser
 cover-browser: combined.coverprofile

diff --git a/felix/bpf-gpl/Makefile b/felix/bpf-gpl/Makefile
@@ -50,7 +50,10 @@ UT_C_FILES:=$(shell find ut -name '*.c')
 UT_OBJS:=$(UT_C_FILES:.c=.o) $(shell ./list-ut-objs)
 
 OBJS:=$(shell ./list-objs)
-C_FILES:=tc.c tc6.c connect_balancer.c connect_balancer_v6.c xdp.c
+OBJS+=bin/tc_preamble.o
+OBJS+=bin/xdp_preamble.o
+OBJS+=bin/policy_default.o
+C_FILES:=tc_preamble.c tc.c tc6.c connect_balancer.c connect_balancer_v6.c xdp_preamble.c xdp.c policy_default.c
 
 all: $(OBJS)
 ut-objs: $(UT_OBJS)
@@ -72,6 +75,15 @@ UT_CFLAGS=\
 ut/%.ll: ut/%.c ut/ut.h tc.c tc.d
 	$(CC) $(UT_CFLAGS) $(CFLAGS) -c $< -o $@
 
+tc_preamble.ll: tc_preamble.c tc_preamble.d
+	$(CC) $(CFLAGS) -c $< -o $@
+
+xdp_preamble.ll: xdp_preamble.c xdp_preamble.d
+	$(CC) $(CFLAGS) -DCALI_COMPILE_FLAGS=64 -c $< -o $@
+
+policy_default.ll: policy_default.c policy_default.d
+	$(CC) $(CFLAGS) -c $< -o $@
+
 # Production and UT versions of the main binaries.
 # Combining the targets into one rule causes make to fail to rebuild the .ll files.  Not sure why.
 to%.ll: tc.c tc.d calculate-flags
@@ -92,6 +104,12 @@ test_xdp%.ll: xdp.c xdp.d calculate-flags
 	$(COMPILE)
 
 LINK=$(LD) -march=bpf -filetype=obj -o $@ $<
+bin/tc_preamble.o: tc_preamble.ll | bin
+	$(LINK)
+bin/xdp_preamble.o: xdp_preamble.ll | bin
+	$(LINK)
+bin/policy_default.o: policy_default.ll | bin
+	$(LINK)
 bin/to%.o: to%.ll | bin
 	$(LINK)
 bin/from%.o: from%.ll | bin

diff --git a/felix/bpf-gpl/bpf.h b/felix/bpf-gpl/bpf.h
@@ -250,7 +250,7 @@ extern const volatile struct cali_xdp_globals __globals;
 #elif (!CALI_F_CGROUP) || defined(UNITTEST)
 
 extern const volatile struct cali_tc_globals __globals;
-#define CALI_CONFIGURABLE(name)  __globals.name
+#define CALI_CONFIGURABLE(name) ctx->globals->name
 
 #else
 

diff --git a/felix/bpf-gpl/calculate-flags b/felix/bpf-gpl/calculate-flags
@@ -57,41 +57,34 @@ flags=0
 if [[ "${filename}" =~ .*hep.* ]]; then
   # Host endpoint.
   ((flags |= CALI_TC_HOST_EP))
-  args+=("-DCALI_NO_DEFAULT_POLICY_PROG")
   ep_type="host"
 elif [[ "${filename}" =~ .*tnl.* ]]; then
   # Tunnel.
   ((flags |= CALI_TC_TUNNEL | CALI_TC_HOST_EP))
-  args+=("-DCALI_DEBUG_ALLOW_ALL")
   ep_type="tunnel"
 elif [[ "${filename}" =~ .*l3.* ]]; then
   # Any l3 device.
   ((flags |= CALI_TC_L3_DEV | CALI_TC_HOST_EP))
-  args+=("-DCALI_DEBUG_ALLOW_ALL")
   ep_type="l3dev"
 elif [[ "${filename}" =~ .*connect.* ]]; then
   # Connect-time load balancer (CGROUP attached).
   ((flags |= CALI_CGROUP))
-  args+=("-DCALI_DEBUG_ALLOW_ALL")
 elif [[ "${filename}" =~ .*wep.* ]]; then
   # Workload endpoint; recognised by CALI_TC_HOST_EP bit being 0.
   ep_type="workload"
 elif [[ "${filename}" =~ .*xdp.* ]]; then
   # XDP, so host endpoint.
   ((flags |= CALI_TC_HOST_EP))
   ((flags |= CALI_XDP_PROG))
-  args+=("-DCALI_NO_DEFAULT_POLICY_PROG")
   ep_type="host"
 elif [[ "${filename}" =~ .*nat.* ]]; then
   ((flags |= CALI_TC_HOST_EP))
   ((flags |= CALI_TC_NAT_IF))
-  args+=("-DCALI_NO_DEFAULT_POLICY_PROG")
   ep_type="nat"
 elif [[ "${filename}" =~ .*lo.* ]]; then
   # loopback, so host endpoint.
   ((flags |= CALI_TC_HOST_EP))
   ((flags |= CALI_TC_LO))
-  args+=("-DCALI_NO_DEFAULT_POLICY_PROG")
   ep_type="lo"
 else
   echo "Can't recognise endpoint type"
@@ -117,7 +110,6 @@ if [[ "${filename}" =~ _dsr.* ]]; then
 fi
 
 args+=("-DCALI_COMPILE_FLAGS=${flags}")
-args+=("-DCALI_ENTRYPOINT_NAME=calico_${from_or_to}_${ep_type}_ep")
 
 echo "Flags: ${args[*]}" 1>&2
 echo "${args[*]}"