Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
bpf: Fix broken remote-node identity classification
When Cilium resolves a src ID from ipcache with a remote node IP, the resolved ID is ignored and returns the world ID. This is because the resolve_srcid_ipv[4,6] function checks if the resolved src ID is a reserved ID, which includes the remote node ID, and if it's true, then returns the world ID. This PR fixes this problem by removing the !identity_is_reserved check.

This issue occurs if BPF host routing is in use because Cilium stores the src ID resolved by resolve_srcid_ipv[4,6] in ipv[4,6]_local_delivery and enforces the policy using the stored src ID. Meanwhile, Cilium uses the src ID resolved in bpf_lxc tail_ipv4_to_endpoint if the legacy routing mode is enabled. There's no corresponding !identity_is_reserved check on the bpf_lxc side. Therefore it works with the legacy routing mode.

According to cilium#4874 and cilium#6703, this check was added when those introduced the fallback to use the ipcache data if the packet info does not contain any useful information. As far as I looked into those PRs, there's no solid reason to keep the !identity_is_reserved check, because resolve_srcid_ipv[4,6] works as follows without the check, which is the same as the bpf_lxc tail_ipv4_to_endpoint side:

1. The packet info, ctx->mark, contains the identity, then return it.
2. The packet info does not contain any useful information, then resolve it from ipcache and return it.
3. The identity is not resolved from both the packet info and ipcache, then return the world ID.

Fixes: cilium#18042
Signed-off-by: Yusuke Suzuki <yusuke-suzuki@cybozu.co.jp>
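A simplified model of the three-step resolution order the commit message describes, added here as an illustration and not taken from Cilium's bpf code. The identity values, the ipcache table and the function names are constructed; `drop_reserved` stands in for the removed `!identity_is_reserved` check so the pre-fix and post-fix behaviour can be compared side by side.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed identity values for this model; not Cilium's real constants. */
#define ID_UNKNOWN      0u
#define ID_WORLD        2u
#define ID_REMOTE_NODE  6u
#define RESERVED_MAX    255u   /* identities at or below this count as "reserved" here */

/* Tiny stand-in for the ipcache: maps a source IPv4 address to an identity. */
struct ipcache_entry { uint32_t addr; uint32_t identity; };
static const struct ipcache_entry ipcache[] = {
    { 0x0A000001u, ID_REMOTE_NODE }, /* 10.0.0.1: a remote cluster node (constructed) */
    { 0x0A000002u, 4242u },          /* 10.0.0.2: an ordinary pod identity (constructed) */
};

static uint32_t ipcache_lookup(uint32_t addr) {
    for (size_t i = 0; i < sizeof ipcache / sizeof ipcache[0]; i++)
        if (ipcache[i].addr == addr) return ipcache[i].identity;
    return ID_UNKNOWN;
}

static int identity_is_reserved(uint32_t id) { return id <= RESERVED_MAX; }

/* Resolution order from the commit message: packet mark, then ipcache, then WORLD.
 * drop_reserved mirrors the check the commit removes: when set, a reserved identity
 * learned from ipcache is thrown away and the packet falls through to WORLD. */
static uint32_t resolve_srcid(uint32_t mark_identity, uint32_t src_addr, int drop_reserved) {
    if (mark_identity != ID_UNKNOWN)
        return mark_identity;                        /* 1. mark carries the identity */
    uint32_t id = ipcache_lookup(src_addr);          /* 2. fall back to ipcache */
    if (id != ID_UNKNOWN && !(drop_reserved && identity_is_reserved(id)))
        return id;
    return ID_WORLD;                                 /* 3. nothing usable: WORLD */
}

/* Before the fix the remote node collapses to WORLD; after it, REMOTE_NODE survives,
 * so policy written against the remote-node identity is actually enforced. */
static uint32_t resolve_before_fix(uint32_t mark, uint32_t addr) { return resolve_srcid(mark, addr, 1); }
static uint32_t resolve_after_fix(uint32_t mark, uint32_t addr)  { return resolve_srcid(mark, addr, 0); }

int main(void) {
    printf("remote node before fix: %u\n", resolve_before_fix(0, 0x0A000001u));
    printf("remote node after fix:  %u\n", resolve_after_fix(0, 0x0A000001u));
    return 0;
}
```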