[v1.14] bpf: nodeport: add RevDNAT-based FIB lookup for reply traffic #27381
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
maintainer-s-little-helper
bot
added
backport/1.14
julianwiedmann
changed the title
|
/test-backport-1.14 |
2 tasks
|
Any chances to have this merged soon in 14.x ? |
julianwiedmann
force-pushed
the
v1.14-nodeport-rednat-fib
branch
from
b2569fc
to
b3481bc
Compare
|
/test-backport-1.14 |
youngnick
approved these changes
Sep 5, 2023
[ upstream commit a0f3085 ] In a following patch, we need easy access to the RevDNAT info for replies by a local backend (from the LB*_REVERSE_NAT_MAP) and by a DSR backend (from the SNAT_MAPPING_IPV* map). For this we slightly rework the existing ct_has_nodeport_egress_entry*() helpers, so that they return the rev_nat_index for non-DSR entries. Then add a nodeport_rev_dnat_get_info_ipv*() helper that wraps the map lookups for both cases, and returns the info as lb*_reverse_nat struct. No functional change intended, the new helpers are not used yet. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
[ upstream commit 9efa9b9 ] Align with lb6_rev_nat() and just pass in the needed parameters from the ct_state struct. This enables a subsequent patch that wants to call __lb4_rev_nat() without a ct_state struct. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
[ upstream commit 719be68 ] The RevDNAT path currently uses __lb*_rev_nat() for rewriting replies by local backends, and snat_v*_rewrite_egress() for rewriting DSR replies. Both end up doing pretty much the same thing (we currently don't need the ICMP support in the snat_* version), so switch the DSR path to also use __lb*_rev_nat(). For this we employ the new nodeport_rev_dnat_get_info_*() helpers that convert the DSR SNAT entry to lb*_reverse_nat struct. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
[ upstream commit e909425 ] Now that we have access to the SNAT info which was used to rewrite the inner packet, we no longer need to peek into the L3 header to obtain the new source IP. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
[ upstream commit 3cfe559 ] [ backporter's notes: the tests needed adjustments, v1.14 doesn't have the helpers from cilium#27134 ] When replies by local / DSR backends enter to-netdev, they have been routed to the interface using the backend IP as source IP. But depending on what routing rules are installed on the system, the routing for the RevDNATed packet is different. Improve the RevDNAT code in to-netdev to first perform a FIB lookup (based on the src IP from the RevDNAT info), and if needed redirect the packet to the correct egress interface. This requires that bpf_host is also attached to the chosen egress iface, so that the actual RevDNAT rewrite gets performed there. Also update some of the tests to cover this scenario. [Note: ideally we would have this check much earlier in to-netdev, before even going through the HostFW code. But that requires shrinking the program size first, so postponing that to a follow-on PR] Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
julianwiedmann
force-pushed
the
v1.14-nodeport-rednat-fib
branch
from
b3481bc
to
68909c3
Compare
|
/test-backport-1.14 |
|
(rebase to pick up the CI renames) |
maintainer-s-little-helper
bot
added
the
ready-to-merge
1 task
This was referenced Sep 14, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Manual backport due to smaller conflicts / missing test infrastructure of
Once this PR is merged, you can update the PR labels via:
or with