Commit 8544737
committed
bpf: Workaround for netkit + L7 policy redirect failure
The previous commit changed our local delivery logic to only enforce policies
at the source if we also do a bpf_redirect_peer. If we're not doing a
bpf_redirect_peer to send the packet to its destination pod (and
endpoint routes are enabled), then there's no need to enforce policies
at the source: the packet will already go through ingress policy
enforcement at the bpf_lxc program.
This change however breaks L7 policy enforcement in case of netkit
devices. In case of L7 policies, we need to redirect packets from the
bpf_lxc ingress program to bpf_host@cilium_net to prepare for a redirect
to the userspace proxy. That redirection to cilium_net fails and the
packet is dropped.
The following pwru trace shows this happening, with the source bpf_lxc
program marked as 'x' and the destination bpf_lxc program marked as '*'.
NETNS MARK/x IFACE FUNC
x 4026535635 0 ~c8d066b3393b5:7 skb_ensure_writable
x 4026535635 0 ~c8d066b3393b5:7 skb_ensure_writable
x 4026535635 0 ~c8d066b3393b5:7 skb_ensure_writable
x 4026535635 0 ~c8d066b3393b5:7 skb_ensure_writable
x 4026535635 0 ~c8d066b3393b5:7 skb_ensure_writable
x 4026535635 1a670f00 ~c8d066b3393b5:7 skb_do_redirect
4026535635 1a670f00 ~c8d066b3393b5:7 __bpf_redirect
4026535635 1a670f00 ~c504d1e733445:9 __dev_queue_xmit
4026535635 1a670f00 ~c504d1e733445:9 qdisc_pkt_len_init
4026535635 1a670f00 ~c504d1e733445:9 netdev_core_pick_tx
4026535635 1a670f00 ~c504d1e733445:9 validate_xmit_skb
4026535635 1a670f00 ~c504d1e733445:9 netif_skb_features
4026535635 1a670f00 ~c504d1e733445:9 passthru_features_check
4026535635 1a670f00 ~c504d1e733445:9 skb_network_protocol
4026535635 1a670f00 ~c504d1e733445:9 skb_csum_hwoffload_help
4026535635 1a670f00 ~c504d1e733445:9 validate_xmit_xfrm
4026535635 1a670f00 ~c504d1e733445:9 dev_hard_start_xmit
4026535635 1a670f00 ~c504d1e733445:9 netkit_xmit
4026535635 1a670f00 ~c504d1e733445:9 skb_scrub_packet
* 4026536207 0 eth0:8 skb_ensure_writable
* 4026536207 0 eth0:8 skb_ensure_writable
* 4026536207 0 eth0:8 skb_ensure_writable
* 4026536207 0 eth0:8 skb_ensure_writable
* 4026536207 1330200 eth0:8 skb_do_redirect
4026536207 1330200 eth0:8 sk_skb_reason_drop(SKB_DROP_REASON_NOT_SPECIFIED)
Because we're using netkit devices, our source bpf_lxc program performs
a normal bpf_redirect to the destination lxc interface. We see the
packet navigate from the source lxc device (~c8d066b3393b5:7) to the
destination one (~c504d1e733445:9). It then traverses to the peer device
in the pod netns (cf. call to netkit_xmit) [1], after which point the
destination bpf_lxc program is executed [2].
We can see the last skb_do_redirect call is for the proxy preparation
because the packet carries the MARK_MAGIC_TO_PROXY mark (0x200). That
redirect fails because we're in the pod netns and the destination
ifindex cannot be found [3].
Preventing this will require a fix upstream to perform the netkit netns
switch after we run the BPF program. In the meantime, we need a
workaround for netkit + L7 policies. This commit simply reverts the
change from the previous commit for the specific case of netkit devices.
1 - https://elixir.bootlin.com/linux/v6.13.4/source/drivers/net/netkit.c#L99
2 - https://elixir.bootlin.com/linux/v6.13.4/source/drivers/net/netkit.c#L102
3 - https://elixir.bootlin.com/linux/v6.13.4/source/net/core/filter.c#L2489
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
1 parent 94fe32e
commit 8544737
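As an added example (not code from the Cilium commit, from Cilium, or from pwru), the script below parses a pwru trace in the column layout used above (NETNS MARK/x IFACE FUNC) and flags the pattern the commit message describes: a skb_do_redirect that is immediately followed by a drop in the same netns, i.e. a bpf_redirect() that returned an error, plus the netns crossing that netkit_xmit performs before the destination program runs. The mark layout (magic bits under a 0x0F00 mask, 0x0200 meaning "to proxy") is assumed from Cilium's datapath headers, the redirect-then-drop heuristic is this script's own, and the embedded trace is a trimmed copy of the excerpt in the commit message.

```python
import re
from dataclasses import dataclass

# Assumed Cilium mark layout (bpf/lib/common.h): the magic value lives in
# bits 8..11 of skb->mark; 0x0200 marks a packet bound for the L7 proxy.
MARK_MAGIC_HOST_MASK = 0x0F00
MARK_MAGIC_TO_PROXY = 0x0200

# Constructed input: a trimmed copy of the pwru excerpt from the commit
# message, in its "NETNS MARK/x IFACE FUNC" layout. The optional leading
# 'x' / '*' markers used in the commit message are tolerated and ignored.
SAMPLE_TRACE = """\
x 4026535635 0 ~c8d066b3393b5:7 skb_ensure_writable
x 4026535635 1a670f00 ~c8d066b3393b5:7 skb_do_redirect
4026535635 1a670f00 ~c8d066b3393b5:7 __bpf_redirect
4026535635 1a670f00 ~c504d1e733445:9 __dev_queue_xmit
4026535635 1a670f00 ~c504d1e733445:9 dev_hard_start_xmit
4026535635 1a670f00 ~c504d1e733445:9 netkit_xmit
4026535635 1a670f00 ~c504d1e733445:9 skb_scrub_packet
* 4026536207 0 eth0:8 skb_ensure_writable
* 4026536207 1330200 eth0:8 skb_do_redirect
4026536207 1330200 eth0:8 sk_skb_reason_drop(SKB_DROP_REASON_NOT_SPECIFIED)
"""

LINE_RE = re.compile(r"^(?:[x*]\s+)?(\d+)\s+([0-9a-fA-F]+)\s+(\S+)\s+(\S+)$")
DROP_RE = re.compile(r"^(?:sk_skb_reason_drop|kfree_skb_reason)\((\w+)\)$")


@dataclass(frozen=True)
class Event:
    netns: int
    mark: int
    iface: str
    func: str


def parse_trace(text: str) -> list[Event]:
    """Parse pwru lines; the header and unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(int(m[1]), int(m[2], 16), m[3], m[4]))
    return events


def mark_is_to_proxy(mark: int) -> bool:
    """True when the mark's magic bits carry MARK_MAGIC_TO_PROXY."""
    return (mark & MARK_MAGIC_HOST_MASK) == MARK_MAGIC_TO_PROXY


def find_failed_redirects(events: list[Event]) -> list[dict]:
    """A skb_do_redirect whose very next event is a drop in the same netns
    is treated as a bpf_redirect() that failed (e.g. unknown ifindex)."""
    found = []
    for cur, nxt in zip(events, events[1:]):
        if cur.func != "skb_do_redirect" or cur.netns != nxt.netns:
            continue
        d = DROP_RE.match(nxt.func)
        if d:
            found.append({
                "netns": cur.netns,
                "iface": cur.iface,
                "mark": cur.mark,
                "to_proxy": mark_is_to_proxy(cur.mark),
                "drop_reason": d[1],
            })
    return found


def find_netns_switches(events: list[Event]) -> list[tuple[int, int, bool]]:
    """(from_netns, to_netns, via_netkit): each netns crossing, and whether
    netkit_xmit ran in the source netns before the crossing."""
    switches = []
    run_funcs: list[str] = []
    for prev, cur in zip(events, events[1:]):
        run_funcs.append(prev.func)
        if cur.netns != prev.netns:
            switches.append((prev.netns, cur.netns, "netkit_xmit" in run_funcs))
            run_funcs = []
    return switches


if __name__ == "__main__":
    evs = parse_trace(SAMPLE_TRACE)
    for src, dst, via_netkit in find_netns_switches(evs):
        print(f"netns {src} -> {dst} (netkit_xmit seen before crossing: {via_netkit})")
    for f in find_failed_redirects(evs):
        kind = "proxy-preparation" if f["to_proxy"] else "other"
        print(f"failed {kind} redirect in netns {f['netns']} on {f['iface']}: "
              f"mark=0x{f['mark']:x} reason={f['drop_reason']}")
```

Run against the embedded trace it reports one netns crossing (after netkit_xmit) and one failed redirect in the pod netns whose mark carries the to-proxy magic, which is exactly the symptom the commit works around; on a trace from a working path the second list is empty. Feed it `pwru --output-tuple`-style output with the same four columns, or adjust LINE_RE if your pwru version prints additional columns.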
6 files changed
Lines changed: 33 additions & 5 deletions
File tree
- bpf/lib
- pkg/datapath
- config
- loader
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
8 | 8 | | |
9 | 9 | | |
10 | 10 | | |
| 11 | + | |
| 12 | + | |
11 | 13 | | |
12 | 14 | | |
13 | 15 | | |
| |||
146 | 148 | | |
147 | 149 | | |
148 | 150 | | |
149 | | - | |
| 151 | + | |
| 152 | + | |
| 153 | + | |
| 154 | + | |
| 155 | + | |
| 156 | + | |
150 | 157 | | |
151 | 158 | | |
152 | 159 | | |
| |||
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
29 | 29 | | |
30 | 30 | | |
31 | 31 | | |
| 32 | + | |
32 | 33 | | |
33 | 34 | | |
34 | 35 | | |
| |||
266 | 267 | | |
267 | 268 | | |
268 | 269 | | |
| 270 | + | |
| 271 | + | |
269 | 272 | | |
270 | 273 | | |
271 | 274 | | |
| |||
417 | 420 | | |
418 | 421 | | |
419 | 422 | | |
| 423 | + | |
| 424 | + | |
420 | 425 | | |
421 | 426 | | |
422 | 427 | | |
| |||
501 | 506 | | |
502 | 507 | | |
503 | 508 | | |
| 509 | + | |
| 510 | + | |
504 | 511 | | |
505 | 512 | | |
506 | 513 | | |
| |||
679 | 686 | | |
680 | 687 | | |
681 | 688 | | |
| 689 | + | |
| 690 | + | |
682 | 691 | | |
683 | 692 | | |
684 | 693 | | |
| |||
797 | 806 | | |
798 | 807 | | |
799 | 808 | | |
| 809 | + | |
| 810 | + | |
800 | 811 | | |
801 | 812 | | |
802 | 813 | | |
| |||
852 | 863 | | |
853 | 864 | | |
854 | 865 | | |
| 866 | + | |
| 867 | + | |
855 | 868 | | |
856 | 869 | | |
857 | 870 | | |
| |||