datapath: template network namespace cookie.

pravk03 · pravk03 · commit ffd7e89506a6 · 2024-07-10T23:26:51.000Z
Since the bpf helper function bpf_get_netns_cookie() is not exposed to the
TC BPF programs, we would need to use ELF substitutions to make the network
namespace cookie of an endpoint available to the BPF program attached.
In a subsequent patch, we would use this in TC BPF program to detect LRP loopback.
diff --git a/bpf/ep_config.h b/bpf/ep_config.h
@@ -37,6 +37,9 @@ DEFINE_U32(POLICY_VERDICT_LOG_FILTER, 0xffff);
 DEFINE_U32(THIS_INTERFACE_IFINDEX, 0);
 #define THIS_INTERFACE_IFINDEX fetch_u32(THIS_INTERFACE_IFINDEX)
 
+DEFINE_U64(ENDPOINT_NETNS_COOKIE, 0);
+#define ENDPOINT_NETNS_COOKIE fetch_u64(ENDPOINT_NETNS_COOKIE)
+
 #define HOST_EP_ID 0x1092
 
 #define POLICY_MAP test_cilium_policy_65535
diff --git a/bpf/lib/static_data.h b/bpf/lib/static_data.h
@@ -78,6 +78,7 @@
 /* Deprecated, use CONFIG instead. */
 #define fetch_u16(x) CONFIG(x)
 #define fetch_u32(x) CONFIG(x)
+#define fetch_u64(x) CONFIG(x)
 #define fetch_ipv6(x) CONFIG(x ## _1), CONFIG(x ## _2)
 #define fetch_mac(x) { { CONFIG(x ## _1), (__u16)CONFIG(x ## _2) } }
 
@@ -88,6 +89,9 @@
 #define DEFINE_U32(name, value) \
 	DECLARE_CONFIG(__u32, name, "Constant " #name " declared using DEFINE_U32") \
 	ASSIGN_CONFIG(__u32, name, value)
+#define DEFINE_U64(name, value) \
+	DECLARE_CONFIG(__u64, name, "Constant " #name " declared using DEFINE_U64") \
+	ASSIGN_CONFIG(__u64, name, value)
 
 /* DEFINE_IPV6 and DEFINE_MAC are used to assign values to global constants from
  * C headers generated at runtime before the datapath is compiled. This data
diff --git a/pkg/datapath/linux/config/config.go b/pkg/datapath/linux/config/config.go
@@ -1023,6 +1023,7 @@ func (h *HeaderfileWriter) writeStaticData(devices []string, fw io.Writer, e dat
 
 	fmt.Fprint(fw, defineMAC("THIS_INTERFACE_MAC", e.GetNodeMAC()))
 	fmt.Fprint(fw, defineUint32("THIS_INTERFACE_IFINDEX", uint32(e.GetIfIndex())))
+	fmt.Fprint(fw, defineUint64("ENDPOINT_NETNS_COOKIE", uint64(e.GetEndpointNetnsCookieLocked())))
 
 	secID := e.GetIdentityLocked().Uint32()
 	fmt.Fprint(fw, defineUint32("SECLABEL", secID))
diff --git a/pkg/datapath/linux/config/utils.go b/pkg/datapath/linux/config/utils.go
@@ -30,6 +30,12 @@ func defineUint32(name string, value uint32) string {
 		name, value, value, name, name)
 }
 
+// defineUint64 writes the C definition for an unsigned 64-bit value.
+func defineUint64(name string, value uint64) string {
+	return fmt.Sprintf("DEFINE_U64(%s, %#016x);\t/* %d */\n#define %s fetch_u64(%s)\n",
+		name, value, value, name, name)
+}
+
 // defineIPv4 writes the C definition for the given IPv4 address.
 func defineIPv4(name string, addr []byte) string {
 	if len(addr) != net.IPv4len {
diff --git a/pkg/datapath/loader/template.go b/pkg/datapath/loader/template.go
@@ -28,6 +28,7 @@ const (
 	templateLxcID               = uint16(65535)
 	templatePolicyVerdictFilter = uint32(0xffff)
 	templateIfIndex             = math.MaxUint32
+	templateEndpointNetNsCookie = uint64(0)
 )
 
 var (
@@ -101,6 +102,18 @@ func (t *templateCfg) GetIdentityLocked() identity.NumericIdentity {
 	return templateSecurityID
 }
 
+// GetEndpointNetnsCookie returns a invalid (zero) network namespace cookie.
+func (t *templateCfg) GetEndpointNetnsCookie() uint64 {
+	return templateEndpointNetNsCookie
+}
+
+// GetEndpointNetnsCookieLocked is identical to GetEndpointNetnsCookie(). This is a temporary
+// function until WriteEndpointConfig() no longer assumes that the endpoint is
+// locked.
+func (t *templateCfg) GetEndpointNetnsCookieLocked() uint64 {
+	return templateEndpointNetNsCookie
+}
+
 // GetNodeMAC returns a well-known dummy MAC address which may be later
 // substituted in the ELF.
 func (t *templateCfg) GetNodeMAC() mac.MAC {
@@ -262,6 +275,8 @@ func ELFVariableSubstitutions(ep datapath.Endpoint) map[string]uint64 {
 		result["IPV6_MASQUERADE_2"] = 0
 	}
 
+	result["ENDPOINT_NETNS_COOKIE"] = ep.GetEndpointNetnsCookie()
+
 	identity := ep.GetIdentity().Uint32()
 	result["SECLABEL"] = uint64(identity)
 	result["SECLABEL_IPV4"] = uint64(identity)
diff --git a/pkg/datapath/types/config.go b/pkg/datapath/types/config.go
@@ -49,6 +49,8 @@ type LoadTimeConfiguration interface {
 	IPv6Address() netip.Addr
 	GetNodeMAC() mac.MAC
 	GetIfIndex() int
+	GetEndpointNetnsCookie() uint64
+	GetEndpointNetnsCookieLocked() uint64
 }
 
 // CompileTimeConfiguration provides datapath implementations a clean interface
diff --git a/pkg/endpoint/cache.go b/pkg/endpoint/cache.go
@@ -42,6 +42,7 @@ type epInfoCache struct {
 	options                *option.IntOptions
 	lxcMAC                 mac.MAC
 	ifIndex                int
+	netNsCookie            uint64
 
 	// endpoint is used to get the endpoint's logger.
 	//
@@ -73,6 +74,7 @@ func (e *Endpoint) createEpInfoCache(epdir string) *epInfoCache {
 		options:                e.Options.DeepCopy(),
 		lxcMAC:                 e.mac,
 		ifIndex:                e.ifIndex,
+		netNsCookie:            e.NetNsCookie,
 
 		endpoint: e,
 	}
@@ -113,6 +115,16 @@ func (ep *epInfoCache) GetIdentityLocked() identity.NumericIdentity {
 	return ep.identity
 }
 
+// GetEndpointNetnsCookie returns the network namespace cookie for the endpoint
+func (ep *epInfoCache) GetEndpointNetnsCookie() uint64 {
+	return ep.netNsCookie
+}
+
+// GetEndpointNetnsCookieLocked returns the network namespace cookie for the endpoint
+func (ep *epInfoCache) GetEndpointNetnsCookieLocked() uint64 {
+	return ep.netNsCookie
+}
+
 // Logger returns the logger for the endpoint that is being cached.
 func (ep *epInfoCache) Logger(subsystem string) *logrus.Entry {
 	return ep.endpoint.Logger(subsystem)
diff --git a/pkg/endpoint/identifiers.go b/pkg/endpoint/identifiers.go
@@ -168,3 +168,8 @@ func (e *Endpoint) GetEndpointNetnsCookie() uint64 {
 	defer e.runlock()
 	return e.NetNsCookie
 }
+
+// GetEndpointNetnsCookieLocked is identical to GetEndpointNetnsCookie(). This is needed because WriteEndpointConfig() assumes that the endpoint is locked.
+func (e *Endpoint) GetEndpointNetnsCookieLocked() uint64 {
+	return e.NetNsCookie
+}
diff --git a/pkg/testutils/endpoint.go b/pkg/testutils/endpoint.go
@@ -20,25 +20,27 @@ var (
 )
 
 type TestEndpoint struct {
-	Id       uint64
-	Identity *identity.Identity
-	Opts     *option.IntOptions
-	MAC      mac.MAC
-	IfIndex  int
-	IPv6     netip.Addr
-	isHost   bool
-	State    string
+	Id          uint64
+	Identity    *identity.Identity
+	Opts        *option.IntOptions
+	MAC         mac.MAC
+	IfIndex     int
+	IPv6        netip.Addr
+	isHost      bool
+	State       string
+	NetNsCookie uint64
 }
 
 func NewTestEndpoint() TestEndpoint {
 	opts := option.NewIntOptions(&option.OptionLibrary{})
 	opts.SetBool("TEST_OPTION", true)
 	return TestEndpoint{
-		Id:       42,
-		Identity: defaultIdentity,
-		MAC:      mac.MAC([]byte{0x02, 0x00, 0x60, 0x0D, 0xF0, 0x0D}),
-		IfIndex:  0,
-		Opts:     opts,
+		Id:          42,
+		Identity:    defaultIdentity,
+		MAC:         mac.MAC([]byte{0x02, 0x00, 0x60, 0x0D, 0xF0, 0x0D}),
+		IfIndex:     0,
+		Opts:        opts,
+		NetNsCookie: 0,
 	}
 }
 
@@ -66,6 +68,8 @@ func (e *TestEndpoint) GetID() uint64                               { return e.I
 func (e *TestEndpoint) StringID() string                            { return "42" }
 func (e *TestEndpoint) GetIdentity() identity.NumericIdentity       { return e.Identity.ID }
 func (e *TestEndpoint) GetIdentityLocked() identity.NumericIdentity { return e.Identity.ID }
+func (e *TestEndpoint) GetEndpointNetnsCookie() uint64              { return e.NetNsCookie }
+func (e *TestEndpoint) GetEndpointNetnsCookieLocked() uint64        { return e.NetNsCookie }
 func (e *TestEndpoint) GetSecurityIdentity() *identity.Identity     { return e.Identity }
 func (e *TestEndpoint) GetNodeMAC() mac.MAC                         { return e.MAC }
 func (e *TestEndpoint) GetIfIndex() int                             { return e.IfIndex }

Original file line number	Diff line number	Diff line change
`@@ -49,6 +49,8 @@ type LoadTimeConfiguration interface {`
`49`	`49`	`IPv6Address() netip.Addr`
`50`	`50`	`GetNodeMAC() mac.MAC`
`51`	`51`	`GetIfIndex() int`
	`52`	`+ GetEndpointNetnsCookie() uint64`
	`53`	`+ GetEndpointNetnsCookieLocked() uint64`
`52`	`54`	`}`
`53`	`55`
`54`	`56`	`// CompileTimeConfiguration provides datapath implementations a clean interface`
Original file line number	Diff line number	Diff line change
`@@ -168,3 +168,8 @@ func (e *Endpoint) GetEndpointNetnsCookie() uint64 {`
`168`	`168`	`defer e.runlock()`
`169`	`169`	`return e.NetNsCookie`
`170`	`170`	`}`
	`171`	`+`
	`172`	`+// GetEndpointNetnsCookieLocked is identical to GetEndpointNetnsCookie(). This is needed because WriteEndpointConfig() assumes that the endpoint is locked.`
	`173`	`+func (e *Endpoint) GetEndpointNetnsCookieLocked() uint64 {`
	`174`	`+ return e.NetNsCookie`
	`175`	`+}`