KPR: support RevDNAT for ICMP error messages

[julianwiedmann]

Background
In the LB frontend path, we intentionally ignore ICMP traffic (as services can only be defined for TCP/UDP/SCTP).

But we currently also ignore ICMP traffic in the RevDNAT code path for replies by service backends (eg. the local backend path). This prevents ICMP error messages by the backend from being RevDNATed, and thus from reaching the client with the expected Source IP / Port.

This affects all backend types:

• DSR (where the outbound NAT path would need to look at the ICMP packet's payload, and derive the DSR-SNAT entry from it)
• remote backend (where the LB's inbound RevNAT path would need to look at the ICMP packet's payload, do a CT lookup and obtain the RevNAT-Index from it),
• local backend (same as remote backend)

One special case for "local backend" is that the ICMP packet is currently handled via tail-call from bpf_lxc - and the missing RevDNAT action is unexpected, and thus the packet is dropped.

Proposal
Implement ICMP support in the RevDNAT path for service replies.

[julianwiedmann]

Note that once we have finished #24062, the "local backend" handling actually moves into the current DSR path. And so that path would need to handle RevDNAT driven from either CT entry or SNAT entry.

[julianwiedmann]

One special case for "local backend" is that the ICMP packet is currently handled via tail-call from bpf_lxc - and the missing RevDNAT action is unexpected, and thus the packet is dropped.

This is "addressed" by #32155 for now. Meaning that we no longer attempt to RevDNAT such ICMP replies, but just let them flow through untouched.

[yushoyamaguchi]

May I work on this issue?

[yushoyamaguchi]

type of ICMP error and the packet content:
https://datatracker.ietf.org/doc/html/rfc792
NAT and ICMP:
https://datatracker.ietf.org/doc/html/rfc5508

[ysksuzuki]

Discussion Notes with @yushoyamaguchi, APAC Developer Meeting

Design Overview

• Currently, in the RevDNAT code path, lb4_extract_tuple returns DROP_UNSUPP_SERVICE_PROTO for ICMP errors, so RevDNAT is skipped.
• The proposed approach is to extract the original protocol, source port, and destination port from the inner IP header of the ICMP error, reconstruct the tuple, and process it via the normal RevDNAT path.
• Existing code for parsing ICMP inner headers can be used as a reference.
• For N/S traffic, support may be needed for DSR and SNAT (both remote and local backends), as well as for E/W traffic with per-packet LB, but it seems the same handling can be applied to all of them.

Implementation Plan

• Start with IPv4 support to verify feasibility
• Add a BPF unit test for a scenario where an ICMP error is returned as a reply to service traffic. reference
• Submit a draft PR once the IPv4 implementation is ready.

Open Questions

• For per-packet load balancing, which path handles RevDNAT for replies from service backends? -> To be confirmed (Yamaguchi)
• The IPv6 NAT path might run into verifier complexity issues.

[yushoyamaguchi]

@julianwiedmann
cc @ysksuzuki

In this case, should we rewrite destination IP-address and port of inner header in ICMP error packet payload , which consist of original packet?
I think we should rewrite source IP-address of ICMP error packet (outer) header, but I couldn't judge how about inner header.

[pchaigno]

If I'm reading RFC5508 correctly (REQ 5 in section 4.2.2), we should translate the inner packet as well.

[yushoyamaguchi]

@pchaigno

I found it and I understood it the same way as you did.
https://datatracker.ietf.org/doc/html/rfc5508#section-4.2.2

Thank you.