bpf: Fix program size issue with host firewall in IPv4-only mode#14232
Merged
Conversation
291fece to
8795edc
Compare
kkourt
approved these changes
Dec 1, 2020
| #include <node_config.h> | ||
| #include <ep_config.h> | ||
|
|
||
| #define IS_BPF_HOST 1 |
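Review bot: the literal `1` in `#define IS_BPF_HOST 1` is load-bearing and deserves a one-line comment next to the define. The discussion below shows why: the value is consumed through `is_defined()`, which only reports true when the macro expands to exactly `1`, so a bare `#define IS_BPF_HOST` still satisfies `#if defined(IS_BPF_HOST)` but silently turns the `is_defined(IS_BPF_HOST)` split condition off, which is exactly what happened when the nit was applied without a retest. Something like `/* must be 1: checked via is_defined() */` would keep the next cleanup from repeating that.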
Contributor
nit: maybe just use #define IS_BPF_HOST here since the check is #if defined(IS_BPF_HOST)
Member
Author
That change seemed so obvious I didn't retest the patch after it. Bad idea.
Turns out the 1 is needed here because of how we define is_defined. I'll send a fix.
Contributor
Sorry about that!
It might make sense to replace #if defined(IS_BPF_HOST) with #if IS_BPF_HOST == 1 at some point.
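The exchange above hinges on `is_defined()` distinguishing "defined as 1" from "defined as nothing", while `#if defined()` does not. The following is an added example, not Cilium's code: it re-implements the Linux kernel's IS_ENABLED() preprocessor trick, which Cilium's `is_defined()` is assumed here to follow (its real definition lives in Cilium's bpf headers and is not reproduced), and compares both checks across the three states `IS_BPF_HOST` can be in.

```c
#include <stdio.h>

/*
 * Added example (not Cilium's code): a re-implementation of the Linux
 * kernel's IS_ENABLED() trick. Cilium's is_defined() is assumed to follow
 * the same pattern.
 *
 * How it works: if X expands to the literal 1, the token paste yields
 * __ARG_PLACEHOLDER_1, which itself expands to "0,", inserting an extra
 * argument so that the second argument seen by __take_second_arg is 1.
 * Any other expansion (empty, or an unknown identifier) leaves the junk
 * token glued to the 1 as a single first argument, and the fallback 0 is
 * selected instead. A trailing dummy 0 keeps the variadic part non-empty.
 */
#define __ARG_PLACEHOLDER_1 0,
#define __take_second_arg(__ignored, val, ...) val
#define ____is_defined(arg1_or_junk) __take_second_arg(arg1_or_junk 1, 0, 0)
#define ___is_defined(val) ____is_defined(__ARG_PLACEHOLDER_##val)
#define __is_defined(x) ___is_defined(x)
#define is_defined(x) __is_defined(x)

/* Case 1: defined with the literal value 1, as in the merged patch. */
#define IS_BPF_HOST 1
int host_as_one_is_defined(void) { return is_defined(IS_BPF_HOST); }
int host_as_one_defined(void)
{
#if defined(IS_BPF_HOST)
    return 1;
#else
    return 0;
#endif
}
#undef IS_BPF_HOST

/* Case 2: defined with no value, as the review nit first suggested. */
#define IS_BPF_HOST
int host_empty_is_defined(void) { return is_defined(IS_BPF_HOST); }
int host_empty_defined(void)
{
#if defined(IS_BPF_HOST)
    return 1;
#else
    return 0;
#endif
}
#undef IS_BPF_HOST

/* Case 3: not defined at all, i.e. any program other than bpf_host. */
int host_undefined_is_defined(void) { return is_defined(IS_BPF_HOST); }
int host_undefined_defined(void)
{
#if defined(IS_BPF_HOST)
    return 1;
#else
    return 0;
#endif
}

int main(void)
{
    printf("IS_BPF_HOST 1 : defined()=%d is_defined()=%d\n",
           host_as_one_defined(), host_as_one_is_defined());
    printf("IS_BPF_HOST   : defined()=%d is_defined()=%d\n",
           host_empty_defined(), host_empty_is_defined());
    printf("undefined     : defined()=%d is_defined()=%d\n",
           host_undefined_defined(), host_undefined_is_defined());
    return 0;
}
```

Case 2 is the one that bit the author: `defined()` reports 1 but `is_defined()` reports 0, so a split condition written with `is_defined()` is quietly disabled. Either keep the explicit `1` or, as the reviewer suggests, move every check to a single style (`#if IS_BPF_HOST == 1`) so the two macros cannot disagree.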
Running Cilium in IPv4-only mode with the host firewall and our
kube-proxy replacement enabled causes program to-netdev from bpf_host to
have an excessive size (>4096 instructions):
level=warning msg="Prog section 'to-netdev' rejected: Argument list too long (7)!" subsys=datapath-loader
level=warning msg=" - Type: 3" subsys=datapath-loader
level=warning msg=" - Attach Type: 0" subsys=datapath-loader
level=warning msg=" - Instructions: 4179 (83 over limit)" subsys=datapath-loader
level=warning msg=" - License: GPL" subsys=datapath-loader
The section in question consists in particular of the host firewall
enforcement and the NAT+service handling via nodeport_nat_fwd(). That
last function is only split into several programs via tail calls when
both IPv4 and IPv6 are enabled.
To reduce the program size, this commit also splits nodeport_nat_fwd()
into several BPF programs via tail calls when the host firewall is
enabled. We also need to check for IS_BPF_HOST to only split if we're
calling nodeport_nat_fwd() from bpf_host.
Signed-off-by: Paul Chaignon <paul@cilium.io>
8795edc to
d19bcd0
Compare
This was referenced Dec 2, 2020
Running Cilium in IPv4-only mode with the host firewall and our kube-proxy replacement enabled causes program to-netdev from bpf_host to have an excessive size (>4096 instructions):

The section in question consists in particular of the host firewall enforcement and the NAT+service handling via nodeport_nat_fwd(). That last function is only split into several programs via tail calls when both IPv4 and IPv6 are enabled.

To reduce the program size, this pull request also splits nodeport_nat_fwd() into several BPF programs via tail calls when the host firewall is enabled. We also need to check for HOST_EP_ID to only split if we're calling nodeport_nat_fwd() from bpf_host.

Fixes: #14231