Skip to content

Extend BPF policymap to include proxy_port#2918

Merged
tgraf merged 10 commits intocilium:masterfrom
joestringer:submit/bpf-l4-policy-refactor
Mar 1, 2018
Merged

Extend BPF policymap to include proxy_port#2918
tgraf merged 10 commits intocilium:masterfrom
joestringer:submit/bpf-l4-policy-refactor

Conversation

@joestringer
Copy link
Copy Markdown
Member

@joestringer joestringer commented Feb 23, 2018
edited
Loading

This PR removes the action field from the policy_entry values that are held in POLICY_MAP, as it was not being used (the map is a whitelist and there are no other actions to take other than allow). In its place, it introduces proxy_port. This lays the groundwork for userspace to populate this map instead of writing the BPF_L4_MAP embedded macro to specify proxy ports to redirect traffic towards.

As part of this, the datapath logic is shifted around a bit to push the L4 policy lookup earlier, to occur alongside the Label-based, and Label-dependent L4, and CIDR policy lookups.

The existing BPF_L4_MAP method for fetching the proxy_port will still work for now, so this PR can be merged prior to the userspace work. Once userspace switches over to implementing L4-L7 policy via the POLICY_MAP, all of the BPF_L4_MAP logic can be removed.

Note that this requires the cilium_policy_* maps to be flushed upon cilium upgrade, otherwise all existing policies in the BPF map will cause forwarding to the local port 1 (interpreting the previous action=1 as a proxy_port to redirect to), and the kernel will reset those connections.

This PR also rolls in a few unrelated style / documentation fixes for the datapath.

If you feel that the action field should still exist in this entry, or that this kind of upgrade breakage is unacceptable, please voice your opinions below.

Removed action field from BPF policy map entries

@joestringer joestringer added wip area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. labels Feb 23, 2018
@joestringer joestringer requested a review from a team February 23, 2018 08:03
@joestringer joestringer force-pushed the submit/bpf-l4-policy-refactor branch from 7872866 to 9180cdd Compare February 28, 2018 01:30
@joestringer joestringer changed the title [WIP] BPF L4 policy cleanups [WIP] Extend BPF policymap to include proxy_port Feb 28, 2018
@ianvernon ianvernon mentioned this pull request Feb 28, 2018
Closed
5 tasks
@joestringer joestringer force-pushed the submit/bpf-l4-policy-refactor branch from 9180cdd to 789b41e Compare February 28, 2018 03:58
@joestringer joestringer mentioned this pull request Feb 28, 2018
Merged
@joestringer joestringer force-pushed the submit/bpf-l4-policy-refactor branch from 789b41e to 8f4a7d3 Compare February 28, 2018 07:53
@joestringer
pkg/maps/policymap: Get rid of 'Action' field
f0fdea0 
The 'Action' field of a 'policyEntry' was never used to determine the
action to execute on the datapath, but userspace always populated this
field. Remove the userspace bits which populate the field so it can be
reused in future.

Signed-off-by: Joe Stringer <joe@covalent.io>
@joestringer
bpf: Rename ingress policy lookups
11610a2 
All of the current policy_can_access() calls are for ingress only.
Indicate this and hide the map argument while we're at it.

Signed-off-by: Joe Stringer <joe@covalent.io>
@joestringer
bpf: Make reverse_proxy arguments same for IPv4/6
40f4f19 
Update the reverse_proxy() final argument to pass the only field in the
CT tuple which it uses, the nexthdr. This makes the IPv4 path more
similar to the IPv6 path.

Signed-off-by: Joe Stringer <joe@covalent.io>
@joestringer
bpf: Document proxymap key/value
74df27c 
Signed-off-by: Joe Stringer <joe@covalent.io>
@joestringer
bpf: Document policy_can_access()
3e94180 
Signed-off-by: Joe Stringer <joe@covalent.io>
@joestringer
bpf: Reuse tuple for dport in ingress l4 policy
009a6af 
Just before this gets hit on the ingress path in ipv4_policy(), the
ct_state's orig_dport field gets updated to be the same as the tuple's
dport. Replacing it here as well makes the code more consistent with the
IPv6 codepath and should have no outward effect.

Signed-off-by: Joe Stringer <joe@covalent.io>
@joestringer
bpf: Refactor l4 policy / proxy_port lookup
a38316a 
Extricate proxy_port determination from conntrack. This will be replaced
by a map lookup in future, so factoring it out helps to move it in that
direction.

Signed-off-by: Joe Stringer <joe@covalent.io>
@joestringer
bpf: Apply L4-only policy in policy_can_access()
85dc1b1 
Signed-off-by: Joe Stringer <joe@covalent.io>
@joestringer
bpf: Add proxy_port to POLICY_MAP entries
f62b831 
If userspace populates the 'proxy_port' field of a policy entry, return
it as part of policy_can_access_ingress(). Userspace can now populate
this portion of policy map entries and the proxy port will be respected
by the datapath.

Related: cilium#2904

Signed-off-by: Joe Stringer <joe@covalent.io>
@joestringer
bpf: Shift l4 policy lookup to __policy_can_access
a7cf33d 
L4 policy will in future be tied in with the standard L3/L4 BPF map
lookup, so shift this logic to there. In the case of egress policy,
there is no blob there yet so just shift the proxy logic out of
conntrack creation, closer to where it will be implemented when
label-based+l4 egress policy is implemented.

Signed-off-by: Joe Stringer <joe@covalent.io>
@joestringer joestringer force-pushed the submit/bpf-l4-policy-refactor branch from 8f4a7d3 to a7cf33d Compare March 1, 2018 00:43
@joestringer joestringer requested a review from a team as a code owner March 1, 2018 00:43
@joestringer joestringer changed the title [WIP] Extend BPF policymap to include proxy_port Extend BPF policymap to include proxy_port Mar 1, 2018
@joestringer joestringer added pending-review release-note/minor This PR changes functionality that users may find relevant to operating Cilium. and removed wip labels Mar 1, 2018
tgraf
tgraf approved these changes Mar 1, 2018
View reviewed changes
Copy link
Copy Markdown
Contributor

@tgraf tgraf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome cleanup. Does the addition of the L4 policy lookup to the can_access() logic fix a bug or is required for the transition?

@joestringer
Copy link
Copy Markdown
Member Author

joestringer commented Mar 1, 2018

@tgraf At this point it's only what's required for the transition.

I realised though that one minor tweak on top may fix #2907: With the current state, l4policy via the embedded maps is only triggered if there's an l4-only entry in the l3/l4 policy map. However, today userspace won't generate such entries. I was thinking that some reworking of the userspace would be necessary to fix the above bug, but we could just unconditionally attempt to use the embedded map if all the other cases fall through. I'll look into that, since it's one of the same core problems blocking #2954.

@joestringer
Copy link
Copy Markdown
Member Author

joestringer commented Mar 1, 2018

Confirmed that userspace changes are necessary to fix #2907 without otherwise breaking Label-dependent L4, so I think that we should go ahead with this PR as-is.

@tgraf tgraf merged commit 5e989eb into cilium:master Mar 1, 2018
@joestringer joestringer deleted the submit/bpf-l4-policy-refactor branch March 1, 2018 20:15
@joestringer joestringer mentioned this pull request Mar 1, 2018
Closed
This was referenced Jul 3, 2018
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@tgraf tgraf tgraf approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. release-note/minor This PR changes functionality that users may find relevant to operating Cilium.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@joestringer @tgraf