LRP: Fix loopback in per packet LB mode#33721
Merged
julianwiedmann merged 5 commits intocilium:mainfrom Aug 4, 2024
Merged
Conversation
|
Commits 20b9898, 91c5e0c do not match "(?m)^Signed-off-by:". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin |
|
Commits 20b9898, 91c5e0c, ccbf71f do not match "(?m)^Signed-off-by:". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin |
ccbf71f to
91c5e0c
Compare
|
Commits 20b9898, 91c5e0c do not match "(?m)^Signed-off-by:". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin |
91c5e0c to
d4d203e
Compare
|
Commits 20b9898, 91c5e0c do not match "(?m)^Signed-off-by:". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin |
d4d203e to
3e552c2
Compare
|
Commits ffd7e89, 3e552c2 do not match "(?m)^Signed-off-by:". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin |
|
Commits ffd7e89, 3e552c2, 2261aae do not match "(?m)^Signed-off-by:". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin |
Member
|
@pravk03 thanks for the fix! Please make sure to sign off your commits per the comment from the bot above before marking PRs ready for review. |
2261aae to
94d8013
Compare
|
Commit bc606fe does not match "(?m)^Signed-off-by:". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin |
94d8013 to
9f33d2d
Compare
Member
|
/test |
viktor-kurchenko
approved these changes
Jul 29, 2024
Member
|
/test |
Member
|
ci-l4lb is consistently failing. I think 809ce56 fixes this falure. @pravk03 Could you rebase your branch? |
Since the bpf helper function bpf_get_netns_cookie() is not exposed to the TC BPF programs, we would need to use ELF substitutions to make the network namespace cookie of an endpoint available to the BPF program attached. In a subsequent patch, we would use this in TC BPF program to detect LRP loopback. Signed-off-by: Praveen Krishna <pkrishn@google.com>
These functions would also be invoked from bpf_lxc.c in the subsequent commit. Signed-off-by: Praveen Krishna <pkrishn@google.com>
Skip service translation logic for a local-redirect service when the
packet originates from the node local backend. Skip LB only for socket
tuples matching local redirect policy tuples populated in the
cilium_skip_lb{4,6} maps. The maps are populated by the userspace based
on user deployed LRPs.
Signed-off-by: Praveen Krishna <pkrishn@google.com>
Adds test cases to validate lrp loopback fix in per-packet LB mode. Signed-off-by: Praveen Krishna <pkrishn@google.com>
Update the added support for LRP skipRedirectFromBackend with per packet based LB. Signed-off-by: Praveen Krishna <pkrishn@google.com>
0efc431 to
23ca9f7
Compare
Author
|
@ysksuzuki rebased. |
Member
|
/test |
Member
|
I will add e2e test before backporting the PR to v1.16. |
ysksuzuki
approved these changes
Aug 3, 2024
Member
julianwiedmann
left a comment
There was a problem hiding this comment.
Just a few non-blocking comments, maybe you want to address these in a follow-up PR.
Comment on lines
+534
to
535
| The configuration is supported with socket-based load-balancing and per packet based load-balancing, and requires ``SO_NETNS_COOKIE`` feature | ||
| available in Linux kernel version >= 5.8. |
Member
There was a problem hiding this comment.
Suggested change
| The configuration is supported with socket-based load-balancing and per packet based load-balancing, and requires ``SO_NETNS_COOKIE`` feature | |
| available in Linux kernel version >= 5.8. | |
| This configuration requires the ``SO_NETNS_COOKIE`` feature available in Linux kernel version >= 5.8. |
If it now works for either variant of load-balancing, let's not have the user worry about unnecessary details :).
Comment on lines
+57
to
+72
| l2 = pktgen__push_ethhdr(&builder); | ||
| if (!l2) | ||
| return TEST_ERROR; | ||
| ethhdr__set_macs(l2, (__u8 *)src, (__u8 *)dst); | ||
| /* Push IPv4 header */ | ||
| l3 = pktgen__push_default_iphdr(&builder); | ||
| if (!l3) | ||
| return TEST_ERROR; | ||
| l3->saddr = V4_BACKEND_IP; | ||
| l3->daddr = V4_SERVICE_IP; | ||
| /* Push TCP header */ | ||
| l4 = pktgen__push_default_tcphdr(&builder); | ||
| if (!l4) | ||
| return TEST_ERROR; | ||
| l4->source = tcp_src_one; | ||
| l4->dest = SERVICE_PORT; |
Member
There was a problem hiding this comment.
Use pktgen__push_ipv4_tcp_packet() here? (same in the other PKTGEN stage below)
Comment on lines
+94
to
+141
| lb_svc_key.address = V4_SERVICE_IP; | ||
| lb_svc_key.dport = SERVICE_PORT; | ||
| lb_svc_key.scope = LB_LOOKUP_SCOPE_EXT; | ||
| /* Create a LRP service with one backend */ | ||
| lb_svc_value.count = 1; | ||
| lb_svc_value.flags = SVC_FLAG_ROUTABLE; | ||
| lb_svc_value.flags2 = SVC_FLAG_LOCALREDIRECT; | ||
| lb_svc_value.rev_nat_index = revnat_id; | ||
| map_update_elem(&LB4_SERVICES_MAP_V2, &lb_svc_key, &lb_svc_value, BPF_ANY); | ||
| /* Insert a reverse NAT entry for the above service */ | ||
| revnat_value.address = V4_SERVICE_IP; | ||
| revnat_value.port = SERVICE_PORT; | ||
| map_update_elem(&LB4_REVERSE_NAT_MAP, &revnat_id, &revnat_value, BPF_ANY); | ||
| /* A backend between 1 and .count is chosen, since we have only one backend | ||
| * it is always backend_slot 1. Point it to backend_id 124. | ||
| */ | ||
| lb_svc_key.backend_slot = 1; | ||
| lb_svc_value.backend_id = 124; | ||
| map_update_elem(&LB4_SERVICES_MAP_V2, &lb_svc_key, &lb_svc_value, BPF_ANY); | ||
|
|
||
| /* Add the service in LB4_SKIP_MAP to skip service translation for request originating from the local backend */ | ||
| struct skip_lb4_key key = { | ||
| .netns_cookie = ENDPOINT_NETNS_COOKIE, | ||
| .address = V4_SERVICE_IP, | ||
| .port = SERVICE_PORT, | ||
| }; | ||
| __u8 val = 0; | ||
|
|
||
| map_update_elem(&LB4_SKIP_MAP, &key, &val, BPF_ANY); | ||
|
|
||
| /* Create backend id 124 which contains the IP and port to send the | ||
| * packet to. | ||
| */ | ||
| backend.address = V4_BACKEND_IP; | ||
| backend.port = BACKEND_PORT; | ||
| backend.proto = IPPROTO_TCP; | ||
| backend.flags = 0; | ||
| map_update_elem(&LB4_BACKEND_MAP, &lb_svc_value.backend_id, &backend, BPF_ANY); | ||
| /* Add an IPCache entry for pod 1 */ | ||
| cache_key.lpm_key.prefixlen = 32; | ||
| cache_key.family = ENDPOINT_KEY_IPV4; | ||
| cache_key.ip4 = V4_BACKEND_IP; | ||
| /* a random sec id for the pod */ | ||
| cache_value.sec_identity = 112233; | ||
| map_update_elem(&IPCACHE_MAP, &cache_key, &cache_value, BPF_ANY); | ||
| ep_key.ip4 = V4_BACKEND_IP; | ||
| ep_key.family = ENDPOINT_KEY_IPV4; | ||
| map_update_elem(&ENDPOINTS_MAP, &ep_key, &ep_value, BPF_ANY); |
Member
There was a problem hiding this comment.
I want to believe that we have helpers for most of this in bpf/tests/lib/... now. Except the LB4_SKIP_MAP operations, which would be a good addition?
julianwiedmann
added a commit
that referenced
this pull request
Sep 1, 2025
#33721 refactored the LRP code in bpf_sock, and dropped the HAVE_NETNS_COOKIE guard when calling get_netns_cookie(). When LRP is enabled, this causes the verifier on pre-5.8 kernels (where the helper is not available) to reject the bpf_sock program with "invalid func unknown#122". Re-introduce the check for HAVE_NETNS_COOKIE in the IPv4 path. This matches the IPv6 path. Fixes: 9d8b5f7 ("bpf:move LBx skip map and lookup functions to lb.h") Fixes: #40457 Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
3 tasks
github-merge-queue bot
pushed a commit
that referenced
this pull request
Sep 1, 2025
#33721 refactored the LRP code in bpf_sock, and dropped the HAVE_NETNS_COOKIE guard when calling get_netns_cookie(). When LRP is enabled, this causes the verifier on pre-5.8 kernels (where the helper is not available) to reject the bpf_sock program with "invalid func unknown#122". Re-introduce the check for HAVE_NETNS_COOKIE in the IPv4 path. This matches the IPv6 path. Fixes: 9d8b5f7 ("bpf:move LBx skip map and lookup functions to lb.h") Fixes: #40457 Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
julianwiedmann
added a commit
that referenced
this pull request
Sep 1, 2025
[ upstream commit 5745846 ] #33721 refactored the LRP code in bpf_sock, and dropped the HAVE_NETNS_COOKIE guard when calling get_netns_cookie(). When LRP is enabled, this causes the verifier on pre-5.8 kernels (where the helper is not available) to reject the bpf_sock program with "invalid func unknown#122". Re-introduce the check for HAVE_NETNS_COOKIE in the IPv4 path. This matches the IPv6 path. Fixes: 9d8b5f7 ("bpf:move LBx skip map and lookup functions to lb.h") Fixes: #40457 Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
github-merge-queue bot
pushed a commit
that referenced
this pull request
Sep 2, 2025
[ upstream commit 5745846 ] #33721 refactored the LRP code in bpf_sock, and dropped the HAVE_NETNS_COOKIE guard when calling get_netns_cookie(). When LRP is enabled, this causes the verifier on pre-5.8 kernels (where the helper is not available) to reject the bpf_sock program with "invalid func unknown#122". Re-introduce the check for HAVE_NETNS_COOKIE in the IPv4 path. This matches the IPv6 path. Fixes: 9d8b5f7 ("bpf:move LBx skip map and lookup functions to lb.h") Fixes: #40457 Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
9 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR fixes cases with the local redirect policy datapath behavior with per-packet LB resulting in loopback. The loopback occurs when the request originates from the node local backend and the local redirect service translation in the bpf program at the LXC interface causes the request to be redirected back to itself. This PR extends the fix in #26144 to work for per-packet LB mode.
Fixes: #30558