Skip to content

[v1.17] bpf: sock: fix LRP for pre-5.7 kernels#41449

Merged
julianwiedmann merged 2 commits intov1.17from
pr/jwi/v1.17/netns-cookie
Sep 1, 2025
Merged

[v1.17] bpf: sock: fix LRP for pre-5.7 kernels#41449
julianwiedmann merged 2 commits intov1.17from
pr/jwi/v1.17/netns-cookie

Conversation

@julianwiedmann
Copy link
Copy Markdown
Member

@julianwiedmann julianwiedmann commented Sep 1, 2025
edited
Loading 

https://github.com/cilium/cilium/pull/33721 refactored the LRP code in
bpf_sock, and dropped the HAVE_NETNS_COOKIE guard when calling
get_netns_cookie(). When LRP is enabled, this causes the verifier on
pre-5.8 kernels (where the helper is not available) to reject the bpf_sock
program with "invalid func unknown#122".

Re-introduce the check for HAVE_NETNS_COOKIE in the IPv4 path. This matches
the IPv6 path.

`HAVE_NETNS_COOKIE` was removed in the `v1.18` release, so this fix only applies to older branches.

Fixes: #40457

Fix a bug that caused the kernel verifier on pre-v5.7 kernels to reject the bpf_sock program with "invalid func unknown#122" when the LocalRedirectPolicy feature is enabled.

@maintainer-s-little-helper maintainer-s-little-helper bot added backport/1.17 This PR represents a backport for Cilium 1.17.x of a PR that was merged to main. kind/backports This PR provides functionality previously merged into master. labels Sep 1, 2025
@julianwiedmann
Copy link
Copy Markdown
Member Author

julianwiedmann commented Sep 1, 2025

/ci-verifier

@julianwiedmann
bpf/complexity-tests: test ENABLE_LOCAL_REDIRECT_POLICY on 5.4 kernel
8638c79 
Extend the LRP load-testing that was introduced with
#35016 and
#35099, so that the 5.4 kernel is
also covered.

This helps to reproduce the bug reported in
#40457.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@julianwiedmann
bpf: sock: fix LRP for pre-5.8 kernels
84532b3 
#33721 refactored the LRP code in
bpf_sock, and dropped the HAVE_NETNS_COOKIE guard when calling
get_netns_cookie(). When LRP is enabled, this causes the verifier on
pre-5.8 kernels (where the helper is not available) to reject the bpf_sock
program with "invalid func unknown#122".

Re-introduce the check for HAVE_NETNS_COOKIE in the IPv4 path. This matches
the IPv6 path.

Fixes: 9d8b5f7 ("bpf:move LBx skip map and lookup functions to lb.h")
Fixes: #40457
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@julianwiedmann julianwiedmann force-pushed the pr/jwi/v1.17/netns-cookie branch from 7f9daa8 to 84532b3 Compare September 1, 2025 05:49
@julianwiedmann julianwiedmann changed the title bpf/complexity-tests: test ENABLE_LOCAL_REDIRECT_POLICY on 5.4 kernel [v1.17] bpf: sock: fix LRP for pre-5.8 kernels Sep 1, 2025
@julianwiedmann
Copy link
Copy Markdown
Member Author

julianwiedmann commented Sep 1, 2025

/ci-verifier

@julianwiedmann
Copy link
Copy Markdown
Member Author

julianwiedmann commented Sep 1, 2025

/test

@julianwiedmann
Copy link
Copy Markdown
Member Author

julianwiedmann commented Sep 1, 2025

Repro without the fix: https://github.com/cilium/cilium/actions/runs/17368289993/job/49299036976

This was referenced Sep 1, 2025
Closed
Merged
@julianwiedmann julianwiedmann marked this pull request as ready for review September 1, 2025 06:10
@julianwiedmann julianwiedmann requested a review from a team as a code owner September 1, 2025 06:10
@julianwiedmann
Copy link
Copy Markdown
Member Author

julianwiedmann commented Sep 1, 2025

@pravk03 fyi

@julianwiedmann julianwiedmann added this pull request to the merge queue Sep 1, 2025
@julianwiedmann julianwiedmann changed the title [v1.17] bpf: sock: fix LRP for pre-5.8 kernels [v1.17] bpf: sock: fix LRP for pre-5.7 kernels Sep 1, 2025
Merged via the queue into v1.17 with commit 5745846 Sep 1, 2025
347 of 352 checks passed
@julianwiedmann julianwiedmann deleted the pr/jwi/v1.17/netns-cookie branch September 1, 2025 10:39
@maintainer-s-little-helper maintainer-s-little-helper bot added ready-to-merge This PR has passed all tests and received consensus from code owners to merge. labels Sep 1, 2025
@julianwiedmann julianwiedmann mentioned this pull request Sep 1, 2025
Merged
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dylandreimerink dylandreimerink dylandreimerink approved these changes

Assignees

No one assigned

Labels

backport/1.17 This PR represents a backport for Cilium 1.17.x of a PR that was merged to main. kind/backports This PR provides functionality previously merged into master. ready-to-merge This PR has passed all tests and received consensus from code owners to merge.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@julianwiedmann @dylandreimerink @msune