bpf: lxc: always set identity mark on forwarded egressing traffic #42551

Merged
julianwiedmann merged 1 commit into main from pr/jwi/main/bpf-identity
Nov 3, 2025

@julianwiedmann
Member

Guessing which exact forward paths can benefit from the identity mark is fragile, and it's hard to overlook corner cases. Even when we BPF-redirect a packet to an external interface (with BPF Host Routing) it makes sense to have the mark, so that the cil_to_netdev can retrieve it without relying on endpoint map or ipcache.

So let's always set the mark at the very start of the forwarding path.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@julianwiedmann julianwiedmann added area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. release-note/misc This PR makes changes that have no direct user impact. affects/v1.16 This issue affects v1.16 branch affects/v1.17 This issue affects v1.17 branch needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch labels Nov 2, 2025
@julianwiedmann
Member Author

/test

@julianwiedmann julianwiedmann marked this pull request as ready for review November 2, 2025 16:50
@julianwiedmann julianwiedmann requested a review from a team as a code owner November 2, 2025 16:50
@julianwiedmann julianwiedmann added this pull request to the merge queue Nov 3, 2025
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Nov 3, 2025
Merged via the queue into main with commit 2660242 Nov 3, 2025
366 of 368 checks passed
@julianwiedmann julianwiedmann deleted the pr/jwi/main/bpf-identity branch November 3, 2025 18:29
@rastislavs rastislavs mentioned this pull request Nov 6, 2025
@rastislavs rastislavs added backport-pending/1.18 The backport for Cilium 1.18.x for this PR is in progress. and removed needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch labels Nov 6, 2025
@github-actions github-actions bot added backport-done/1.18 The backport for Cilium 1.18.x for this PR is done. and removed backport-pending/1.18 The backport for Cilium 1.18.x for this PR is in progress. labels Nov 6, 2025
@cilium-release-bot cilium-release-bot bot moved this to Released in cilium v1.19.0 Feb 3, 2026