Skip to content

bpf: Fix marker to skip nodeport when punting to proxy#43069

Merged
borkmann merged 3 commits intomainfrom
pr/xfer-marker
Jan 16, 2026
Merged

bpf: Fix marker to skip nodeport when punting to proxy#43069
borkmann merged 3 commits intomainfrom
pr/xfer-marker

Conversation

@borkmann
Copy link
Copy Markdown
Member

@borkmann borkmann commented Dec 1, 2025

(see commit msg)

@borkmann borkmann requested a review from a team as a code owner December 1, 2025 16:25
@borkmann borkmann added release-note/misc This PR makes changes that have no direct user impact. needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch labels Dec 1, 2025
@borkmann
Copy link
Copy Markdown
Member Author

borkmann commented Dec 1, 2025

/test

@borkmann borkmann requested a review from mhofstetter December 1, 2025 16:33
julianwiedmann
julianwiedmann approved these changes Dec 2, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@julianwiedmann julianwiedmann left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A BPF test for this particular path could be similar as the existing XDP test for a local backend (

cilium/bpf/tests/xdp_nodeport_lb4_nat_lb.c

Line 171 in c625631

assert((*meta & XFER_PKT_NO_SVC) == XFER_PKT_NO_SVC);
).

@julianwiedmann julianwiedmann added area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. area/proxy Impacts proxy components, including DNS, Kafka, Envoy and/or XDS servers. area/loadbalancing Impacts load-balancing and Kubernetes service implementations area/kpr Anything related to our kube-proxy replacement. labels Dec 2, 2025
@borkmann
Copy link
Copy Markdown
Member Author

borkmann commented Dec 4, 2025

A BPF test for this particular path could be similar as the existing XDP test for a local backend (

cilium/bpf/tests/xdp_nodeport_lb4_nat_lb.c

Line 171 in c625631

assert((*meta & XFER_PKT_NO_SVC) == XFER_PKT_NO_SVC);

).

Yeap agree, I likely won't get to it before LPC, but will look into this afterwards.

@joestringer joestringer added release-note/bug This PR fixes an issue in a previous release of Cilium. dont-merge/needs-rebase This PR needs to be rebased because it has merge conflicts. and removed release-note/misc This PR makes changes that have no direct user impact. labels Jan 9, 2026
@borkmann
bpf: Fix marker to skip nodeport when punting to proxy
6135a1e 
Julian spotted that setting ctx_skip_nodeport_set(ctx) is not having
the desired effect for the case when there is XDP used on the node.

The ctx_skip_nodeport_set() marker is not transferred to the skb and
as a result the service lookup would happen twice instead of just in
the XDP layer resulting in higher per-packet cost. The latter lookup
in the tcx layer for such packets is unnecessary.

Therefore, use the correct ctx_set_xfer(ctx, XFER_PKT_NO_SVC).

Reported-by: Julian Wiedmann <jwi@isovalent.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
@borkmann borkmann requested a review from a team as a code owner January 12, 2026 14:42
@borkmann borkmann requested a review from ysksuzuki January 12, 2026 14:42
@borkmann borkmann removed the dont-merge/needs-rebase This PR needs to be rebased because it has merge conflicts. label Jan 12, 2026
@borkmann borkmann force-pushed the pr/xfer-marker branch 5 times, most recently from 1343c59 to d91a30b Compare January 12, 2026 16:48
julianwiedmann
julianwiedmann reviewed Jan 13, 2026
View reviewed changes
@aanm aanm added the needs-backport/1.19 This PR / issue needs backporting to the v1.19 branch label Jan 14, 2026
@borkmann
tests/bpf: Add L7 proxy delegate test with local backend
736edd0 
Add a test where the backend is local with the service L7 proxy delegate.
We expect the service to be passed up the stack unmodified. XFER_PKT_NO_SVC
is set to skip tcx service handling a second time.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
@borkmann
tests/bpf: Add L7 proxy delegate test with remote backend
a6a4a97 
Add a test where the backend is remote with the service L7 proxy delegate.
We expect the service to be NATed and sent out the node. XFER_PKT_NO_SVC
is /not/ set in this case given the backend is not part of the local
endpoint map.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
@borkmann
Copy link
Copy Markdown
Member Author

borkmann commented Jan 16, 2026

/test

@borkmann borkmann merged commit 4fe778b into main Jan 16, 2026
401 of 405 checks passed
@borkmann borkmann deleted the pr/xfer-marker branch January 16, 2026 12:20
@yushoyamaguchi yushoyamaguchi mentioned this pull request Jan 18, 2026
Merged
1 task
@giorio94 giorio94 mentioned this pull request Jan 19, 2026
Merged
2 tasks
@giorio94
Copy link
Copy Markdown
Member

giorio94 commented Jan 19, 2026

👋 Backporter here. I've encountered significant conflicts when trying to backport this PR to v1.18, as the target hunks of the first commit seem to have diverged significantly between the two branches. Marking as backport/author, please double check whether it makes sense to backport this PR to v1.18. /cc @borkmann

@giorio94 giorio94 added the backport/author The backport will be carried out by the author of the PR. label Jan 19, 2026
@giorio94 giorio94 mentioned this pull request Jan 19, 2026
Merged
8 tasks
@giorio94 giorio94 added backport-pending/1.19 The backport for Cilium 1.19.x for this PR is in progress. and removed needs-backport/1.19 This PR / issue needs backporting to the v1.19 branch labels Jan 19, 2026
@borkmann
Copy link
Copy Markdown
Member Author

borkmann commented Jan 19, 2026

👋 Backporter here. I've encountered significant conflicts when trying to backport this PR to v1.18, as the target hunks of the first commit seem to have diverged significantly between the two branches. Marking as backport/author, please double check whether it makes sense to backport this PR to v1.18. /cc @borkmann

Yep, I'll take care of it.

@github-actions github-actions bot added backport-done/1.19 The backport for Cilium 1.19.x for this PR is done. and removed backport-pending/1.19 The backport for Cilium 1.19.x for this PR is in progress. labels Jan 19, 2026
@borkmann borkmann mentioned this pull request Jan 20, 2026
Merged
@github-actions github-actions bot added the backport-done/1.18 The backport for Cilium 1.18.x for this PR is done. label Jan 20, 2026
@julianwiedmann julianwiedmann removed the needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch label Jan 21, 2026
@julianwiedmann julianwiedmann mentioned this pull request Jan 23, 2026
Merged
@cilium-release-bot cilium-release-bot bot moved this to Released in cilium v1.19.0 Feb 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@julianwiedmann julianwiedmann julianwiedmann approved these changes

@mhofstetter mhofstetter mhofstetter approved these changes

@ysksuzuki ysksuzuki Awaiting requested review from ysksuzuki ysksuzuki is a code owner automatically assigned from cilium/sig-lb

Assignees

No one assigned

Labels

area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. area/kpr Anything related to our kube-proxy replacement. area/loadbalancing Impacts load-balancing and Kubernetes service implementations area/proxy Impacts proxy components, including DNS, Kafka, Envoy and/or XDS servers. backport/author The backport will be carried out by the author of the PR. backport-done/1.18 The backport for Cilium 1.18.x for this PR is done. backport-done/1.19 The backport for Cilium 1.19.x for this PR is done. release-note/bug This PR fixes an issue in a previous release of Cilium.

Projects

No open projects
cilium v1.19.0
Status: Released

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@borkmann @giorio94 @mhofstetter @julianwiedmann @joestringer @msune @aanm