bpf,endpoint: introduce fib-table-id annotation#44319

Merged
ldelossa merged 3 commits into main from per-table-routing
Feb 22, 2026

@ldelossa
Contributor

Add a new pod annotation, 'network.cilium.io/fib-table-id', that enables dynamic pod routing.

When this pod annotation is set the corresponding table ID will be provided to the Cilium datapath.

The table ID will then be used to determine a pod's next hop via a kernel fib lookup against the provided table.

The mechanisms to manipulate the provided FIB table are not introduced in this pull request.

Provide a new annotation that enables dynamic pod routing. 

@ldelossa ldelossa added area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. release-note/minor This PR changes functionality that users may find relevant to operating Cilium. labels Feb 12, 2026
@ldelossa ldelossa force-pushed the per-table-routing branch 2 times, most recently from c86db15 to 0262207 February 18, 2026 19:20
@ldelossa
Contributor Author

/test

@ldelossa ldelossa marked this pull request as ready for review February 19, 2026 13:55
@ldelossa ldelossa requested review from a team as code owners February 19, 2026 13:55
@borkmann
Member

Nice, I like it!

Should we gate option.Config.EnableFibTableIDAnnotation and only allow it to be enabled when we have either BPF host routing enabled or netkit mode?

@ldelossa
Contributor Author

@borkmann Good idea.

Do we need to be explicit about the netkit mode, is it enough to just check BPF host routing is enabled? My thinking is, even in a case where netkit is enabled but BPF host routing is disabled (legacy), the bpf_lxc program would not go into the fib redirect path, where we now use the table id.

Is my understanding off there?

@borkmann
Member

> @borkmann Good idea.
>
> Do we need to be explicit about the netkit mode, is it enough to just check BPF host routing is enabled? My thinking is, even in a case where netkit is enabled but BPF host routing is disabled (legacy), the bpf_lxc program would not go into the fib redirect path, where we now use the table id.
>
> Is my understanding off there?

We can check for just BPF host routing. I don't think we can enable netkit with legacy, that should not be possible. And netkit itself demands BPF host routing and otherwise bails out.

@ldelossa
Contributor Author

/test

Contributor

@derailed derailed left a comment

@ldelossa Nice work!

Member

@dylandreimerink dylandreimerink left a comment

Nice!

Contributor

@jrife jrife left a comment

Should use of this feature have an associated probe similar to the one for BPF_FIB_LOOKUP_SKIP_NEIGH?

@ldelossa
Contributor Author

ldelossa commented Feb 20, 2026

@jrife I don't think there's much actual usage to that probe you linked. node.SupportsFIBLookupSkipNeigh is dead code isn't it?

@jrife
Contributor

jrife commented Feb 20, 2026

It doesn't look dead to me. It's still set based on the result of the probe here and affects whether or not the BPF_FIB_LOOKUP_SKIP_NEIGH flag is used in the datapath. It looks like BPF_FIB_LOOKUP_TBID was added more recently even than BPF_FIB_LOOKUP_SKIP_NEIGH. What happens if a user attempts to use the network.cilium.io/fib-table-id annotation on an older kernel that doesn't support this?

@ldelossa
Contributor Author

@jrife Thanks! I misread that and didn't realize it gets plumbed into the datapath. I will add a probe in a new commit.

Add a new annotation, 'network.cilium.io/fib-table-id', providing
a fib table ID accessible via the CONFIG(fib_table_id) macro within
bpf_lxc.

A future commit will utilize this configuration value to perform eBPF
redirects that respect a particular kernel fib table, allowing dynamic
route selection for pod egress traffic.

Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>

When `ENABLE_HOST_ROUTING` is enabled the eBPF data path can now
evaluate the `fib_table_id` config parameter.

If this config parameter is set to a value other than 0 this value is
used to scope the final fib lookup, routing the pod egress packet to its
next hop.

This enables dynamic routing on a per-pod basis.

Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>

@ldelossa ldelossa requested a review from jrife February 21, 2026 01:40
@ldelossa
Contributor Author

@jrife added the probe. Please re-review.

Introduce a new kernel probe to detect if the BPF_FIB_LOOKUP_TBID flag
is supported for use with bpf_fib_lookup.

If the flag is not available, and Cilium is configured to utilize it via
the EnableFibTableIDAnnotation option, Cilium will fail to start with an
error.

Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>

@ldelossa
Contributor Author

/test

@ldelossa ldelossa added this pull request to the merge queue Feb 22, 2026
Merged via the queue into main with commit 5562e71 Feb 22, 2026
753 of 880 checks passed
@ldelossa ldelossa deleted the per-table-routing branch February 22, 2026 20:51
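
The checks discussed in this thread, as an added example that is not Cilium's code: a startup gate for the option and a strict parse of the pod annotation, which is untrusted input that ends up selecting a kernel routing table. Only the annotation key, the `EnableFibTableIDAnnotation` option name and the `BPF_FIB_LOOKUP_TBID` flag name come from the page; `agentConfig`, its other two fields, both function names, and the choice to ignore the annotation when the option is off are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// Annotation key taken from the pull request description.
const fibTableIDAnnotation = "network.cilium.io/fib-table-id"

// agentConfig is a hypothetical stand-in for the agent state named in the thread.
type agentConfig struct {
	EnableFibTableIDAnnotation bool // option named in the thread
	BPFHostRouting             bool // assumed flag: BPF host routing is enabled
	KernelHasFibLookupTBID     bool // assumed result of the BPF_FIB_LOOKUP_TBID probe
}

// validateStartup fails when the option is on but a prerequisite from the thread is missing.
func validateStartup(c agentConfig) error {
	switch {
	case !c.EnableFibTableIDAnnotation:
		return nil
	case !c.BPFHostRouting:
		return errors.New("fib-table-id annotation requires BPF host routing")
	case !c.KernelHasFibLookupTBID:
		return errors.New("kernel does not support BPF_FIB_LOOKUP_TBID")
	}
	return nil
}

// fibTableID returns the table ID to pass to the datapath. 0 means no per-pod
// table, matching the commit message's "value other than 0" check.
func fibTableID(c agentConfig, annotations map[string]string) (uint32, error) {
	raw, ok := annotations[fibTableIDAnnotation]
	if !ok || !c.EnableFibTableIDAnnotation {
		return 0, nil
	}
	// Base 10, 32 bits: rejects signs, hex, whitespace and overflow.
	id, err := strconv.ParseUint(raw, 10, 32)
	if err != nil {
		return 0, fmt.Errorf("invalid %s %q: %w", fibTableIDAnnotation, raw, err)
	}
	return uint32(id), nil
}

func main() {
	fmt.Println(fibTableID(agentConfig{true, true, true}, map[string]string{fibTableIDAnnotation: "100"}))
}
```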