[v1.18] l7lb: bpf: fix use hairpin redirect for L7 LB on bridge devices#44758
Merged
julianwiedmann merged 1 commit intov1.18from Mar 13, 2026
Merged
[v1.18] l7lb: bpf: fix use hairpin redirect for L7 LB on bridge devices#44758julianwiedmann merged 1 commit intov1.18from
julianwiedmann merged 1 commit intov1.18from
Conversation
Contributor
Author
|
/test |
Contributor
Author
|
|
Member
a rebase should help - let me carry this over the finish line for you :) |
[ upstream commit 52f35a9 ] [ backporter's notes: fixed conflicts: * adapting to the old loader implementation, adding changes only to the Netdev program attached to network devices. * added bits into bpf/tests/pktgen.h without backporting whole unrelated PRs * changed check in bpf/tests/l7_lb_hairpin.c to check for CILIUM_NET_IFINDEX instead of CONFIG(cilium_net_ifindex), as the latter is not used in this backport ] Fix L7 proxy traffic disruption (DROP_REASON_NOSOCKET) on nodes where the BPF program is attached to a Linux bridge device and the br_netfilter module is loaded with net.bridge.bridge-nf-call-iptables=1. With #36383, we changed the non-BPF-TPROXY L7 LB redirect path to mark packets with MARK_MAGIC_TO_PROXY and punt them to the stack, relying on an iptables TPROXY rule in PREROUTING to deliver the packet to the proxy. This optimization avoids a hairpin redirect through cilium_net. However, when br_netfilter is active on a bridge device, the kernel's ip_sabotage_in() function interferes: 1. Packet arrives on bridge port -> br_netfilter evaluates PREROUTING (1st time, BPF hasn't run yet -> TPROXY rule doesn't match) 2. ip_sabotage_in() sets NF_HOOK_STATE_SABOTAGED on the packet 3. tc-ingress BPF runs, sets MARK_MAGIC_TO_PROXY, punts to stack 4. IP stack calls PREROUTING again, but ip_sabotage causes it to be SKIPPED entirely 5. TPROXY rule never fires -> no listening socket on VIP -> DROP_REASON_NOSOCKET We therefore add a new datapath config variable that will be set to true only when compiling the Netdev datapath program (cil_{from,to}_netdev) and the network device is a bridge. This allows us to fall back to the pre-#36383 hairpin redirect via cilium_net for L7 LB traffic, bypassing the ip_sabotage_in() function and allowing the TPROXY rule to match as expected. Non-bridge devices continue using the optimized punt-to-stack path. Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
296ebb7 to
67d9a70
Compare
Member
|
/test |
julianwiedmann
approved these changes
Mar 13, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Once this PR is merged, a GitHub action will update the labels of these PRs: