
bpf,lxc: do not pass non-routed traffic to stack when tbid is explicit#45061

Merged
ldelossa merged 1 commit into main from ldelossa/drop-explicit-fib-cant-fwd
Mar 31, 2026

Conversation

@ldelossa
Contributor

Do not drop BPF_FIB_LKUP_RET_NOT_FWDED traffic when tbid is explicitly
set.

When tbid is explicitly set, we are forcing the pod's egress routing to
be part of a specific routing domain.

If this routing domain does not have a specific route toward the
destination we must drop it, not push it to stack.

A push to stack here would cause the egress packet to leak into the
stack's routing domain and potentially take an unexpected next hop to
the destination.

[bpf] avoid leaking explicit tbid traffic to the host network namespace
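To make the leak concrete, here is an added user-space model of the egress decision (example code written for this page, not Cilium's datapath): two constructed in-memory FIB tables, a lookup confined to one table the way a tbid lookup is, and the verdict logic before and after the change side by side. The table id 100, the ifindex values and the destination address are assumptions chosen for the scenario in the discussion (VRF table flushed, main table still holding a default route); the `BPF_FIB_LKUP_RET_*` values mirror the kernel uapi header.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Return codes of the kernel's bpf_fib_lookup() helper that matter here;
 * values mirror include/uapi/linux/bpf.h. */
enum {
	BPF_FIB_LKUP_RET_SUCCESS   = 0, /* route found, forward via oif */
	BPF_FIB_LKUP_RET_NOT_FWDED = 4, /* no route in the consulted table */
};

/* Possible outcomes of the (simplified) pod egress path. */
enum verdict { VERDICT_REDIRECT, VERDICT_PASS_TO_STACK, VERDICT_DROP };

#define RT_TABLE_MAIN 254 /* kernel id of the main routing table */
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

/* Constructed in-memory stand-in for a kernel FIB table (not Cilium's code). */
struct route { uint32_t prefix; uint8_t plen; int oif; };
struct fib_table { uint32_t id; int n; struct route routes[8]; };

/* Longest-prefix match restricted to a single table, as a tbid lookup is. */
static int fib_lookup(const struct fib_table *tbl, uint32_t daddr, int *oif)
{
	int best_len = -1, best_oif = 0;
	for (int i = 0; i < tbl->n; i++) {
		const struct route *r = &tbl->routes[i];
		uint32_t mask = r->plen ? 0xffffffffu << (32 - r->plen) : 0;
		if ((daddr & mask) == (r->prefix & mask) && r->plen > best_len) {
			best_len = r->plen;
			best_oif = r->oif;
		}
	}
	if (best_len < 0)
		return BPF_FIB_LKUP_RET_NOT_FWDED;
	*oif = best_oif;
	return BPF_FIB_LKUP_RET_SUCCESS;
}

/* Verdict logic before the change: NOT_FWDED always falls back to the stack. */
static enum verdict egress_verdict_old(const struct fib_table *tbl, uint32_t daddr, int *oif)
{
	if (fib_lookup(tbl, daddr, oif) == BPF_FIB_LKUP_RET_SUCCESS)
		return VERDICT_REDIRECT;
	return VERDICT_PASS_TO_STACK;
}

/* Verdict logic after the change: with an explicit tbid, NOT_FWDED is dropped
 * instead of being handed to the host stack. */
static enum verdict egress_verdict_new(const struct fib_table *tbl, bool explicit_tbid,
				       uint32_t daddr, int *oif)
{
	int ret = fib_lookup(tbl, daddr, oif);
	if (ret == BPF_FIB_LKUP_RET_SUCCESS)
		return VERDICT_REDIRECT;
	if (ret == BPF_FIB_LKUP_RET_NOT_FWDED && !explicit_tbid)
		return VERDICT_PASS_TO_STACK;
	return VERDICT_DROP;
}

/* Where the packet finally leaves. The host stack routes PASS_TO_STACK traffic
 * via the main table. Returns the egress ifindex, or -1 if dropped. */
static int final_oif(enum verdict v, int oif, const struct fib_table *main_tbl, uint32_t daddr)
{
	if (v == VERDICT_REDIRECT)
		return oif;
	if (v == VERDICT_PASS_TO_STACK &&
	    fib_lookup(main_tbl, daddr, &oif) == BPF_FIB_LKUP_RET_SUCCESS)
		return oif;
	return -1;
}

/* Constructed scenario: VRF table 100 was flushed, main table still has a
 * default route via ifindex 2; a populated variant routes 10.0.0.0/8 via 3. */
static const struct fib_table main_tbl   = { .id = RT_TABLE_MAIN, .n = 1,
					     .routes = { { IP4(0, 0, 0, 0), 0, 2 } } };
static const struct fib_table vrf_flushed = { .id = 100, .n = 0 };
static const struct fib_table vrf_routed  = { .id = 100, .n = 1,
					     .routes = { { IP4(10, 0, 0, 0), 8, 3 } } };

/* Egress ifindex for a pod packet to 10.1.2.3 sent with explicit tbid 100. */
int explicit_tbid_egress(bool new_behaviour, const struct fib_table *vrf)
{
	uint32_t daddr = IP4(10, 1, 2, 3);
	int oif = 0;
	enum verdict v = new_behaviour ? egress_verdict_new(vrf, true, daddr, &oif)
				       : egress_verdict_old(vrf, daddr, &oif);
	return final_oif(v, oif, &main_tbl, daddr);
}

int main(void)
{
	printf("flushed VRF, old logic: oif=%d (leaked via main table)\n",
	       explicit_tbid_egress(false, &vrf_flushed));
	printf("flushed VRF, new logic: oif=%d (dropped)\n",
	       explicit_tbid_egress(true, &vrf_flushed));
	printf("routed VRF,  new logic: oif=%d (forwarded inside the VRF)\n",
	       explicit_tbid_egress(true, &vrf_routed));
	return 0;
}
```

The first line of output is the symptom from the discussion: the old fallback lets a packet with no route in its own table pick up the main table's default route and leave on a link the VRF never chose. The new verdict turns that into a drop while leaving forwarding of properly routed VRF traffic unchanged.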

@ldelossa ldelossa requested a review from a team as a code owner March 30, 2026 14:30
@ldelossa ldelossa added area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. release-note/minor This PR changes functionality that users may find relevant to operating Cilium. labels Mar 30, 2026
Contributor

@aspsk aspsk left a comment


The change looks good.

Out of curiosity, was there a real use-case where this happened?

@ldelossa
Contributor Author

@aspsk not yet since we are still developing the 'VRF' isolation.

But in non-production testing this case has come up. Traffic we expected to get dropped when we flushed the VRF specific table was still traversing the host and going out the wrong link.

@julianwiedmann julianwiedmann added release-note/misc This PR makes changes that have no direct user impact. and removed release-note/minor This PR changes functionality that users may find relevant to operating Cilium. labels Mar 31, 2026
Member

@julianwiedmann julianwiedmann left a comment


> Traffic we expected to get dropped when we flushed the VRF specific table was still traversing the host and going out the wrong link.

Ah, I was wondering about that. Was expecting that such a dedicated routing table would always contain at least one default route that drops all matching traffic, so we don't leak into the regular routing setup. But that won't help if the whole dedicated table is flushed ...

Do not drop `BPF_FIB_LKUP_RET_NOT_FWDED` traffic when tbid is explicitly
set.

When tbid is explicitly set, we are forcing the pod's egress routing to
be part of a specific routing domain.

If this routing domain does not have a specific route toward the
destination we must drop it, not push it to stack.

A push to stack here would cause the egress packet to leak into the
stack's routing domain and potentially take an unexpected next hop to
the destination.

Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>
@ldelossa ldelossa force-pushed the ldelossa/drop-explicit-fib-cant-fwd branch from b900240 to d02705c Compare March 31, 2026 15:03
Member

@julianwiedmann julianwiedmann left a comment


ty!

@ldelossa
Contributor Author

/test

@cilium-ariane

cilium-ariane bot commented Mar 31, 2026

/test

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Mar 31, 2026
@ldelossa ldelossa added this pull request to the merge queue Mar 31, 2026
Merged via the queue into main with commit 4efca8d Mar 31, 2026
572 of 582 checks passed
@ldelossa ldelossa deleted the ldelossa/drop-explicit-fib-cant-fwd branch March 31, 2026 18:36