[v1.18] bpf: tests: egressgw improvements #43337
Merged
julianwiedmann merged 6 commits into v1.18 from Jan 5, 2026
/test
At least on v1.18 this is necessary to enable EGW and HostFW, otherwise one of the memcpy()'s in the RevSNAT path is rejected by the verifier. Not upstreaming this for now, since the same test config passes on the main branch.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

[ upstream commit 2bc33c2 ]

The memcpy() below expects the IPv6 address to be aligned.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

[ upstream commit d36dc8c ]

Replace open-coded occurrences with the appropriate helper.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

[ upstream commit 741109f ]

Let's validate that EGW replies (ext_endpoint -> EgressIP) make it through the ingress path on the GW node without being blocked by the HostFW. This relies on the following sequence
1. RevSNAT (turns the packet into ext_endpoint -> PodIP), then
2. HostFW ingress enforcement, which does an on-the-spot ipcache lookup for the daddr (PodIP) and breaks out if the matched identity is not HOST_ID.

Also enable HostFW in the "redirect_from_host" tests, even though this only tests the egress path on the GW node.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

[ upstream commit db404c0 ]

In order for this entry to be actually catch-all, we need to adjust its LPM prefix length. This matches the IPv4 path.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

[ upstream commit 4650e58 ]

In a real-world cluster we wouldn't actually expect the cluster-external endpoint to have a dedicated IPcache entry. Instead there's a catch-all entry that we should match against.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
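An added example, not code from this PR or from Cilium: a user-space C model of the lookup behaviour the last three commit messages describe. It shows that a zero-address entry only acts as a catch-all at prefix length 0, and that a reply rewritten by RevSNAT to the PodIP does not resolve to HOST_ID. The table layout, the addresses, the POD_ID and WORLD_ID values and the mis-sized /128 prefix are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <string.h>

#define HOST_ID  1u    /* reserved identity of the local host */
#define WORLD_ID 2u    /* identity assumed here for the catch-all entry */
#define POD_ID   1000u /* constructed pod identity */
struct lpm_entry { uint8_t addr[16]; uint8_t plen; uint32_t identity; };

/* Constructed addresses, not taken from the PR. */
static const uint8_t POD_IP[16]  = {0xfd, 0x00, [15] = 0x01};
static const uint8_t NODE_IP[16] = {0xfd, 0x00, [15] = 0x10};
static const uint8_t EXT_EP[16]  = {0x20, 0x01, 0x0d, 0xb8, [15] = 0x02};

/* 1 if the first plen bits of a and b are equal. */
static int prefix_match(const uint8_t *a, const uint8_t *b, uint8_t plen)
{
    uint8_t full = plen / 8, rem = plen % 8;
    uint8_t mask = rem ? (uint8_t)(0xff << (8 - rem)) : 0;
    return !memcmp(a, b, full) && (!rem || (a[full] & mask) == (b[full] & mask));
}

/* Identity of the longest matching prefix, 0 when no entry covers addr. */
uint32_t lpm_lookup(const struct lpm_entry *t, int n, const uint8_t *addr)
{
    int best = -1;
    uint32_t id = 0;
    for (int i = 0; i < n; i++)
        if (t[i].plen > best && prefix_match(t[i].addr, addr, t[i].plen)) {
            best = t[i].plen;
            id = t[i].identity;
        }
    return id;
}

/* Lookup with the zero-address entry installed at prefix length catchall_plen. */
uint32_t resolve(const uint8_t *addr, uint8_t catchall_plen)
{
    struct lpm_entry t[3] = { { {0}, catchall_plen, WORLD_ID },
                              { {0}, 128, HOST_ID }, { {0}, 128, POD_ID } };
    memcpy(t[1].addr, NODE_IP, 16);
    memcpy(t[2].addr, POD_IP, 16);
    return lpm_lookup(t, 3, addr);
}

/* Model of the HostFW ingress decision: enforce only when daddr is HOST_ID. */
int hostfw_enforces(const uint8_t *daddr) { return resolve(daddr, 0) == HOST_ID; }

int main(void) { return resolve(EXT_EP, 0) == WORLD_ID ? 0 : 1; }
```

With the zero-address entry at /128 the external endpoint matches nothing, which is why a test that gives the endpoint its own entry would not notice a mis-sized catch-all.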
0b7323d to 5ab0d37
/test
Manual backport of
Along with one v1.18-only patch to let us pass the verifier.

Once this PR is merged, a GitHub action will update the labels of these PRs: