[v1.18] bpf:wireguard: deliver host packets to bpf_host for ingress policies #43690
Merged
jrajahalme merged 3 commits into v1.18 (Jan 12, 2026)
[ upstream commit e3f4218 ] Context is always skbuff, therefore TC_ACT_OK; I just find the code more readable with the default CTX_ACT_OK, which in this case resolves to TC_ACT_OK. This is similar to what we do in bpf_overlay and others. While at it, move some code comments. Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
[ upstream commit 3c3b908d ] This revalidation is only required in the IPv4 path, while ipv6_local_delivery() doesn't take an `ip6` parameter. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
[ upstream commit 88e28e1 ] This effectively restores HostFw for WireGuard. Prior to this, we were erroneously always returning to the stack all packets destined for the local host, skipping the HostFw policies if enabled. With this patch, packets for the local host will always be delivered to cilium_net@egress, similarly to what we do in bpf_overlay after decap. With HostFw enabled, the to-host program in `cilium_host@ingress` will then enforce policies.

This patch does not affect packets for local endpoints:

* With BPF Host Routing: will be directly delivered to the pod, tail calling into its ep->lxc_id function to enforce ingress policies.
* Without BPF Host Routing: will return to the stack, which then goes to its to-container installed program to match ingress policies.

Trying to pull in the whole `host_firewall.h` and `policy.h` would require setting up bpf_wireguard similarly to what we do for bpf_host, meaning assigning an endpoint ID; otherwise host policies would block all host-related packets (ep id == 0). For this reason, we decide here to go through cilium_host.

From a bpf test perspective:

* no changes for packets to/from local endpoint INGRESS/EGRESS
* no changes for packets from local host EGRESS
* packets to local host INGRESS: differently from bpf_host, in WireGuard we always redirect to cilium_host@ingress.

While fixing these bits, let's move the superfluous `revalidate_data` post NodePort inside the NodePort code, as it is not needed otherwise.

Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
Author (Contributor): /test

jrajahalme approved these changes on Jan 12, 2026