bpf: pass through for after dmac translation for tunneling

Gets the case working where we have tunneling enabled and nodeport request comes in on the main device (not tunnel) from external source where the backend EP is local. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
dvandra · Jul 21, 2019 · c61b460 · c61b460
1 parent b8f8f33
commit c61b460
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 5 deletions.
diff --git a/bpf/bpf_netdev.c b/bpf/bpf_netdev.c
@@ -120,11 +120,13 @@ static inline int handle_ipv6(struct __sk_buff *skb, __u32 src_identity)
 		if (ret < 0)
 			return ret;
 	}
-
+#ifdef ENCAP_IFINDEX
+	return TC_ACT_OK;
+#endif /* ENCAP_IFINDEX */
 	/* Verifier workaround: modified ctx access. */
 	if (!revalidate_data(skb, &data, &data_end, &ip6))
 		return DROP_INVALID;
-#endif
+#endif /* ENABLE_NODEPORT */
 
 	nexthdr = ip6->nexthdr;
 	hdrlen = ipv6_hdrlen(skb, l3_off, &nexthdr);
@@ -289,11 +291,13 @@ static inline int handle_ipv4(struct __sk_buff *skb, __u32 src_identity)
 		if (ret < 0)
 			return ret;
 	}
-
+#ifdef ENCAP_IFINDEX
+	return TC_ACT_OK;
+#endif /* ENCAP_IFINDEX */
 	/* Verifier workaround: modified ctx access. */
 	if (!revalidate_data(skb, &data, &data_end, &ip4))
 		return DROP_INVALID;
-#endif
+#endif /* ENABLE_NODEPORT */
 
 	l4_off = ETH_HLEN + ipv4_hdrlen(ip4);
 	secctx = derive_ipv4_sec_ctx(skb, ip4);

diff --git a/bpf/lib/nodeport.h b/bpf/lib/nodeport.h
@@ -26,6 +26,11 @@
 
 #define CB_SRC_IDENTITY	0
 
+/* No nodeport on cilium_host interface. */
+#ifdef FROM_HOST
+# undef ENABLE_NODEPORT
+#endif
+
 static inline void tc_index_clear_nodeport(struct __sk_buff *skb)
 {
 #ifdef ENABLE_NODEPORT

diff --git a/daemon/bpf.sha b/daemon/bpf.sha
@@ -1,2 +1,2 @@
-GO_BINDATA_SHA1SUM=fead66db8a8bda1ef232a92b4acc9d7528e7de9e
+GO_BINDATA_SHA1SUM=8175dcb49e1a5213b4a45b281d6419512c623cc7
 BPF_FILES=../bpf/COPYING ../bpf/Makefile ../bpf/Makefile.bpf ../bpf/bpf_alignchecker.c ../bpf/bpf_features.h ../bpf/bpf_hostdev_ingress.c ../bpf/bpf_ipsec.c ../bpf/bpf_lb.c ../bpf/bpf_lxc.c ../bpf/bpf_netdev.c ../bpf/bpf_network.c ../bpf/bpf_overlay.c ../bpf/bpf_sock.c ../bpf/bpf_xdp.c ../bpf/cilium-map-migrate.c ../bpf/filter_config.h ../bpf/include/bpf/api.h ../bpf/include/elf/elf.h ../bpf/include/elf/gelf.h ../bpf/include/elf/libelf.h ../bpf/include/iproute2/bpf_elf.h ../bpf/include/linux/bpf.h ../bpf/include/linux/bpf_common.h ../bpf/include/linux/byteorder.h ../bpf/include/linux/byteorder/big_endian.h ../bpf/include/linux/byteorder/little_endian.h ../bpf/include/linux/icmp.h ../bpf/include/linux/icmpv6.h ../bpf/include/linux/if_arp.h ../bpf/include/linux/if_ether.h ../bpf/include/linux/if_packet.h ../bpf/include/linux/in.h ../bpf/include/linux/in6.h ../bpf/include/linux/ioctl.h ../bpf/include/linux/ip.h ../bpf/include/linux/ipv6.h ../bpf/include/linux/perf_event.h ../bpf/include/linux/swab.h ../bpf/include/linux/tcp.h ../bpf/include/linux/type_mapper.h ../bpf/include/linux/udp.h ../bpf/init.sh ../bpf/lib/arp.h ../bpf/lib/common.h ../bpf/lib/config.h ../bpf/lib/conntrack.h ../bpf/lib/conntrack_map.h ../bpf/lib/csum.h ../bpf/lib/dbg.h ../bpf/lib/drop.h ../bpf/lib/encap.h ../bpf/lib/eps.h ../bpf/lib/eth.h ../bpf/lib/events.h ../bpf/lib/icmp6.h ../bpf/lib/ipv4.h ../bpf/lib/ipv6.h ../bpf/lib/l3.h ../bpf/lib/l4.h ../bpf/lib/lb.h ../bpf/lib/lxc.h ../bpf/lib/maps.h ../bpf/lib/metrics.h ../bpf/lib/nat.h ../bpf/lib/nat46.h ../bpf/lib/nodeport.h ../bpf/lib/policy.h ../bpf/lib/tailcall.h ../bpf/lib/trace.h ../bpf/lib/utils.h ../bpf/lib/xdp.h ../bpf/lxc_config.h ../bpf/netdev_config.h ../bpf/node_config.h ../bpf/probes/raw_change_tail.t ../bpf/probes/raw_fib_lookup.t ../bpf/probes/raw_insn.h ../bpf/probes/raw_invalidate_hash.t ../bpf/probes/raw_lpm_map.t ../bpf/probes/raw_lru_map.t ../bpf/probes/raw_main.c ../bpf/probes/raw_map_val_adj.t ../bpf/probes/raw_mark_map_val.t ../bpf/probes/raw_sock_cookie.t ../bpf/run_probes.sh ../bpf/sockops/Makefile ../bpf/sockops/bpf_redir.c ../bpf/sockops/bpf_sockops.c ../bpf/sockops/bpf_sockops.h ../bpf/sockops/sockops_config.h