bpf: Replace invoke_tailcall_if with C if-else

dylandreimerink · dylandreimerink · commit d22d1b8f7b6d · 2025-10-06T09:51:21.000Z
We currently use the `invoke_tailcall_if` macro to conditionally
perform a tail call or inline the same function based on configuration.
This macro will only work with compile time constants. So since we are
preparing to move to load time configuration, we need to replace these
macros with regular if-else statements.

At present all conditionals are still compile time constants, so the
result should be the same. We simply rely on the compilers constant
propagation to optimize away the dead branches. The big difference will
be when conditionals are migrated to load time configuration.

We already have unused tail call pruning based on load time
configuration in place, so after this we should just be able to migrate
the conditionals to load time configuration one by one.

Signed-off-by: Dylan Reimerink &lt;dylan.reimerink@isovalent.com&gt;
diff --git a/bpf/bpf_host.c b/bpf/bpf_host.c
@@ -455,19 +455,22 @@ tail_handle_ipv6(struct __ctx_buff *ctx, __u32 ipcache_srcid, const bool from_ho
 			return ret;
 
 		ctx_store_meta(ctx, CB_SRC_LABEL, src_sec_identity);
-		if (from_host)
-			ret = invoke_tailcall_if(is_defined(ENABLE_HOST_FIREWALL),
-						 CILIUM_CALL_IPV6_CONT_FROM_HOST,
-						 tail_handle_ipv6_cont_from_host,
-						 &ext_err);
-		else
-			ret = invoke_tailcall_if(is_defined(ENABLE_HOST_FIREWALL),
-						 CILIUM_CALL_IPV6_CONT_FROM_NETDEV,
-						 tail_handle_ipv6_cont_from_netdev,
-						 &ext_err);
+		if (from_host) {
+			if (is_defined(ENABLE_HOST_FIREWALL))
+				ret = tail_call_internal(ctx, CILIUM_CALL_IPV6_CONT_FROM_HOST,
+							 &ext_err);
+			else
+				ret = tail_handle_ipv6_cont_from_host(ctx);
+		} else {
+			if (is_defined(ENABLE_HOST_FIREWALL))
+				ret = tail_call_internal(ctx, CILIUM_CALL_IPV6_CONT_FROM_NETDEV,
+							 &ext_err);
+			else
+				ret = tail_handle_ipv6_cont_from_netdev(ctx);
+		}
 	}
 
-	/* Catch errors from both handle_ipv6 and invoke_tailcall_if here. */
+	/* Catch errors from both handle_ipv6 and tail_call_internal here. */
 	if (IS_ERR(ret))
 		return send_drop_notify_error_ext(ctx, src_sec_identity, ret, ext_err,
 						  METRIC_INGRESS);
@@ -911,19 +914,22 @@ tail_handle_ipv4(struct __ctx_buff *ctx, __u32 ipcache_srcid, const bool from_ho
 			return ret;
 
 		ctx_store_meta(ctx, CB_SRC_LABEL, src_sec_identity);
-		if (from_host)
-			ret = invoke_tailcall_if(is_defined(ENABLE_HOST_FIREWALL),
-						 CILIUM_CALL_IPV4_CONT_FROM_HOST,
-						 tail_handle_ipv4_cont_from_host,
-						 &ext_err);
-		else
-			ret = invoke_tailcall_if(is_defined(ENABLE_HOST_FIREWALL),
-						 CILIUM_CALL_IPV4_CONT_FROM_NETDEV,
-						 tail_handle_ipv4_cont_from_netdev,
-						 &ext_err);
+		if (from_host) {
+			if (is_defined(ENABLE_HOST_FIREWALL))
+				ret = tail_call_internal(ctx, CILIUM_CALL_IPV4_CONT_FROM_HOST,
+							 &ext_err);
+			else
+				ret = tail_handle_ipv4_cont_from_host(ctx);
+		} else {
+			if (is_defined(ENABLE_HOST_FIREWALL))
+				ret = tail_call_internal(ctx, CILIUM_CALL_IPV4_CONT_FROM_NETDEV,
+							 &ext_err);
+			else
+				ret = tail_handle_ipv4_cont_from_netdev(ctx);
+		}
 	}
 
-	/* Catch errors from both handle_ipv4 and invoke_tailcall_if here. */
+	/* Catch errors from both handle_ipv4 and tail_call_internal here. */
 	if (IS_ERR(ret))
 		return send_drop_notify_error_ext(ctx, src_sec_identity, ret, ext_err,
 						  METRIC_INGRESS);
@@ -1805,24 +1811,22 @@ to_host_from_lxc(struct __ctx_buff *ctx)
 	case bpf_htons(ETH_P_IPV6):
 		ctx_store_meta(ctx, CB_SRC_LABEL, 0);
 		ctx_store_meta(ctx, CB_TRACED, 1);
-		ret = invoke_tailcall_if(__or(__and(is_defined(ENABLE_IPV4),
-						    is_defined(ENABLE_IPV6)),
-					      is_defined(DEBUG)),
-					 CILIUM_CALL_IPV6_TO_HOST_POLICY_ONLY,
-					 tail_ipv6_host_policy_ingress,
-					 &ext_err);
+		if ((is_defined(ENABLE_IPV4) && is_defined(ENABLE_IPV6)) || is_defined(DEBUG))
+			ret = tail_call_internal(ctx, CILIUM_CALL_IPV6_TO_HOST_POLICY_ONLY,
+						 &ext_err);
+		else
+			ret = tail_ipv6_host_policy_ingress(ctx);
 		break;
 # endif
 # ifdef ENABLE_IPV4
 	case bpf_htons(ETH_P_IP):
 		ctx_store_meta(ctx, CB_SRC_LABEL, 0);
 		ctx_store_meta(ctx, CB_TRACED, 1);
-		ret = invoke_tailcall_if(__or(__and(is_defined(ENABLE_IPV4),
-						    is_defined(ENABLE_IPV6)),
-					      is_defined(DEBUG)),
-					 CILIUM_CALL_IPV4_TO_HOST_POLICY_ONLY,
-					 tail_ipv4_host_policy_ingress,
-					 &ext_err);
+		if ((is_defined(ENABLE_IPV4) && is_defined(ENABLE_IPV6)) || is_defined(DEBUG))
+			ret = tail_call_internal(ctx, CILIUM_CALL_IPV4_TO_HOST_POLICY_ONLY,
+						 &ext_err);
+		else
+			ret = tail_ipv4_host_policy_ingress(ctx);
 		break;
 # endif
 	default:
diff --git a/bpf/bpf_lxc.c b/bpf/bpf_lxc.c
@@ -351,7 +351,11 @@ int NAME(struct __ctx_buff *ctx)						\
 		return drop_for_direction(ctx, DIR, DROP_INVALID_TC_BUFFER,	\
 					  ext_err);				\
 										\
-	ret = invoke_tailcall_if(CONDITION, TARGET_ID, TARGET_NAME, &ext_err);	\
+	if (CONDITION)								\
+		ret = tail_call_internal(ctx, TARGET_ID, &ext_err);		\
+	else									\
+		ret = TARGET_NAME(ctx);						\
+										\
 	if (IS_ERR(ret))							\
 		return drop_for_direction(ctx, DIR, ret, ext_err);		\
 										\
@@ -413,7 +417,11 @@ int NAME(struct __ctx_buff *ctx)						\
 		return drop_for_direction(ctx, DIR, DROP_INVALID_TC_BUFFER,	\
 					  ext_err);				\
 										\
-	ret = invoke_tailcall_if(CONDITION, TARGET_ID, TARGET_NAME, &ext_err);	\
+	if (CONDITION)								\
+		ret = tail_call_internal(ctx, TARGET_ID, &ext_err);		\
+	else									\
+		ret = TARGET_NAME(ctx);						\
+										\
 	if (IS_ERR(ret))							\
 		return drop_for_direction(ctx, DIR, ret, ext_err);		\
 										\
@@ -1916,7 +1924,7 @@ int tail_ipv6_to_endpoint(struct __ctx_buff *ctx)
 
 TAIL_CT_LOOKUP6(CILIUM_CALL_IPV6_CT_INGRESS_POLICY_ONLY,
 		tail_ipv6_ct_ingress_policy_only, CT_INGRESS,
-		__and(is_defined(ENABLE_IPV4), is_defined(ENABLE_IPV6)),
+		(is_defined(ENABLE_IPV4) && is_defined(ENABLE_IPV6)),
 		CILIUM_CALL_IPV6_TO_LXC_POLICY_ONLY, tail_ipv6_policy)
 
 TAIL_CT_LOOKUP6(CILIUM_CALL_IPV6_CT_INGRESS, tail_ipv6_ct_ingress, CT_INGRESS,
@@ -2267,7 +2275,7 @@ int tail_ipv4_to_endpoint(struct __ctx_buff *ctx)
 
 TAIL_CT_LOOKUP4(CILIUM_CALL_IPV4_CT_INGRESS_POLICY_ONLY,
 		tail_ipv4_ct_ingress_policy_only, CT_INGRESS,
-		__and(is_defined(ENABLE_IPV4), is_defined(ENABLE_IPV6)),
+		(is_defined(ENABLE_IPV4) && is_defined(ENABLE_IPV6)),
 		CILIUM_CALL_IPV4_TO_LXC_POLICY_ONLY, tail_ipv4_policy)
 
 TAIL_CT_LOOKUP4(CILIUM_CALL_IPV4_CT_INGRESS, tail_ipv4_ct_ingress, CT_INGRESS,
@@ -2302,17 +2310,21 @@ int cil_lxc_policy(struct __ctx_buff *ctx)
 	switch (proto) {
 #ifdef ENABLE_IPV6
 	case bpf_htons(ETH_P_IPV6):
-		ret = invoke_tailcall_if(__and(is_defined(ENABLE_IPV4), is_defined(ENABLE_IPV6)),
-					 CILIUM_CALL_IPV6_CT_INGRESS_POLICY_ONLY,
-					 tail_ipv6_ct_ingress_policy_only, &ext_err);
+		if (is_defined(ENABLE_IPV4) && is_defined(ENABLE_IPV6))
+			ret = tail_call_internal(ctx, CILIUM_CALL_IPV6_CT_INGRESS_POLICY_ONLY,
+						 &ext_err);
+		else
+			ret = tail_ipv6_ct_ingress_policy_only(ctx);
 		sec_label = SECLABEL_IPV6;
 		break;
 #endif /* ENABLE_IPV6 */
 #ifdef ENABLE_IPV4
 	case bpf_htons(ETH_P_IP):
-		ret = invoke_tailcall_if(__and(is_defined(ENABLE_IPV4), is_defined(ENABLE_IPV6)),
-					 CILIUM_CALL_IPV4_CT_INGRESS_POLICY_ONLY,
-					 tail_ipv4_ct_ingress_policy_only, &ext_err);
+		if (is_defined(ENABLE_IPV4) && is_defined(ENABLE_IPV6))
+			ret = tail_call_internal(ctx, CILIUM_CALL_IPV4_CT_INGRESS_POLICY_ONLY,
+						 &ext_err);
+		else
+			ret = tail_ipv4_ct_ingress_policy_only(ctx);
 		sec_label = SECLABEL_IPV4;
 		break;
 #endif /* ENABLE_IPV4 */
diff --git a/bpf/lib/nodeport.h b/bpf/lib/nodeport.h
@@ -1146,13 +1146,12 @@ int tail_nodeport_nat_ingress_ipv6(struct __ctx_buff *ctx)
 	ctx_skip_host_fw_set(ctx);
 # endif
 
-	ret = invoke_traced_tailcall_if(__or(__and(is_defined(ENABLE_HOST_FIREWALL),
-						   is_defined(IS_BPF_HOST)),
-					     __and(is_defined(ENABLE_IPV6_FRAGMENTS),
-						   is_defined(IS_BPF_XDP))),
-					CILIUM_CALL_IPV6_NODEPORT_REVNAT_INGRESS,
-					nodeport_rev_dnat_ingress_ipv6,
-					&trace, &ext_err);
+	if ((is_defined(ENABLE_HOST_FIREWALL) && is_defined(IS_BPF_HOST)) ||
+	    (is_defined(ENABLE_IPV6_FRAGMENTS) && is_defined(IS_BPF_XDP)))
+		ret = tail_call_internal(ctx, CILIUM_CALL_IPV6_NODEPORT_REVNAT_INGRESS, &ext_err);
+	else
+		ret = nodeport_rev_dnat_ingress_ipv6(ctx, &trace, &ext_err);
+
 	if (IS_ERR(ret))
 		goto drop_err;
 
@@ -2486,11 +2485,11 @@ int tail_nodeport_nat_ingress_ipv4(struct __ctx_buff *ctx)
 	 * Also let nodeport_rev_dnat_ipv4() redirect EgressGW
 	 * reply traffic into tunnel (see there for details).
 	 */
-	ret = invoke_traced_tailcall_if(__and(is_defined(ENABLE_HOST_FIREWALL),
-					      is_defined(IS_BPF_HOST)),
-					CILIUM_CALL_IPV4_NODEPORT_REVNAT,
-					nodeport_rev_dnat_ipv4,
-					&trace, &ext_err);
+	if (is_defined(ENABLE_HOST_FIREWALL) && is_defined(IS_BPF_HOST))
+		ret = tail_call_internal(ctx, CILIUM_CALL_IPV4_NODEPORT_REVNAT, &ext_err);
+	else
+		ret = nodeport_rev_dnat_ipv4(ctx, &trace, &ext_err);
+
 	if (IS_ERR(ret))
 		goto drop_err;
 
diff --git a/bpf/lib/nodeport_egress.h b/bpf/lib/nodeport_egress.h
@@ -682,28 +682,26 @@ handle_nat_fwd(struct __ctx_buff *ctx, __u32 cluster_id, __u32 src_id,
 	switch (proto) {
 #ifdef ENABLE_IPV4
 	case bpf_htons(ETH_P_IP):
-		ret = invoke_traced_tailcall_if(__or4(__and(is_defined(ENABLE_IPV4),
-							    is_defined(ENABLE_IPV6)),
-						      __and(is_defined(ENABLE_HOST_FIREWALL),
-							    is_defined(IS_BPF_HOST)),
-						      __and(is_defined(ENABLE_CLUSTER_AWARE_ADDRESSING),
-							    is_defined(ENABLE_INTER_CLUSTER_SNAT)),
-						      __and(is_defined(ENABLE_EGRESS_GATEWAY_COMMON),
-							    is_defined(IS_BPF_HOST))),
-						CILIUM_CALL_IPV4_NODEPORT_NAT_FWD,
-						handle_nat_fwd_ipv4, trace, ext_err);
+		if ((is_defined(ENABLE_IPV4) && is_defined(ENABLE_IPV6)) ||
+		    (is_defined(ENABLE_HOST_FIREWALL) && is_defined(IS_BPF_HOST)) ||
+		    (is_defined(ENABLE_CLUSTER_AWARE_ADDRESSING) &&
+		     is_defined(ENABLE_INTER_CLUSTER_SNAT)) ||
+		    (is_defined(ENABLE_EGRESS_GATEWAY_COMMON) && is_defined(IS_BPF_HOST)))
+			ret = tail_call_internal(ctx, CILIUM_CALL_IPV4_NODEPORT_NAT_FWD,
+						 ext_err);
+		else
+			ret = handle_nat_fwd_ipv4(ctx, trace, ext_err);
 		break;
 #endif /* ENABLE_IPV4 */
 #ifdef ENABLE_IPV6
 	case bpf_htons(ETH_P_IPV6):
-		ret = invoke_traced_tailcall_if(__or3(__and(is_defined(ENABLE_IPV4),
-							    is_defined(ENABLE_IPV6)),
-						      __and(is_defined(ENABLE_HOST_FIREWALL),
-							    is_defined(IS_BPF_HOST)),
-						      __and(is_defined(ENABLE_EGRESS_GATEWAY_COMMON),
-							    is_defined(IS_BPF_HOST))),
-						CILIUM_CALL_IPV6_NODEPORT_NAT_FWD,
-						handle_nat_fwd_ipv6, trace, ext_err);
+		if ((is_defined(ENABLE_IPV4) && is_defined(ENABLE_IPV6)) ||
+		    (is_defined(ENABLE_HOST_FIREWALL) && is_defined(IS_BPF_HOST)) ||
+		    (is_defined(ENABLE_EGRESS_GATEWAY_COMMON) && is_defined(IS_BPF_HOST)))
+			ret = tail_call_internal(ctx, CILIUM_CALL_IPV6_NODEPORT_NAT_FWD,
+						 ext_err);
+		else
+			ret = handle_nat_fwd_ipv6(ctx, trace, ext_err);
 		break;
 #endif /* ENABLE_IPV6 */
 	default:
diff --git a/bpf/lib/tailcall.h b/bpf/lib/tailcall.h
@@ -135,34 +135,3 @@ tail_call_internal(struct __ctx_buff *ctx, const __u32 index, __s8 *ext_err)
 		*ext_err = (__s8)index;
 	return DROP_MISSED_TAIL_CALL;
 }
-
-/* invoke_tailcall_if() is a helper which based on COND either selects to emit
- * a tail call for the underlying function when true or emits it as inlined
- * when false. COND can be selected by one or multiple compile time flags.
- *
- * [...]
- * invoke_tailcall_if(__and(is_defined(ENABLE_IPV4), is_defined(ENABLE_IPV6)),
- *                    CILIUM_CALL_FOO, foo_fn);
- * [...]
- *
- * The loader will only load tail calls if they are invoked at least once.
- */
-
-#define __invoke_tailcall_if_0(NAME, FUNC, EXT_ERR)			\
-	FUNC(ctx)
-#define __invoke_tailcall_if_1(NAME, FUNC, EXT_ERR)			\
-	({								\
-		tail_call_internal(ctx, NAME, EXT_ERR);			\
-	})
-#define invoke_tailcall_if(COND, NAME, FUNC, EXT_ERR)			\
-	__eval(__invoke_tailcall_if_, COND)(NAME, FUNC, EXT_ERR)
-
-#define __invoke_traced_tailcall_if_0(NAME, FUNC, TRACE, EXT_ERR)	\
-	FUNC(ctx, TRACE, EXT_ERR)
-#define __invoke_traced_tailcall_if_1(NAME, FUNC, TRACE, EXT_ERR)	\
-	({								\
-		tail_call_internal(ctx, NAME, EXT_ERR);			\
-	})
-#define invoke_traced_tailcall_if(COND, NAME, FUNC, TRACE, EXT_ERR)	\
-	__eval(__invoke_traced_tailcall_if_, COND)(NAME, FUNC, TRACE,	\
-						   EXT_ERR)
