bpf: use tail calls to run host firewall in cil_to_host

to tackle the complexity issue introduced by the previous commit in cil_to_host in the bpf_host program, use the already existing CILIUM_CALL_IPV{4,6}_TO_HOST_POLICY_ONLY tail calls to handle the enforcement of the ingress host firewall policies Signed-off-by: Gilberto Bertin <jibi@cilium.io>
aanm · Jun 7, 2024 · 3c3e769 · 3c3e769
1 parent ee10671
commit 3c3e769
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 4 deletions.
diff --git a/bpf/bpf_host.c b/bpf/bpf_host.c
@@ -1675,12 +1675,16 @@ int cil_to_host(struct __ctx_buff *ctx)
 # endif
 # ifdef ENABLE_IPV6
 	case bpf_htons(ETH_P_IPV6):
-		ret = ipv6_host_policy_ingress(ctx, &src_id, &trace, &ext_err);
+		ctx_store_meta(ctx, CB_SRC_LABEL, src_id);
+		ctx_store_meta(ctx, CB_TRACED, traced);
+		ret = tail_call_internal(ctx, CILIUM_CALL_IPV6_TO_HOST_POLICY_ONLY, &ext_err);
 		break;
 # endif
 # ifdef ENABLE_IPV4
 	case bpf_htons(ETH_P_IP):
-		ret = ipv4_host_policy_ingress(ctx, &src_id, &trace, &ext_err);
+		ctx_store_meta(ctx, CB_SRC_LABEL, src_id);
+		ctx_store_meta(ctx, CB_TRACED, traced);
+		ret = tail_call_internal(ctx, CILIUM_CALL_IPV4_TO_HOST_POLICY_ONLY, &ext_err);
 		break;
 # endif
 	default:
@@ -1714,14 +1718,21 @@ int tail_ipv6_host_policy_ingress(struct __ctx_buff *ctx)
 		.reason = TRACE_REASON_UNKNOWN,
 		.monitor = 0,
 	};
-	__u32 src_id = 0;
+	__u32 src_id = ctx_load_meta(ctx, CB_SRC_LABEL);
+	bool traced = ctx_load_meta(ctx, CB_TRACED);
 	int ret;
 	__s8 ext_err = 0;
 
 	ret = ipv6_host_policy_ingress(ctx, &src_id, &trace, &ext_err);
 	if (IS_ERR(ret))
 		return send_drop_notify_error_ext(ctx, src_id, ret, ext_err,
 						  CTX_ACT_DROP, METRIC_INGRESS);
+
+	if (!traced)
+		send_trace_notify(ctx, TRACE_TO_STACK, src_id, UNKNOWN_ID,
+				  TRACE_EP_ID_UNKNOWN,
+				  CILIUM_IFINDEX, trace.reason, trace.monitor);
+
 	return ret;
 }
 #endif /* ENABLE_IPV6 */
@@ -1735,14 +1746,21 @@ int tail_ipv4_host_policy_ingress(struct __ctx_buff *ctx)
 		.reason = TRACE_REASON_UNKNOWN,
 		.monitor = TRACE_PAYLOAD_LEN,
 	};
-	__u32 src_id = 0;
+	__u32 src_id = ctx_load_meta(ctx, CB_SRC_LABEL);
+	bool traced = ctx_load_meta(ctx, CB_TRACED);
 	int ret;
 	__s8 ext_err = 0;
 
 	ret = ipv4_host_policy_ingress(ctx, &src_id, &trace, &ext_err);
 	if (IS_ERR(ret))
 		return send_drop_notify_error_ext(ctx, src_id, ret, ext_err,
 						  CTX_ACT_DROP, METRIC_INGRESS);
+
+	if (!traced)
+		send_trace_notify(ctx, TRACE_TO_STACK, src_id, UNKNOWN_ID,
+				  TRACE_EP_ID_UNKNOWN,
+				  CILIUM_IFINDEX, trace.reason, trace.monitor);
+
 	return ret;
 }
 #endif /* ENABLE_IPV4 */
@@ -1770,6 +1788,8 @@ to_host_from_lxc(struct __ctx_buff *ctx __maybe_unused)
 # endif
 # ifdef ENABLE_IPV6
 	case bpf_htons(ETH_P_IPV6):
+		ctx_store_meta(ctx, CB_SRC_LABEL, 0);
+		ctx_store_meta(ctx, CB_TRACED, 1);
 		ret = invoke_tailcall_if(__or(__and(is_defined(ENABLE_IPV4),
 						    is_defined(ENABLE_IPV6)),
 					      is_defined(DEBUG)),
@@ -1780,6 +1800,8 @@ to_host_from_lxc(struct __ctx_buff *ctx __maybe_unused)
 # endif
 # ifdef ENABLE_IPV4
 	case bpf_htons(ETH_P_IP):
+		ctx_store_meta(ctx, CB_SRC_LABEL, 0);
+		ctx_store_meta(ctx, CB_TRACED, 1);
 		ret = invoke_tailcall_if(__or(__and(is_defined(ENABLE_IPV4),
 						    is_defined(ENABLE_IPV6)),
 					      is_defined(DEBUG)),

diff --git a/bpf/lib/common.h b/bpf/lib/common.h
@@ -829,6 +829,7 @@ enum {
 #define CB_SRV6_SID_2		CB_IFINDEX	/* Alias, non-overlapping */
 #define CB_CLUSTER_ID_EGRESS	CB_IFINDEX	/* Alias, non-overlapping */
 #define CB_HSIPC_ADDR_V4	CB_IFINDEX	/* Alias, non-overlapping */
+#define CB_TRACED		CB_IFINDEX	/* Alias, non-overlapping */
 	CB_POLICY,
 #define	CB_ADDR_V6_2		CB_POLICY	/* Alias, non-overlapping */
 #define CB_SRV6_SID_3		CB_POLICY	/* Alias, non-overlapping */