[BPF/SNAT] Improve code readability and complexity of the datapath #19712

sahid · 2022-05-06T07:32:14Z

This is addressing issue #19660.

Split the snat_v{4,6}_process() functions into nat_snat_v{4,6}() and nat_rev_snat_v{4,6}().

The proposed change would not only improve the readability of the datapath code, but also should reduce the verifier complexity of the code path which is responsible for doing the rev-SNAT translations, as no new SNAT mapping needs to be find for this code path (only the lookup in the BPF SNAT map).

Fixes: #19660

Masquerading bpf mode -  Improve code readability and comlexity of the datapath.

sahid · 2022-05-06T07:47:33Z

This is currently only addressing IPv4. I would appreciate comments before starting working on IPv6. Thanks a lot.

sahid · 2022-05-06T11:20:56Z

Looks like the complexity increased libbpf: Program too large (4102 insns), at most 4096 insns KI'm wondering if the problem is not coming from this commit: b3d8c9b

sahid · 2022-05-06T15:08:57Z

Looks like the complexity increased libbpf: Program too large (4102 insns), at most 4096 insns KI'm wondering if the problem is not coming from this commit: b3d8c9b

~~I have made comparisons with an other PR executing k8s-1.22-kernel-4.19 [0] It seems my change is introducing new instructions with test_cilium_ipcache (not sure what is that sorry).~~

My change here which does factor the code of test_bpf_ct_prog should probably undefine IPCACHE4_PREFIXES and IPCACHE6_PREFIXES as they were not enabled originally.

[0] https://jenkins.cilium.io/job/Cilium-PR-K8s-1.22-kernel-4.19/1293/consoleText

sahid · 2022-05-10T10:55:14Z

@brb Hello, the verifier does not look to have appreciated the split here:
3a137c0

I have isolated the commit

b6127504bd (HEAD -> issues/19660-wip) bpf/nat: split v4_process in v4_nat and v4_rev_nat
6b57b5257c (upstream/master) fqdn/dnsproxy: Improve error wrapping

Then ran verifier locally

vagrant@k8s1:~/go/src/github.com/cilium/cilium$ uname -r
4.19.190-0419190-generic

vagrant@k8s1:~/go/src/github.com/cilium/cilium$ make -C bpf && sudo test/bpf/verifier-test.sh
...
processed 1573 insns (limit 131072), stack depth 232
libbpf: load bpf program failed: Argument list too long
libbpf: Program too large (4524 insns), at most 4096 insns
libbpf: failed to load program 'tail_nodeport_nat_ipv4'

Any idea?

sahid · 2022-05-10T14:04:58Z

My feeling is that, we are using inline functions which duplicates the number of instructions... I start to think this refactoring will not work. We should probablly just consider to split the logic inside v4_process() based on dir.

brb · 2022-05-11T09:23:15Z

Any idea?

Without seeing the full verifier log it's difficult to answer.

Anyway, my idea was to get rid of snat_v4_process() completely instead of making it call snat_v4_nat() / snat_v4_rev_nat() depending on the dir. The latter two would be called by functions which call snat_v4_process() today. This might require adding new tail calls.

sayboras · 2022-09-12T09:39:30Z

/test

Job 'Cilium-PR-K8s-1.23-kernel-5.4' failed:

Click to show.

Test Name

K8sUpdates Tests upgrade and downgrade from a Cilium stable image to master

Failure Output

FAIL: Timed out after 30.001s.

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.23-kernel-5.4 so I can create one.

bpf/lib/nat.h

pchaigno · 2022-09-16T10:48:53Z

/test

bpf/lib/nat.h

This split snat_v4_process() to introduce two functions: snat_v4_nat() and snat_v4_rev_nat(). This does not change logic, it is expected to reduce verifier complexity and improve code maintenability. Fixes: cilium#19660 Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@industrialdiscipline.com>

This split snat_v6_process() to introduce two functions: snat_v6_nat() and snat_v6_rev_nat(). This does not change logic, it is expected to reduce verifier complexity and improve code maintenability. Fixes: cilium#19660 Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@industrialdiscipline.com>

In this desire of continuing improving code quality and verifier complexity. This patch is splitting snat_v*_can_skip into two functions. Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@industrialdiscipline.com>

In this desire of continuing improving code quality and verifier complexity. This patch is splitting snat_v*_handle_mapping into two functions. Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@industrialdiscipline.com>

This is introducting and using snat_v*_init_tuple() to set initial values for the ct tuple. Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@industrialdiscipline.com>

It's redondante variable that does not look to bring any value. Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@industrialdiscipline.com>

brb · 2022-09-19T12:14:40Z

/test

sahid requested a review from a team as a code owner May 6, 2022 07:32

sahid requested a review from a team May 6, 2022 07:32

sahid requested review from a team as code owners May 6, 2022 07:32

maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label May 6, 2022

sahid requested review from kkourt and nbusseneau May 6, 2022 07:32

sahid mentioned this pull request May 6, 2022

[SNAT] add "need to frag" ICMP support #18414

Merged