Skip to content

bpf: lxc: avoid upgrade/downgrade woes with CB_FROM_TUNNEL in IPv6 path #29304

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 22, 2023
Merged

bpf: lxc: avoid upgrade/downgrade woes with CB_FROM_TUNNEL in IPv6 path #29304

merged 1 commit into from
Nov 22, 2023

Conversation

julianwiedmann
Copy link
Member

#28920 introduced usage of CB_FROM_TUNNEL in the IPv6 ingress tail-call. But unless all calling programs get upgraded/downgraded in very specific order (so that while this version of the tail-call is installed, all in-flight skbs have their CB_FROM_TUNNEL populated), some packets potentially miss the tunnel-specific processing that tail_ipv6_policy() is meant to apply. In particular their type might not get switched to PACKET_HOST, resulting in drops with SKB_DROP_REASON_OTHERHOST.

So we need to take a two-step approach - first roll out the support for CB_FROM_TUNNEL into all callers, but wait until a subsequent release (1.16) before tail_ipv6_policy() starts using it. Thus even on a downgrade to 1.15, all callers will continue to populate CB_FROM_TUNNEL.

Reported-by: Martynas Pumputis m@lambda.lt

@julianwiedmann
bpf: lxc: avoid upgrade/downgrade woes with CB_FROM_TUNNEL in IPv6 path
c989e56 
cilium#28920 introduced usage of
CB_FROM_TUNNEL in the IPv6 ingress tail-call. But unless all calling
programs get upgraded/downgraded in *very* specific order (so that while
this version of the tail-call is installed, *all* in-flight skbs have their
CB_FROM_TUNNEL populated), some packets potentially miss the
tunnel-specific processing that tail_ipv6_policy() is meant to apply. In
particular their type might not get switched to PACKET_HOST, resulting in
drops with SKB_DROP_REASON_OTHERHOST.

So we need to take a two-step approach - first roll out the support for
CB_FROM_TUNNEL into all callers, but wait until a subsequent release (1.16)
before tail_ipv6_policy() starts using it. Thus even on a downgrade to
1.15, all callers will continue to populate CB_FROM_TUNNEL.

Reported-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@julianwiedmann julianwiedmann added kind/bug This is a bug in the Cilium logic. area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. release-note/misc This PR makes changes that have no direct user impact. feature/ipv6 Relates to IPv6 protocol support labels Nov 21, 2023
@julianwiedmann
Copy link
Member Author

/test

@julianwiedmann julianwiedmann requested a review from brb November 21, 2023 13:28
@julianwiedmann julianwiedmann added the dont-merge/discussion A discussion is ongoing and should be resolved before merging, regardless of reviews & tests status. label Nov 21, 2023
@julianwiedmann julianwiedmann marked this pull request as ready for review November 21, 2023 13:29
@julianwiedmann julianwiedmann requested a review from a team as a code owner November 21, 2023 13:29
brb added a commit that referenced this pull request Nov 21, 2023
@brb
WIP: test #29304
8f1fca4 
Signed-off-by: Martynas Pumputis <m@lambda.lt>
@julianwiedmann julianwiedmann removed the dont-merge/discussion A discussion is ongoing and should be resolved before merging, regardless of reviews & tests status. label Nov 21, 2023
brb
brb reviewed Nov 21, 2023
View reviewed changes
brb
brb approved these changes Nov 22, 2023
View reviewed changes
Copy link
Member

@brb brb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Nov 22, 2023
@brb brb merged commit ad12010 into cilium:main Nov 22, 2023
@julianwiedmann julianwiedmann deleted the 1.15-bpf-lxc-updown branch November 22, 2023 07:05
brb added a commit that referenced this pull request Nov 22, 2023
@brb
WIP: test #29304
f22e32a 
Signed-off-by: Martynas Pumputis <m@lambda.lt>
julianwiedmann added a commit to julianwiedmann/cilium that referenced this pull request Jan 15, 2024
@julianwiedmann
bpf: lxc: remove CB_FROM_TUNNEL upgrade toleration for IPv6
8728877 
This workaround was added by cilium#29304 to
deal with up-/downgrade troubles between v1.14 and v1.15.

As the comment says, we can now remove this workaround for the 1.16 devel
cycle.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@julianwiedmann julianwiedmann mentioned this pull request Jan 15, 2024
Merged
github-merge-queue bot pushed a commit that referenced this pull request Jan 15, 2024
@julianwiedmann
bpf: lxc: remove CB_FROM_TUNNEL upgrade toleration for IPv6
80ebd70 
This workaround was added by #29304 to
deal with up-/downgrade troubles between v1.14 and v1.15.

As the comment says, we can now remove this workaround for the 1.16 devel
cycle.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
derailed pushed a commit to derailed/cilium that referenced this pull request Jan 24, 2024
@julianwiedmann @derailed
bpf: lxc: remove CB_FROM_TUNNEL upgrade toleration for IPv6
01259ea 
This workaround was added by cilium#29304 to
deal with up-/downgrade troubles between v1.14 and v1.15.

As the comment says, we can now remove this workaround for the 1.16 devel
cycle.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@brb brb brb approved these changes

Assignees
No one assigned
Labels
area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. feature/ipv6 Relates to IPv6 protocol support kind/bug This is a bug in the Cilium logic. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/misc This PR makes changes that have no direct user impact.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@julianwiedmann @brb