Skip to content

bpf: nat: ICMP v4 improvements #36767

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jan 7, 2025
Merged

bpf: nat: ICMP v4 improvements #36767

merged 3 commits into from
Jan 7, 2025

Conversation

julianwiedmann
Copy link
Member

@julianwiedmann julianwiedmann commented Dec 23, 2024
edited
Loading

Simplify the ICMP_DEST_UNREACH support, and add support for ICMP_TIME_EXCEEDED.

@julianwiedmann
bpf: nat: cover all IPv4 DEST_UNREACH codes
8d101bc 
There's nothing special about the other known code points. Handle them the
same way as the currently supported code points.

Suggested-by: Gilberto Bertin <jibi@cilium.io>
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@julianwiedmann
bpf: nat: support IPv4 NAT for ICMP_TIME_EXCEEDED
e6c405b 
Allow Time-Exceeded packets to pass through the BPF NAT engine.

SNAT / RevSNAT is applied similar to other types of ICMP Error messages.
We identify the inner packet, match it against an SNAT session, and use
the NAT entry to rewrite both the outer and inner headers.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@julianwiedmann
bpf: clarify DROP_UNKNOWN_ICMP_* macros
51fdf12 
Align the naming with their IPv6 variant, so it's perfectly clear that
these are related to IPv4.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@julianwiedmann julianwiedmann added area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. release-note/misc This PR makes changes that have no direct user impact. feature/snat Relates to SNAT or Masquerading of traffic labels Dec 23, 2024
@julianwiedmann
Copy link
Member Author

/test

@julianwiedmann julianwiedmann changed the title 1.18 bpf snat icmp bpf: nat: ICMP v4 improvements Dec 23, 2024
@julianwiedmann julianwiedmann marked this pull request as ready for review December 23, 2024 13:06
@julianwiedmann julianwiedmann requested a review from a team as a code owner December 23, 2024 13:06
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jan 7, 2025
@julianwiedmann julianwiedmann added this pull request to the merge queue Jan 7, 2025
Merged via the queue into cilium:main with commit b1652e8 Jan 7, 2025
70 checks passed
@julianwiedmann julianwiedmann deleted the 1.18-bpf-snat-icmp branch January 7, 2025 18:08
@julianwiedmann julianwiedmann mentioned this pull request May 5, 2025
Merged
1 task
@julianwiedmann julianwiedmann added the backport-pending/1.17 The backport for Cilium 1.17.x for this PR is in progress. label May 5, 2025
@julianwiedmann julianwiedmann mentioned this pull request May 5, 2025
Merged
@github-actions github-actions bot added backport-done/1.17 The backport for Cilium 1.17.x for this PR is done. and removed backport-pending/1.17 The backport for Cilium 1.17.x for this PR is in progress. labels May 12, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ldelossa ldelossa ldelossa approved these changes

Assignees
No one assigned
Labels
area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. backport-done/1.17 The backport for Cilium 1.17.x for this PR is done. feature/snat Relates to SNAT or Masquerading of traffic ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/misc This PR makes changes that have no direct user impact.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@julianwiedmann @ldelossa