bpf:wireguard: reuse MARK_MAGIC_ENCRYPT for encrypted packets #39651
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
1 task
be3d7fb to
f6dc8c5
Compare
|
Going to test this. Given the backport hasn't landed yet, I'd expect all upgrades/downgrades tests to fail, while the other ones should be green. Let's see if this meets my expectations. |
|
/test |
|
As expected, all tests are passing except downgrade/upgrade from/to the previous Cilium version, as the backport is not merged yet. |
This commit protects current usages of MARK_MAGIC_ENCRYPT and MARK_MAGIC_DECRYPT for only when IPSec is enabled. This should make sure that in case of further re-using such marks or overlapping marks we do not hit unexpected codepaths. Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
In previous commits we've protected previous usages of MARK_MAGIC_ENCRYPT in the IPSec codepaths. This means that now we shoudl be able to reuse such mark also in the WireGuard codepaths, to signal already-encrypted packets. This helps us simplifying our mark logic, which sometimes needs to carry 1 bit from the k8s mark space. Hopefully, by protecting all codepaths, we should be able to use only our space. A previous backport to v1.17 has been submitted: in v1.17, we still use MARK_MAGIC_WG_ENCRYPTED. During downgrades from v1.18, we wouldn't be able to tell that a packet marked with MARK_MAGIC_ENCRYPT has been WG-encrypted. With the patch being backported, we should support smooth upgrades/downgrades without disruptions. Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
f6dc8c5 to
457fc7e
Compare
rgo3
approved these changes
Jun 6, 2025
|
/test [Backport Done, expecting e2e-upgrade to work] [e2e-upgrade 🟢 passed with no conn disruptions, running again to make sure] [e2e-upgrade 🟢 passed again except an unrelated flake, running again to make sure] [e2e-upgrade 🟢 passed again, marking as ready-for-review] |
pchaigno
approved these changes
Jun 10, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
By protecting previous usages of MARK_MAGIC_ENCRYPT in the IPSec codepaths, we should be able to reuse such mark also to signal WG-encrypted packets. This allows us to save the bit from the k8s mark space and use our host mask.
A backport patch to v1.17 has been submitted #39652 to be able to recognize WG-encrypted packets in the previous version, which still uses MARK_MAGIC_WG_ENCRYPTED, during downgrades. As soon as it gets merged,
ci-e2e-upgradetests should pass.