Skip to content

[v1.17] bpf:wireguard: reuse MARK_MAGIC_ENCRYPT for encrypted packets #39652

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jun 6, 2025
Merged

[v1.17] bpf:wireguard: reuse MARK_MAGIC_ENCRYPT for encrypted packets #39652

merged 2 commits into from
Jun 6, 2025

Conversation

smagnani96
Copy link
Contributor

Manual backport of:

With this patch, we protect previous usages of MARK_MAGIC_ENCRYPT which refer only to the IPSec codepath.
In v1.18, we start using that mark to signal also WireGuard encrypted packets, replacing the old MARK_MAGIC_WG_ENCRYPTED that overlaps with the k8s mark space.
This means that v1.17 needs to be able to understand that mark too in the WireGuard codepaths.

Once this PR is merged, a GitHub action will update the labels of these PRs:

 39651

@smagnani96 smagnani96 added kind/backports This PR provides functionality previously merged into master. backport/1.17 This PR represents a backport for Cilium 1.17.x of a PR that was merged to main. labels May 21, 2025
@smagnani96 smagnani96 force-pushed the pr/smagnani96/wg-reuse-ipsec-magic-encrypt-v1.17 branch from 247e889 to b724466 Compare May 21, 2025 11:39
smagnani96 added 2 commits May 21, 2025 15:10
@smagnani96
bpf: protect MARK_MAGIC_{EN,DE}CRYPT in the IPSec path
090ef5e 
[ upstream commit 294818e ]

This commit protects current usages of MARK_MAGIC_ENCRYPT and
MARK_MAGIC_DECRYPT for only when IPSec is enabled. This should make sure
that in case of further re-using such marks or overlapping marks we do
not hit unexpected codepaths.

Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
@smagnani96
bpf:wireguard: handle downgrades from v1.18 with MARK_MAGIC_ENCRYPT
3d77b7a 
This commit adds the minimal logic to v1.17 to handle downgrades from
v1.18, where we started to use the MARK_MAGIC_ENCRYPT also in the
WireGuard codepath to signal encrypted packets post to-wireguard hook.
Therefore, here the ctx_mark_is_wireguard() function should handle that
case. We protected previous usages of that mark in the IPSec codepath,
so here we should be safe.

Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
@smagnani96 smagnani96 force-pushed the pr/smagnani96/wg-reuse-ipsec-magic-encrypt-v1.17 branch from b724466 to 3d77b7a Compare May 21, 2025 13:10
@smagnani96
Copy link
Contributor Author

/test

@smagnani96 smagnani96 requested a review from pchaigno June 5, 2025 10:14
@smagnani96 smagnani96 self-assigned this Jun 5, 2025
@smagnani96 smagnani96 marked this pull request as ready for review June 5, 2025 10:27
@smagnani96 smagnani96 requested a review from a team as a code owner June 5, 2025 10:27
@smagnani96 smagnani96 requested a review from rgo3 June 5, 2025 10:28
@smagnani96 smagnani96 mentioned this pull request Jun 5, 2025
Merged
rgo3
rgo3 approved these changes Jun 5, 2025
View reviewed changes
Copy link
Contributor

@rgo3 rgo3 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jun 5, 2025
@pchaigno pchaigno added this pull request to the merge queue Jun 6, 2025
Merged via the queue into v1.17 with commit cd96dd2 Jun 6, 2025
455 of 460 checks passed
@pchaigno pchaigno deleted the pr/smagnani96/wg-reuse-ipsec-magic-encrypt-v1.17 branch June 6, 2025 09:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pchaigno pchaigno pchaigno approved these changes

@rgo3 rgo3 rgo3 approved these changes

Assignees

@smagnani96 smagnani96

Labels
backport/1.17 This PR represents a backport for Cilium 1.17.x of a PR that was merged to main. kind/backports This PR provides functionality previously merged into master. ready-to-merge This PR has passed all tests and received consensus from code owners to merge.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@smagnani96 @pchaigno @rgo3