Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: eBPF ingress/egress TC program for cilium external LB #2710

Merged
merged 19 commits into from
May 30, 2024
Merged

feat: eBPF ingress/egress TC program for cilium external LB #2710

merged 19 commits into from
May 30, 2024

Conversation

camrynl
Copy link
Contributor

@camrynl camrynl commented Apr 25, 2024

Reason for Change:

This is a POC for fixing external load balancer services on Cilium dual stack clusters. This PR includes both ingress and egress tc programs that convert a link local address to global unicast and vice versa, respectively.

Issue Fixed:

cilium/cilium#31326

Requirements:

Notes:

@camrynl camrynl requested a review from a team as a code owner April 25, 2024 18:02
@camrynl camrynl requested a review from spencermckee April 25, 2024 18:02
@rbtr
Copy link
Contributor

rbtr commented Apr 25, 2024

Is this susceptible to the same ordering issues being discussed here? I notice you're trying to attach to Cilium's qdisc

@camrynl
Copy link
Contributor Author

camrynl commented Apr 25, 2024

I've been testing these latest changes on a cluster with cilium's --bpf-filter-priority=2.

Previously, I did see that my filters would get removed if I tried using the same pref + handle as cilium and restarted pods. When my filters are set at prior 1 and cilium at prior 2, I haven't had any issues with the filters deleting after restarting cilium

filter protocol all pref 1 bpf chain 0
filter protocol all pref 1 bpf chain 0 handle 0x1 ingress_filter direct-action not_in_hw id 953 tag eedbf352a3397a97 jited
filter protocol all pref 2 bpf chain 0
filter protocol all pref 2 bpf chain 0 handle 0x1 cil_from_netdev-eth0 direct-action not_in_hw id 6373 tag 2929474d7184a654 jited

filter protocol all pref 1 bpf chain 0
filter protocol all pref 1 bpf chain 0 handle 0x1 egress_filter direct-action not_in_hw id 952 tag ae5bd94fad468f22 jited
filter protocol all pref 2 bpf chain 0
filter protocol all pref 2 bpf chain 0 handle 0x1 cil_to_netdev-eth0 direct-action not_in_hw id 6952 tag a0c933d81fd07f41 jited

Later I plan to install the program using an initcontainer from the cilium or cns daemonset, so I'm not sure if this will change the behavior.

vipul-21
vipul-21 reviewed May 1, 2024
View reviewed changes
bpf-tc/README Outdated Show resolved Hide resolved
Makefile Outdated Show resolved Hide resolved
bpf-tc/README Outdated Show resolved Hide resolved
bpf-tc/pkg/egress/egress_bpfeb.o Outdated Show resolved Hide resolved
bpf-tc/pkg/egress/egress.go Outdated Show resolved Hide resolved
bpf-tc/pkg/egress/bpf/egress.c Outdated Show resolved Hide resolved
bpf-tc/pkg/ingress/bpf/ingress.c Outdated Show resolved Hide resolved
bpf-tc/pkg/ingress/bpf/ingress.c Outdated Show resolved Hide resolved
bpf-tc/pkg/ingress/bpf/ingress.c Outdated Show resolved Hide resolved
bpf-tc/pkg/ingress/bpf/ingress.c Outdated Show resolved Hide resolved
tamilmani1989
tamilmani1989 requested changes May 7, 2024
View reviewed changes
Makefile Outdated Show resolved Hide resolved
bpf-prog/bpf-tc/README Outdated Show resolved Hide resolved
bpf-prog/bpf-tc/cmd/bpf-tc/main.go Outdated Show resolved Hide resolved
bpf-prog/bpf-tc/cmd/bpf-tc/main.go Outdated Show resolved Hide resolved
bpf-prog/bpf-tc/include/helper.h Outdated Show resolved Hide resolved
bpf-prog/bpf-tc/pkg/egress/bpf/egress.c Outdated Show resolved Hide resolved
bpf-prog/bpf-tc/pkg/egress/bpf/egress.c Outdated Show resolved Hide resolved
bpf-prog/bpf-tc/pkg/ingress/bpf/ingress.c Outdated Show resolved Hide resolved
bpf-prog/bpf-tc/pkg/ingress/bpf/ingress.c Outdated Show resolved Hide resolved
bpf-prog/bpf-tc/pkg/ingress/bpf/ingress.c Outdated Show resolved Hide resolved
@nickolaev nickolaev mentioned this pull request May 12, 2024
Closed
3 tasks
tamilmani1989
tamilmani1989 reviewed May 17, 2024
View reviewed changes
Makefile Outdated Show resolved Hide resolved
bpf-prog/ipv6-healthprobe-tc/cmd/ipv6-healthprobe-tc/main.go Outdated Show resolved Hide resolved
bpf-prog/ipv6-healthprobe-tc/cmd/ipv6-healthprobe-tc/main.go Outdated Show resolved Hide resolved
bpf-prog/ipv6-healthprobe-tc/pkg/egress/bpf/egress.c Outdated Show resolved Hide resolved
bpf-prog/ipv6-healthprobe-tc/pkg/ingress/bpf/ingress.c Outdated Show resolved Hide resolved
@camrynl camrynl requested review from vipul-21 and tamilmani1989 May 20, 2024 21:08
@camrynl camrynl requested a review from vakalapa May 21, 2024 20:14
@camrynl camrynl enabled auto-merge May 30, 2024 20:26
@camrynl
Copy link
Contributor Author

camrynl commented May 30, 2024

/azp run Azure Container Networking PR

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@camrynl camrynl added this pull request to the merge queue May 30, 2024
Merged via the queue into master with commit 0475212 May 30, 2024
12 checks passed
@camrynl camrynl deleted the camrynl/bpfprog branch May 30, 2024 23:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rbtr rbtr rbtr left review comments

@timraymond timraymond timraymond left review comments

@vipul-21 vipul-21 vipul-21 approved these changes

@tamilmani1989 tamilmani1989 tamilmani1989 approved these changes

@spencermckee spencermckee Awaiting requested review from spencermckee spencermckee is a code owner automatically assigned from Azure/azure-sdn-members

@vakalapa vakalapa Awaiting requested review from vakalapa

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@camrynl @rbtr @timraymond @tamilmani1989 @vipul-21