Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

datapath: Support NodePort BPF on L2-less devices #14858

Merged
merged 5 commits into from
Mar 5, 2021
Merged

datapath: Support NodePort BPF on L2-less devices #14858

merged 5 commits into from
Mar 5, 2021

Conversation

brb
Copy link
Member

@brb brb commented Feb 4, 2021
edited
Loading

See commit msgs.

I haven't added IPv6 tests, as I'd need to extend https://github.com/cilium/kube-wireguarder to support it. At this point, it would be a waste of time, as we are planning to add the native Wireguard support in this release cycle. So we can add the tests once #15075 has been resolved.

To fix L2-less with the fast redirect I've opened #15075.

Fix #12317

Add NodePort BPF support to L2-less devices (wireguard, tun, etc)

@brb brb added sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. release-note/major This PR introduces major new functionality to Cilium. sig/loadbalancing labels Feb 4, 2021
@brb brb force-pushed the pr/brb/no-l2-addr branch 2 times, most recently from c3d8dc4 to 32c5872 Compare February 5, 2021 05:36
@brb
Copy link
Member Author

brb commented Feb 5, 2021

test-net-next

@brb brb force-pushed the pr/brb/no-l2-addr branch 3 times, most recently from 2d803c0 to 250a8d7 Compare February 22, 2021 15:54
@brb brb force-pushed the pr/brb/no-l2-addr branch from 250a8d7 to 3699607 Compare February 22, 2021 17:41
@brb
Copy link
Member Author

brb commented Feb 22, 2021

test-net-next

2 similar comments
@brb
Copy link
Member Author

brb commented Feb 23, 2021

test-net-next

@brb
Copy link
Member Author

brb commented Feb 23, 2021

test-net-next

@brb brb force-pushed the pr/brb/no-l2-addr branch 2 times, most recently from 23b7b27 to fc8fc37 Compare February 23, 2021 14:05
@brb brb mentioned this pull request Feb 23, 2021
Closed
@brb brb requested a review from borkmann February 23, 2021 15:02
@brb brb force-pushed the pr/brb/no-l2-addr branch from da2fe92 to da75418 Compare February 23, 2021 15:05
@brb brb marked this pull request as ready for review February 23, 2021 15:05
@brb brb requested review from a team February 23, 2021 15:05
@brb brb requested a review from a team as a code owner February 23, 2021 15:05
@brb brb requested review from a team and nbusseneau February 23, 2021 15:05
borkmann
borkmann reviewed Mar 3, 2021
View reviewed changes
Copy link
Member

@borkmann borkmann left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

modulo the minor bits, lgtm!

christarazi
christarazi reviewed Mar 3, 2021
View reviewed changes
Copy link
Member

@christarazi christarazi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎉 Awesome! Just a few comments below

pkg/datapath/linux/config/config.go Show resolved Hide resolved
daemon/cmd/kube_proxy_replacement.go Show resolved Hide resolved
daemon/cmd/kube_proxy_replacement.go Show resolved Hide resolved
brb added 2 commits March 5, 2021 11:14
@brb
datapath: Support NodePort BPF on L2-less devices
7766714 
This commit extends NodePort BPF by making it possible to run it on
L3 network devices (without L2 addr). One prominent case is the
Wireguard tunnel device (wg0).

The main idea of the change is to make ETH_HLEN configurable via ELF
templating (on L2-less devices we set it to 0 during the load time),
and to craft an L2 hdr when forwarding from L2-less to L2 device.

Signed-off-by: Martynas Pumputis <[email protected]>
@brb
daemon: Do not ignore L2-less devices in dev auto detection
5cb5a5b 
The previous commit added a support for L2-less devices.

Signed-off-by: Martynas Pumputis <[email protected]>
@brb brb force-pushed the pr/brb/no-l2-addr branch from 678db1b to 99b097b Compare March 5, 2021 10:26
brb added 2 commits March 5, 2021 11:30
@brb
daemon: Fix ordering of BPF host routing detection
5b07a6d 
Fix a bug when NodePort BPF is disabled after the device
detection, and BPF host routing is kept enabled.

Fixes: 7e0cb33 ("bpf: do not enable host routing when kpr is disabled")
Signed-off-by: Martynas Pumputis <[email protected]>
@brb
datapath: Only make ETH_HLEN as static data if L3 dev exist
65a1aff 
This should eliminate a datapath perf penalty introduced by the L2-less
changes when running on systems which all involved devices have L2
addrs.

Signed-off-by: Martynas Pumputis <[email protected]>
@brb brb force-pushed the pr/brb/no-l2-addr branch from 99b097b to 440480b Compare March 5, 2021 10:35
@brb
daemon: Disable BPF host routing when L2-less detected
440480b 
Until #15075 has been resolved.

Signed-off-by: Martynas Pumputis <[email protected]>
@brb
Copy link
Member Author

brb commented Mar 5, 2021

test-me-please

@brb brb requested review from borkmann and christarazi March 5, 2021 12:11
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Mar 5, 2021
@nbusseneau nbusseneau removed their assignment Mar 5, 2021
@borkmann borkmann merged commit db2ad2a into master Mar 5, 2021
@borkmann borkmann deleted the pr/brb/no-l2-addr branch March 5, 2021 22:54
pchaigno
pchaigno reviewed Mar 9, 2021
View reviewed changes
Copy link
Member

@pchaigno pchaigno left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couple comments which we'll require follow ups if I didn't miss something.

bpf/lib/nodeport.h Show resolved Hide resolved
daemon/cmd/kube_proxy_replacement.go Show resolved Hide resolved
brb added a commit that referenced this pull request Mar 15, 2021
@brb
bpf: Add ETH_HLEN=0 to stress test complexity
5565d72 
The PR "datapath: Support NodePort BPF on L2-less devices" [1] has
increased the complexity of bpf_host and bpf_lxc by introducing a
support for ETH_HLEN=0.

Extend the base options by adding ETH_HLEN=0 to stress test the verifier
complexity.

[1]: #14858

Suggested-by: Paul Chaignon <[email protected]>
Signed-off-by: Martynas Pumputis <[email protected]>
@brb brb mentioned this pull request Mar 15, 2021
Merged
brb added a commit that referenced this pull request Apr 2, 2021
@brb
bpf: Add ETH_HLEN=0 to stress test complexity
9578e89 
The PR "datapath: Support NodePort BPF on L2-less devices" [1] has
increased the complexity of bpf_host and bpf_lxc by introducing a
support for ETH_HLEN=0.

Extend the base options by adding ETH_HLEN=0 to stress test the verifier
complexity when running on net-next (ETH_HLEN=0 depends on the
skb_change_head helper which was introduced in 5.8).

[1]: #14858

Suggested-by: Paul Chaignon <[email protected]>
Signed-off-by: Martynas Pumputis <[email protected]>
brb added a commit that referenced this pull request Apr 6, 2021
@brb
bpf: Add ETH_HLEN=0 to stress test complexity
f502b3f 
The PR "datapath: Support NodePort BPF on L2-less devices" [1] has
increased the complexity of bpf_host and bpf_lxc by introducing a
support for ETH_HLEN=0.

Extend the base options by adding ETH_HLEN=0 to stress test the verifier
complexity when running on net-next (ETH_HLEN=0 depends on the
skb_change_head helper which was introduced in 5.8).

[1]: #14858

Suggested-by: Paul Chaignon <[email protected]>
Signed-off-by: Martynas Pumputis <[email protected]>
brb added a commit that referenced this pull request Apr 9, 2021
@brb
bpf: Add ETH_HLEN=0 to stress test complexity
0502034 
The PR "datapath: Support NodePort BPF on L2-less devices" [1] has
increased the complexity of bpf_host and bpf_lxc by introducing a
support for ETH_HLEN=0.

Extend the base options by adding ETH_HLEN=0 to stress test the verifier
complexity when running on net-next (ETH_HLEN=0 depends on the
skb_change_head helper which was introduced in 5.8).

[1]: #14858

Suggested-by: Paul Chaignon <[email protected]>
Signed-off-by: Martynas Pumputis <[email protected]>
brb added a commit that referenced this pull request Apr 13, 2021
@brb
bpf: Add ETH_HLEN=0 to stress test complexity
1a699db 
The PR "datapath: Support NodePort BPF on L2-less devices" [1] has
increased the complexity of bpf_host and bpf_lxc by introducing a
support for ETH_HLEN=0.

Extend the base options by adding ETH_HLEN=0 to stress test the verifier
complexity when running on net-next (ETH_HLEN=0 depends on the
skb_change_head helper which was introduced in 5.8).

[1]: #14858

Suggested-by: Paul Chaignon <[email protected]>
Signed-off-by: Martynas Pumputis <[email protected]>
qmonnet pushed a commit that referenced this pull request Apr 13, 2021
@brb @qmonnet
bpf: Add ETH_HLEN=0 to stress test complexity
51834ca 
The PR "datapath: Support NodePort BPF on L2-less devices" [1] has
increased the complexity of bpf_host and bpf_lxc by introducing a
support for ETH_HLEN=0.

Extend the base options by adding ETH_HLEN=0 to stress test the verifier
complexity when running on net-next (ETH_HLEN=0 depends on the
skb_change_head helper which was introduced in 5.8).

[1]: #14858

Suggested-by: Paul Chaignon <[email protected]>
Signed-off-by: Martynas Pumputis <[email protected]>
@eyanulis eyanulis mentioned this pull request May 23, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pchaigno pchaigno pchaigno left review comments

@aanm aanm aanm approved these changes

@nbusseneau nbusseneau nbusseneau approved these changes

@christarazi christarazi christarazi approved these changes

@borkmann borkmann borkmann approved these changes

Assignees

@borkmann borkmann

@christarazi christarazi

@aanm aanm

Labels
ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/major This PR introduces major new functionality to Cilium. sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

NodePort fails when using IP attached to interface without HW address
6 participants
@brb @borkmann @pchaigno @christarazi @nbusseneau @aanm