bpf: Support external IPv4 DSR

borkmann · borkmann · commit 50f6fa80e2ef · 2024-01-31T12:07:56.000Z
Support IPIP termination from the Cilium L4LB against a regular Cilium
cluster. This work covers the termination as well as DSR aspect, so that
replies go directly back to clients instead of the Cilium L4LB.

Given the VIP:port of an external L4LB is not known in our K8s cluster,
we also cannot hold them in the revNat map. Therefore, add the tuple
info in the CT map.

Guard this under a compilation flag given this is only relevant for users
who really want to terminate the external L4LB in the workload cluster,
others don't need to take the additional cycles.

From agent side, the --enable-external-dsr={true,false} flag controls this
setting. The default is on false.

Example with IPIP termination :

  Cilium L4LB node:

  # ./cilium-dbg/cilium-dbg service list
  ID   Frontend          Service Type   Backend
  [...]
  11   1.1.1.1:80        ExternalIPs    1 =&gt; 192.168.2.12:80 (active)

  Cilium regular cluster with --enable-external-dsr=true:

  # ./cilium-dbg/cilium-dbg service list
  ID   Frontend             Service Type   Backend
  [...]
  11   192.168.2.12:80      ExternalIPs    1 =&gt; 193.99.144.80:80 (active)

  tcpdump on Cilium regular node:

  [...]
  09:36:17.421507 IP 192.168.2.11 &gt; 192.168.2.12: IP 192.168.2.13.43196 &gt; 1.1.1.1.80: Flags [S], seq 3976047959, win 42340, options [mss 1460,sackOK,TS val 4083238462 ecr 0,nop,wscale 9], length 0
  09:36:17.421529 IP 192.168.2.12.43196 &gt; 193.99.144.80.80: Flags [S], seq 3976047959, win 42340, options [mss 1460,sackOK,TS val 4083238462 ecr 0,nop,wscale 9], length 0
  09:36:17.428443 IP 193.99.144.80.80 &gt; 192.168.2.12.43196: Flags [S.], seq 1717159938, ack 3976047960, win 14600, options [mss 1460,nop,wscale 0,sackOK,TS val 1591760912 ecr 4083238462], length 0
  09:36:17.428680 IP 1.1.1.1.80 &gt; 192.168.2.13.43196: Flags [S.], seq 1717159938, ack 3976047960, win 14600, options [mss 1460,nop,wscale 0,sackOK,TS val 1591760912 ecr 4083238462], length 0
  [...]

What can be seen is the IPIP termination, the Cilium regular node then
performing the service request to the backend, and upon reply reversing
everything along with the DSR (1.1.1.1.80) to the client directly.

Signed-off-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
diff --git a/Documentation/cmdref/cilium-agent.md b/Documentation/cmdref/cilium-agent.md
diff --git a/bpf/bpf_lxc.c b/bpf/bpf_lxc.c
@@ -89,7 +89,7 @@ static __always_inline int __per_packet_lb_svc_xlate_4(void *ctx, struct iphdr *
 
 	has_l4_header = ipv4_has_l4_header(ip4);
 
-	ret = lb4_extract_tuple(ctx, ip4, ETH_HLEN, &l4_off, &tuple);
+	ret = lb4_extract_tuple(ctx, ip4, ETH_HLEN, &l4_off, &tuple, NULL);
 	if (IS_ERR(ret)) {
 		if (ret == DROP_UNSUPP_SERVICE_PROTO || ret == DROP_UNKNOWN_L4)
 			goto skip_service_lookup;
@@ -2082,7 +2082,7 @@ ipv4_to_endpoint_is_hairpin_flow(struct __ctx_buff *ctx, struct iphdr *ip4)
 	/* Extract the tuple from the packet so we can freely access addrs and ports.
 	 * All values are in network byte order.
 	 */
-	err = lb4_extract_tuple(ctx, ip4, ETH_HLEN, &l4_off, &tuple);
+	err = lb4_extract_tuple(ctx, ip4, ETH_HLEN, &l4_off, &tuple, NULL);
 	if (IS_ERR(err))
 		return false;
 
diff --git a/bpf/lib/common.h b/bpf/lib/common.h
@@ -581,7 +581,7 @@ enum {
 #define DROP_CT_INVALID_HDR	-135
 #define DROP_FRAG_NEEDED	-136
 #define DROP_CT_UNKNOWN_PROTO	-137
-#define DROP_UNUSED4		-138 /* unused */
+#define DROP_READ_ERROR		-138
 #define DROP_UNKNOWN_L3		-139
 #define DROP_MISSED_TAIL_CALL	-140
 #define DROP_WRITE_ERROR	-141
@@ -901,6 +901,11 @@ enum {
 	BE_STATE_MAINTENANCE,
 };
 
+struct lb4_reverse_nat {
+	__be32 address;
+	__be16 port;
+} __packed;
+
 struct ipv6_ct_tuple {
 	/* Address fields are reversed, i.e.,
 	 * these field names are correct for reply direction traffic.
@@ -939,11 +944,12 @@ struct ct_entry {
 			__u64 packets;
 			__u64 bytes;
 		};
+		struct lb4_reverse_nat dsr4;
 	};
 	__u32 lifetime;
 	__u16 rx_closing:1,
 	      tx_closing:1,
-	      unused_nat46:1,	/* unused since v1.12 / 81dee05e82fb */
+	      dsr_external:1,	/* DSR for a VIP from an external L4LB (dsr4) */
 	      lb_loopback:1,
 	      seen_non_syn:1,
 	      node_port:1,
@@ -1074,11 +1080,6 @@ struct lb4_health {
 	struct lb4_backend peer;
 };
 
-struct lb4_reverse_nat {
-	__be32 address;
-	__be16 port;
-} __packed;
-
 struct ipv4_revnat_tuple {
 	__sock_cookie cookie;
 	__be32 address;
@@ -1146,12 +1147,18 @@ struct ct_state {
 	      reserved1:1,	/* Was auth_required, not used in production anywhere */
 	      from_tunnel:1,	/* Connection is from tunnel */
 	      dsr_internal:1,
-	      reserved:8;
+	      dsr_external:1,
+	      reserved:7;
 	__u32 src_sec_id;
 #ifndef HAVE_FIB_IFINDEX
 	__u16 ifindex;
 #endif
 	__u32 backend_id;	/* Backend ID in lb4_backends */
+#ifdef ENABLE_DSR_EXTERNAL
+	union {
+		struct lb4_reverse_nat dsr4;
+	};
+#endif
 };
 
 static __always_inline bool ct_state_is_from_l7lb(const struct ct_state *ct_state __maybe_unused)
diff --git a/bpf/lib/conntrack.h b/bpf/lib/conntrack.h
@@ -206,6 +206,11 @@ ct_lookup_fill_state(struct ct_state *state, const struct ct_entry *entry,
 		state->proxy_redirect = entry->proxy_redirect;
 		state->from_l7lb = entry->from_l7lb;
 		state->from_tunnel = entry->from_tunnel;
+#ifdef ENABLE_DSR_EXTERNAL
+		state->dsr_external = entry->dsr_external;
+		if (state->dsr_external)
+			state->dsr4 = entry->dsr4;
+#endif
 #ifndef HAVE_FIB_IFINDEX
 		state->ifindex = entry->ifindex;
 #endif
@@ -910,6 +915,9 @@ ct_create_fill_entry(struct ct_entry *entry, const struct ct_state *state,
 		entry->node_port = state->node_port;
 		entry->dsr_internal = state->dsr_internal;
 		entry->from_tunnel = state->from_tunnel;
+#ifdef ENABLE_DSR_EXTERNAL
+		entry->dsr_external = state->dsr_external;
+#endif
 #ifndef HAVE_FIB_IFINDEX
 		entry->ifindex = state->ifindex;
 #endif
@@ -988,8 +996,13 @@ static __always_inline int ct_create4(const void *map_main,
 	union tcp_flags seen_flags = { .value = 0 };
 	int err;
 
-	if (ct_state)
+	if (ct_state) {
 		ct_create_fill_entry(&entry, ct_state, dir);
+#ifdef ENABLE_DSR_EXTERNAL
+		if (entry.dsr_external)
+			entry.dsr4 = ct_state->dsr4;
+#endif
+	}
 
 	seen_flags.value |= is_tcp ? TCP_FLAG_SYN : 0;
 	ct_update_timeout(&entry, is_tcp, dir, seen_flags);
diff --git a/bpf/lib/lb.h b/bpf/lib/lb.h
@@ -1155,6 +1155,14 @@ static __always_inline int lb4_rev_nat(struct __ctx_buff *ctx, int l3_off, int l
 			     loopback, has_l4_header);
 }
 
+static __always_inline int lb4_rev_dsr(struct __ctx_buff *ctx, int l3_off, int l4_off,
+				       struct lb4_reverse_nat *rev_dsr, bool loopback,
+				       struct ipv4_ct_tuple *tuple, int flags, bool has_l4_header)
+{
+	return __lb4_rev_nat(ctx, l3_off, l4_off, tuple, flags, rev_dsr,
+			     loopback, has_l4_header);
+}
+
 static __always_inline void
 lb4_fill_key(struct lb4_key *key, const struct ipv4_ct_tuple *tuple)
 {
@@ -1179,7 +1187,7 @@ lb4_fill_key(struct lb4_key *key, const struct ipv4_ct_tuple *tuple)
  */
 static __always_inline int
 lb4_extract_tuple(struct __ctx_buff *ctx, struct iphdr *ip4, int l3_off, int *l4_off,
-		  struct ipv4_ct_tuple *tuple)
+		  struct ipv4_ct_tuple *tuple, __be32 *external_vip __maybe_unused)
 {
 	int ret;
 
@@ -1190,14 +1198,41 @@ lb4_extract_tuple(struct __ctx_buff *ctx, struct iphdr *ip4, int l3_off, int *l4
 	*l4_off = l3_off + ipv4_hdrlen(ip4);
 
 	switch (tuple->nexthdr) {
+#ifdef ENABLE_DSR_EXTERNAL
+# if __ctx_is == __ctx_skb
+	case IPPROTO_IPIP: {
+		struct iphdr inner;
+
+		/* The initial packets hits the Cilium L4LB as:
+		 * - [ client-ip   -> l4lb-vip ]
+		 *
+		 * The IPIP packet from the Cilium L4LB looks as follows:
+		 * - outer: [ l4lb-rss-ip -> k8s-svc-ip ]
+		 * - inner: [ client-ip   -> l4lb-vip ]
+		 *
+		 * We extract [ client-ip -> k8s-svc-ip ] and later need
+		 * to reply with l4lb-vip as source. The l4lb-vip and
+		 * k8s-svc-ip ports are the same / must match.
+		 */
+		ctx_load_bytes(ctx, *l4_off, &inner, sizeof(inner));
+		tuple->nexthdr = inner.protocol;
+		tuple->saddr = inner.saddr;
+		if (external_vip)
+			*external_vip = inner.daddr;
+		if (ipv4_hdrlen(&inner) != sizeof(*ip4))
+			return DROP_NAT_UNSUPP_PROTO;
+		*l4_off += sizeof(*ip4);
+		fallthrough;
+	};
+# endif
+#endif
 	case IPPROTO_TCP:
 	case IPPROTO_UDP:
 #ifdef ENABLE_SCTP
 	case IPPROTO_SCTP:
 #endif  /* ENABLE_SCTP */
 		ret = ipv4_load_l4_ports(ctx, ip4, *l4_off, CT_EGRESS,
 					 &tuple->dport, NULL);
-
 		if (IS_ERR(ret))
 			return ret;
 		return 0;
@@ -1366,6 +1401,7 @@ lb4_xlate(struct __ctx_buff *ctx, __be32 *new_saddr __maybe_unused,
 {
 	const __be32 *new_daddr = &backend->address;
 	struct csum_offset csum_off = {};
+	__be32 old_daddr;
 	__be32 sum;
 	int ret;
 
@@ -1375,12 +1411,16 @@ lb4_xlate(struct __ctx_buff *ctx, __be32 *new_saddr __maybe_unused,
 	if (skip_l3_xlate)
 		goto l4_xlate;
 
+	ret = ctx_load_bytes(ctx, l3_off + offsetof(struct iphdr, daddr),
+			     &old_daddr, 4);
+	if (unlikely(ret < 0))
+		return DROP_READ_ERROR;
 	ret = ctx_store_bytes(ctx, l3_off + offsetof(struct iphdr, daddr),
 			      new_daddr, 4, 0);
-	if (ret < 0)
+	if (unlikely(ret < 0))
 		return DROP_WRITE_ERROR;
 
-	sum = csum_diff(&key->address, 4, new_daddr, 4, 0);
+	sum = csum_diff(&old_daddr, 4, new_daddr, 4, 0);
 #ifndef DISABLE_LOOPBACK_LB
 	if (new_saddr && *new_saddr) {
 		cilium_dbg_lb(ctx, DBG_LB4_LOOPBACK_SNAT, *old_saddr, *new_saddr);
diff --git a/bpf/lib/nodeport.h b/bpf/lib/nodeport.h
@@ -2416,7 +2416,7 @@ nodeport_rev_dnat_ingress_ipv4(struct __ctx_buff *ctx, struct trace_ctx *trace,
 
 	has_l4_header = ipv4_has_l4_header(ip4);
 
-	ret = lb4_extract_tuple(ctx, ip4, ETH_HLEN, &l4_off, &tuple);
+	ret = lb4_extract_tuple(ctx, ip4, ETH_HLEN, &l4_off, &tuple, NULL);
 	if (ret < 0) {
 		/* If it's not a SVC protocol, we don't need to check for RevDNAT: */
 		if (ret == DROP_UNSUPP_SERVICE_PROTO || ret == DROP_UNKNOWN_L4)
@@ -2444,8 +2444,18 @@ nodeport_rev_dnat_ingress_ipv4(struct __ctx_buff *ctx, struct trace_ctx *trace,
 			      CT_ENTRY_NODEPORT, &ct_state, &trace->monitor);
 	if (ret == CT_REPLY) {
 		trace->reason = TRACE_REASON_CT_REPLY;
-		ret = lb4_rev_nat(ctx, l3_off, l4_off, ct_state.rev_nat_index, false,
-				  &tuple, REV_NAT_F_TUPLE_SADDR, has_l4_header);
+#ifdef ENABLE_DSR_EXTERNAL
+		if (ct_state.dsr_external) {
+			ret = lb4_rev_dsr(ctx, l3_off, l4_off, &ct_state.dsr4,
+					  false, &tuple, REV_NAT_F_TUPLE_SADDR,
+					  has_l4_header);
+		} else
+#endif
+		{
+			ret = lb4_rev_nat(ctx, l3_off, l4_off, ct_state.rev_nat_index,
+					  false, &tuple, REV_NAT_F_TUPLE_SADDR,
+					  has_l4_header);
+		}
 		if (IS_ERR(ret))
 			return ret;
 		if (!revalidate_data(ctx, &data, &data_end, &ip4))
@@ -2683,7 +2693,7 @@ int tail_nodeport_nat_egress_ipv4(struct __ctx_buff *ctx)
 	}
 #endif
 
-	ret = lb4_extract_tuple(ctx, ip4, ETH_HLEN, &l4_off, &tuple);
+	ret = lb4_extract_tuple(ctx, ip4, ETH_HLEN, &l4_off, &tuple, NULL);
 	if (IS_ERR(ret))
 		goto drop_err;
 
@@ -2770,6 +2780,7 @@ static __always_inline int nodeport_lb4(struct __ctx_buff *ctx,
 	struct lb4_service *svc;
 	struct lb4_key key = {};
 	struct ct_state ct_state_new = {};
+	__be32 external_vip = 0;
 	__u32 cluster_id = 0;
 	__u32 monitor = 0;
 	int ret, l4_off;
@@ -2778,7 +2789,7 @@ static __always_inline int nodeport_lb4(struct __ctx_buff *ctx,
 
 	has_l4_header = ipv4_has_l4_header(ip4);
 
-	ret = lb4_extract_tuple(ctx, ip4, l3_off, &l4_off, &tuple);
+	ret = lb4_extract_tuple(ctx, ip4, l3_off, &l4_off, &tuple, &external_vip);
 	if (IS_ERR(ret)) {
 		if (ret == DROP_UNSUPP_SERVICE_PROTO) {
 			is_svc_proto = false;
@@ -2799,6 +2810,16 @@ static __always_inline int nodeport_lb4(struct __ctx_buff *ctx,
 
 		if (!lb4_src_range_ok(svc, ip4->saddr))
 			return DROP_NOT_IN_SRC_RANGE;
+#ifdef ENABLE_DSR_EXTERNAL
+		if (external_vip) {
+			if (ctx_adjust_hroom(ctx, -(int)sizeof(*ip4),
+					     BPF_ADJ_ROOM_MAC,
+					     BPF_F_ADJ_ROOM_FIXED_GSO))
+				return DROP_UNSUPP_SERVICE_PROTO;
+			tuple.daddr = external_vip;
+			l4_off -= sizeof(*ip4);
+		}
+#endif
 #if defined(ENABLE_L7_LB)
 		if (lb4_svc_is_l7loadbalancer(svc) && svc->l7_lb_proxy_port > 0) {
 			/* We cannot redirect from the XDP layer to cilium_host.
@@ -2930,6 +2951,15 @@ static __always_inline int nodeport_lb4(struct __ctx_buff *ctx,
 redo:
 			ct_state_new.src_sec_id = WORLD_IPV4_ID;
 			ct_state_new.node_port = 1;
+#ifdef ENABLE_DSR_EXTERNAL
+			ct_state_new.dsr_external = !!external_vip;
+			if (ct_state_new.dsr_external) {
+				ct_state_new.dsr4.address = external_vip;
+				ct_state_new.dsr4.port = key.dport;
+			}
+#else
+			ct_state_new.dsr_external = 0;
+#endif
 #ifndef HAVE_FIB_IFINDEX
 			ct_state_new.ifindex = (__u16)NATIVE_DEV_IFINDEX;
 #endif
@@ -3003,7 +3033,7 @@ nodeport_rev_dnat_fwd_ipv4(struct __ctx_buff *ctx, struct trace_ctx *trace,
 	has_l4_header = ipv4_has_l4_header(ip4);
 	is_fragment = ipv4_is_fragment(ip4);
 
-	ret = lb4_extract_tuple(ctx, ip4, ETH_HLEN, &l4_off, &tuple);
+	ret = lb4_extract_tuple(ctx, ip4, ETH_HLEN, &l4_off, &tuple, NULL);
 	if (ret < 0) {
 		/* If it's not a SVC protocol, we don't need to check for RevDNAT: */
 		if (ret == DROP_UNSUPP_SERVICE_PROTO || ret == DROP_UNKNOWN_L4)
diff --git a/daemon/cmd/daemon_main.go b/daemon/cmd/daemon_main.go
@@ -253,6 +253,9 @@ func InitGlobalFlags(cmd *cobra.Command, vp *viper.Viper) {
 	flags.Bool(option.EnableLocalNodeRoute, defaults.EnableLocalNodeRoute, "Enable installation of the route which points the allocation prefix of the local node")
 	option.BindEnv(vp, option.EnableLocalNodeRoute)
 
+	flags.Bool(option.EnableExternalDSR, false, "Enable termination and DSR handling of external L4LBs")
+	option.BindEnv(vp, option.EnableExternalDSR)
+
 	flags.Bool(option.EnableIPv4Name, defaults.EnableIPv4, "Enable IPv4 support")
 	option.BindEnv(vp, option.EnableIPv4Name)
 
diff --git a/daemon/cmd/kube_proxy_replacement.go b/daemon/cmd/kube_proxy_replacement.go
@@ -501,6 +501,7 @@ func disableNodePort() {
 	option.Config.EnableHostPort = false
 	option.Config.EnableExternalIPs = false
 	option.Config.EnableSVCSourceRangeCheck = false
+	option.Config.EnableExternalDSR = false
 	option.Config.EnableHostLegacyRouting = true
 }
 
diff --git a/pkg/datapath/linux/config/config.go b/pkg/datapath/linux/config/config.go
@@ -381,6 +381,9 @@ func (h *HeaderfileWriter) WriteNodeConfig(w io.Writer, cfg *datapath.LocalNodeC
 			cDefinesMap["ENABLE_MKE"] = "1"
 			cDefinesMap["MKE_HOST"] = fmt.Sprintf("%d", option.HostExtensionMKE)
 		}
+		if option.Config.EnableExternalDSR {
+			cDefinesMap["ENABLE_DSR_EXTERNAL"] = "1"
+		}
 		if option.Config.EnableRecorder {
 			cDefinesMap["ENABLE_CAPTURE"] = "1"
 			if option.Config.EnableIPv4 {
diff --git a/pkg/maps/ctmap/types.go b/pkg/maps/ctmap/types.go
@@ -558,7 +558,7 @@ const SizeofCtEntry = int(unsafe.Sizeof(CtEntry{}))
 const (
 	RxClosing = 1 << iota
 	TxClosing
-	Nat64
+	DSRExternal
 	LBLoopback
 	SeenNonSyn
 	NodePort
@@ -584,9 +584,6 @@ func (c *CtEntry) flagsString() string {
 	if (c.Flags & TxClosing) != 0 {
 		sb.WriteString("TxClosing ")
 	}
-	if (c.Flags & Nat64) != 0 {
-		sb.WriteString("Nat64 ")
-	}
 	if (c.Flags & LBLoopback) != 0 {
 		sb.WriteString("LBLoopback ")
 	}
@@ -602,6 +599,9 @@ func (c *CtEntry) flagsString() string {
 	if (c.Flags & DSRInternal) != 0 {
 		sb.WriteString("DSR ")
 	}
+	if (c.Flags & DSRExternal) != 0 {
+		sb.WriteString("DSRExt ")
+	}
 	if (c.Flags & FromL7LB) != 0 {
 		sb.WriteString("FromL7LB ")
 	}
diff --git a/pkg/option/config.go b/pkg/option/config.go

Original file line number	Diff line number	Diff line change
`@@ -501,6 +501,7 @@ func disableNodePort() {`
`501`	`501`	`option.Config.EnableHostPort = false`
`502`	`502`	`option.Config.EnableExternalIPs = false`
`503`	`503`	`option.Config.EnableSVCSourceRangeCheck = false`
	`504`	`+ option.Config.EnableExternalDSR = false`
`504`	`505`	`option.Config.EnableHostLegacyRouting = true`
`505`	`506`	`}`
`506`	`507`