loader: attach datapath to IPIP tunnel devices

gyutaeb · gyutaeb · commit 557ddcd969f7 · 2025-01-30T17:15:26.000+09:00
This change adds the ability to attach the loader to IPIP tunnel
devices. cil_from_netdev and cil_to_netdev datapath programs are loaded
like for native devices.
diff --git a/pkg/datapath/loader/loader.go b/pkg/datapath/loader/loader.go
@@ -177,6 +177,55 @@ func (l *loader) bpfMasqAddrs(ifName string) (masq4, masq6 netip.Addr) {
 	return
 }
 
+// patchIPIPdevDatapath calculates the changes necessary
+// to attach the IPIP endpoint datapath to different interfaces.
+func (l *loader) patchIPIPdevDatapath(ep datapath.Endpoint, ifName string) (map[string]uint64, map[string]string, error) {
+	opts := ELFVariableSubstitutions(ep)
+	strings := ELFMapSubstitutions(ep)
+
+	iface, err := safenetlink.LinkByName(ifName)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// The THIS_INTERFACE_MAC value is specific to each attachment interface.
+	mac := mac.MAC(iface.Attrs().HardwareAddr)
+	if mac == nil {
+		// L2-less device
+		mac = make([]byte, 6)
+	}
+	opts["THIS_INTERFACE_MAC_1"] = uint64(sliceToBe32(mac[0:4]))
+	opts["THIS_INTERFACE_MAC_2"] = uint64(sliceToBe16(mac[4:6]))
+
+	ifIndex := uint32(iface.Attrs().Index)
+
+	if !option.Config.EnableHostLegacyRouting {
+		opts["SECCTX_FROM_IPCACHE"] = uint64(secctxFromIpcacheEnabled)
+	} else {
+		opts["SECCTX_FROM_IPCACHE"] = uint64(secctxFromIpcacheDisabled)
+	}
+
+	opts["NATIVE_DEV_IFINDEX"] = uint64(ifIndex)
+
+	if option.Config.EnableBPFMasquerade && ifName != defaults.SecondHostDevice {
+		ipv4, ipv6 := l.bpfMasqAddrs(ifName)
+
+		if option.Config.EnableIPv4Masquerade && ipv4.IsValid() {
+			opts["IPV4_MASQUERADE"] = uint64(byteorder.NetIPv4ToHost32(ipv4.AsSlice()))
+		}
+		if option.Config.EnableIPv6Masquerade && ipv6.IsValid() {
+			ipv6Bytes := ipv6.AsSlice()
+			opts["IPV6_MASQUERADE_1"] = sliceToBe64(ipv6Bytes[0:8])
+			opts["IPV6_MASQUERADE_2"] = sliceToBe64(ipv6Bytes[8:16])
+		}
+	}
+
+	callsMapHostDevice := bpf.LocalMapName(callsmap.HostMapName, templateLxcID)
+	strings[callsMapHostDevice] = bpf.LocalMapName(callsmap.NetdevMapName, uint16(ifIndex))
+
+	return opts, strings, nil
+}
+
 // patchHostNetdevDatapath calculates the changes necessary
 // to attach the host endpoint datapath to different interfaces.
 func (l *loader) patchHostNetdevDatapath(ep datapath.Endpoint, ifName string) (map[string]uint64, map[string]string, error) {
@@ -428,6 +477,51 @@ func (l *loader) reloadHostDatapath(ep datapath.Endpoint, spec *ebpf.CollectionS
 		}
 	}
 
+	if option.Config.EnableIPIPTermination {
+		ipipDevices := []string{}
+		if option.Config.IPv4Enabled() {
+			ipipDevices = append(ipipDevices, defaults.IPIPv4Device)
+		}
+		if option.Config.IPv6Enabled() {
+			ipipDevices = append(ipipDevices, defaults.IPIPv6Device)
+		}
+		for _, device := range ipipDevices {
+			iface, err := safenetlink.LinkByName(device)
+			if err != nil {
+				log.WithError(err).WithField("device", device).Warn("Link does not exist")
+				continue
+			}
+
+			linkDir := bpffsDeviceLinksDir(bpf.CiliumPath(), iface)
+			netdevConsts, netdevRenames, err := l.patchIPIPdevDatapath(ep, device)
+			if err != nil {
+				return err
+			}
+
+			coll, commit, err := loadDatapath(spec, netdevRenames, netdevConsts)
+			if err != nil {
+				return err
+			}
+			defer coll.Close()
+
+			// Attach cil_from_netdev to ingress.
+			if err := attachSKBProgram(iface, coll.Programs[symbolFromHostNetdevEp], symbolFromHostNetdevEp,
+				linkDir, netlink.HANDLE_MIN_INGRESS, option.Config.EnableTCX); err != nil {
+				return fmt.Errorf("interface %s ingress: %w", device, err)
+			}
+
+			// Attach cil_to_netdev to egress.
+			if err := attachSKBProgram(iface, coll.Programs[symbolToHostNetdevEp], symbolToHostNetdevEp,
+				linkDir, netlink.HANDLE_MIN_EGRESS, option.Config.EnableTCX); err != nil {
+				return fmt.Errorf("interface %s egress: %w", device, err)
+			}
+
+			if err := commit(); err != nil {
+				return fmt.Errorf("committing bpf pins: %w", err)
+			}
+		}
+	}
+
 	// call at the end of the function so that we can easily detect if this removes necessary
 	// programs that have just been attached.
 	if err := removeObsoleteNetdevPrograms(devices); err != nil {
