bpf: Preserve source identity for hairpin via stack

tgraf · aanm · commit f25d8b97e908 · 2020-04-14T10:02:57.000+02:00
When Cilium is used in chaining mode with portmap, the hostPort is translated using iptables DNAT as inserted by the portmap plugin. When this happens all within a node, we can preserve the source identity for the reply traffic for correct visibility. The traffic will be allowed anyway based on the connection tracking state. Updates: #9784 Signed-off-by: Thomas Graf <thomas@cilium.io>
diff --git a/bpf/bpf_lxc.c b/bpf/bpf_lxc.c
@@ -354,12 +354,17 @@ static __always_inline int ipv6_l3_from_lxc(struct __ctx_buff *ctx,
 		set_encrypt_key_mark(ctx, encrypt_key);
 #ifdef IP_POOLS
 		set_encrypt_dip(ctx, tunnel_endpoint);
-#else
-		set_identity_mark(ctx, SECLABEL);
 #endif
 	}
 #endif
 #endif
+	/* Always encode the source identity when passing to the stack. If the
+	 * stack hairpins the packet back to a local endpoint the source
+	 * identity can still be derived even if SNAT is performed by a
+	 * component such as portmap */
+	ctx->mark |= MARK_MAGIC_IDENTITY;
+	set_identity_mark(ctx, SECLABEL);
+
 	return CTX_ACT_OK;
 }
 
@@ -705,12 +710,18 @@ static __always_inline int handle_ipv4_from_lxc(struct __ctx_buff *ctx,
 		set_encrypt_key_mark(ctx, encrypt_key);
 #ifdef IP_POOLS
 		set_encrypt_dip(ctx, tunnel_endpoint);
-#else
-		set_identity_mark(ctx, SECLABEL);
 #endif
 	}
 #endif
 #endif
+
+	/* Always encode the source identity when passing to the stack. If the
+	 * stack hairpins the packet back to a local endpoint the source
+	 * identity can still be derived even if SNAT is performed by a
+	 * component such as portmap */
+	ctx->mark |= MARK_MAGIC_IDENTITY;
+	set_identity_mark(ctx, SECLABEL);
+
 	cilium_dbg_capture(ctx, DBG_CAPTURE_DELIVERY, 0);
 	return CTX_ACT_OK;
 }
