
Commit f25d8b9

tgraf authored and aanm committed
bpf: Preserve source identity for hairpin via stack
When Cilium is used in chaining mode with portmap, the hostPort is translated using iptables DNAT as inserted by the portmap plugin. When this all happens within a node, we can preserve the source identity for the reply traffic for correct visibility. The traffic will be allowed anyway based on the connection tracking state.

Updates: #9784

Signed-off-by: Thomas Graf <[email protected]>
1 parent fcc5b2b commit f25d8b9

File tree

1 file changed (+15, -4 lines changed)

bpf/bpf_lxc.c

Lines changed: 15 additions & 4 deletions
@@ -354,12 +354,17 @@ static __always_inline int ipv6_l3_from_lxc(struct __ctx_buff *ctx,
354354
set_encrypt_key_mark(ctx, encrypt_key);
355355
#ifdef IP_POOLS
356356
set_encrypt_dip(ctx, tunnel_endpoint);
357-
#else
358-
set_identity_mark(ctx, SECLABEL);
359357
#endif
360358
}
361359
#endif
362360
#endif
361+
/* Always encode the source identity when passing to the stack. If the
362+
* stack hairpins the packet back to a local endpoint the source
363+
* identity can still be derived even if SNAT is performed by a
364+
* component such as portmap */
365+
ctx->mark |= MARK_MAGIC_IDENTITY;
366+
set_identity_mark(ctx, SECLABEL);
367+
363368
return CTX_ACT_OK;
364369
}
365370
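Review bot: the explicit `ctx->mark |= MARK_MAGIC_IDENTITY;` at 365 immediately before `set_identity_mark(ctx, SECLABEL);` at 366 is either redundant or a silent change of behaviour, and the hunk does not say which. If set_identity_mark() already writes the magic bits, the OR should be dropped; if it does not, the identity magic is now ORed into a mark that, in the ENCRYPT path a few lines above, may already carry what set_encrypt_key_mark() and (under IP_POOLS) set_encrypt_dip() wrote. The removed `#else` branch shows the identity mark was previously deliberately not set in the IP_POOLS case, so the commit message should state why setting it unconditionally is safe now, or the new block should keep an equivalent guard. Separately, the comment says "SNAT is performed by a component such as portmap" while the commit message describes iptables DNAT inserted by the portmap plugin; pick one so the code and the log agree, and terminate the comment with a period before `*/`.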

@@ -705,12 +710,18 @@ static __always_inline int handle_ipv4_from_lxc(struct __ctx_buff *ctx,
705710
set_encrypt_key_mark(ctx, encrypt_key);
706711
#ifdef IP_POOLS
707712
set_encrypt_dip(ctx, tunnel_endpoint);
708-
#else
709-
set_identity_mark(ctx, SECLABEL);
710713
#endif
711714
}
712715
#endif
713716
#endif
717+
718+
/* Always encode the source identity when passing to the stack. If the
719+
* stack hairpins the packet back to a local endpoint the source
720+
* identity can still be derived even if SNAT is performed by a
721+
* component such as portmap */
722+
ctx->mark |= MARK_MAGIC_IDENTITY;
723+
set_identity_mark(ctx, SECLABEL);
724+
714725
cilium_dbg_capture(ctx, DBG_CAPTURE_DELIVERY, 0);
715726
return CTX_ACT_OK;
716727
}
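Review bot: lines 717 and 718 add two consecutive blank lines before the comment; one is enough. The added block is a verbatim copy of the four-line comment and two statements placed in the IPv6 path, so a small static __always_inline helper (a hypothetical name such as set_identity_for_stack(ctx)) called from both handle_ipv4_from_lxc and ipv6_l3_from_lxc would keep the two paths from drifting, and would give one place to document why the identity mark is now set even when IP_POOLS selected set_encrypt_dip() instead, which the removed `#else` previously prevented. The comment's "SNAT" also disagrees with the commit message's "iptables DNAT"; align the wording.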

0 commit comments
