
Merge pull request #9159 from tomastigera/tomas-bpf-fix-notrack
[BPF] disable conntrack bypass, exclude link-local
tomastigera authored Oct 18, 2024
2 parents c5b4ffe + 02a1c33 commit dfc45a0
Showing 4 changed files with 31 additions and 1 deletion.
2 changes: 1 addition & 1 deletion felix/config/config_params.go
Expand Up @@ -196,7 +196,7 @@ type Config struct {
BPFMapSizeConntrack int `config:"int;512000;non-zero"`
BPFMapSizeIPSets int `config:"int;1048576;non-zero"`
BPFMapSizeIfState int `config:"int;1000;non-zero"`
BPFHostConntrackBypass bool `config:"bool;true"`
BPFHostConntrackBypass bool `config:"bool;false"`
BPFEnforceRPF string `config:"oneof(Disabled,Strict,Loose);Loose;non-zero"`
BPFPolicyDebugEnabled bool `config:"bool;true"`
BPFForceTrackPacketsFromIfaces []string `config:"iface-filter-slice;docker+"`
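Review bot: The default of `BPFHostConntrackBypass` changes from `true` to `false` in the `config:"bool;false"` tag, but the field still carries no comment, so a reader of `Config` cannot tell what the flag controls or that the flip is deliberate. Clusters that never set this key will change behaviour on upgrade, so I would document it on the field, e.g. `// BPFHostConntrackBypass, when true, lets host-originated flows skip conntrack (name-inferred; confirm). Default changed to false in #9159 ("disable conntrack bypass"); enable only if the old behaviour is required.` A release-note entry for the changed default would help operators for the same reason. The `Config` struct begins and ends outside the hunk.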
6 changes: 6 additions & 0 deletions felix/fv/bpf_test.go
Expand Up @@ -5576,6 +5576,12 @@ func conntrackFlushWorkloadEntries(felixes []*infrastructure.Felix) func() {
}

func conntrackChecks(felixes []*infrastructure.Felix) []interface{} {
if felixes[0].ExpectedIPIPTunnelAddr != "" ||
felixes[0].ExpectedWireguardTunnelAddr != "" ||
felixes[0].ExpectedWireguardV6TunnelAddr != "" {
return nil
}

return []interface{}{
CheckWithInit(conntrackFlushWorkloadEntries(felixes)),
CheckWithFinalTest(conntrackCheck(felixes)),
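Review bot: The new early return in `conntrackChecks` silently drops every conntrack check whenever an IPIP or WireGuard tunnel address is configured, and nothing says whether that is because the checks do not apply with a tunnel or because a known gap is being worked around. Returning `nil` from a checks helper is easy to mistake for a passing test, so the guard deserves a comment such as `// Conntrack checks are skipped for tunnelled (IPIP/WireGuard) setups: <reason> — TODO(review): state whether this is "not applicable" or a tracked gap`. If it is a gap, a log line or an explicit skip further up the suite would keep the omission visible in test output. `conntrackChecks` ends outside the hunk.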
19 changes: 19 additions & 0 deletions felix/rules/static.go
Expand Up @@ -1207,6 +1207,25 @@ func (r *DefaultRuleRenderer) StaticBPFModeRawChains(ipVersion uint8,
}
}

switch ipVersion {
case 4:
bpfUntrackedFlowRules = append(bpfUntrackedFlowRules,
generictables.Rule{
Match: r.NewMatch().DestNet("169.254.0.0/16"),
Action: r.Return(),
Comment: []string{"link-local"},
},
)
case 6:
bpfUntrackedFlowRules = append(bpfUntrackedFlowRules,
generictables.Rule{
Match: r.NewMatch().DestNet("fe80::/10"),
Action: r.Return(),
Comment: []string{"link-local"},
},
)
}

bpfUntrackedFlowRules = append(bpfUntrackedFlowRules,
generictables.Rule{
Match: r.NewMatch().MarkMatchesWithMask(tcdefs.MarkSeenSkipFIB, tcdefs.MarkSeenSkipFIB),
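Review bot: The new link-local exclusions match on destination only (`DestNet`), so a packet whose source is link-local but whose destination is not — the common IPv6 case, where neighbour discovery is sent from an `fe80::` address to `ff02::` multicast — still falls through to the `MarkSeenSkipFIB` rule appended right after the switch. If "exclude link-local" is meant to keep all link-local traffic on the tracked path, the IPv6 branch likely also needs a `SourceNet("fe80::/10")` rule (and IPv4 a `SourceNet("169.254.0.0/16")` one), assuming the match builder exposes `SourceNet` alongside `DestNet`; whether such packets ever carry that mark depends on the BPF program, which is not visible here. The rule comment `link-local` also says nothing about why the flow is returned, and a reader cannot see from this hunk what the untracked chain does after the mark rule, so I would spell the intent out, e.g. `Comment: []string{"link-local stays conntracked"}` if that is the effect. `StaticBPFModeRawChains` begins and ends outside the hunk.

```go
	case 6:
		bpfUntrackedFlowRules = append(bpfUntrackedFlowRules,
			generictables.Rule{
				Match:   r.NewMatch().DestNet("fe80::/10"),
				Action:  r.Return(),
				Comment: []string{"link-local"},
			},
			// Link-local-sourced traffic (e.g. NDP to ff02::/16) has a
			// non-link-local destination and would not hit the rule above.
			generictables.Rule{
				Match:   r.NewMatch().SourceNet("fe80::/10"),
				Action:  r.Return(),
				Comment: []string{"link-local source"},
			},
		)
	// … unchanged: IPv4 branch and the MarkSeenSkipFIB rule …
```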
5 changes: 5 additions & 0 deletions felix/rules/static_test.go
Expand Up @@ -1832,6 +1832,11 @@ var _ = Describe("Static", func() {

Describe("with BPF mode raw chains", func() {
staticBPFModeRawRules := []generictables.Rule{
{
Match: Match().DestNet("169.254.0.0/16"),
Action: ReturnAction{},
Comment: []string{"link-local"},
},
{
Match: Match().MarkMatchesWithMask(0x1100000, 0x1100000),
Action: ReturnAction{},
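Review bot: The expected rule table gains only the IPv4 `169.254.0.0/16` entry, while the production change in `felix/rules/static.go` adds a second, IPv6-only `fe80::/10` rule that nothing in this hunk asserts. If this `Describe` renders only with `ipVersion == 4`, an IPv6 variant of the expectation (or one table entry per family) would pin the new `switch` in `StaticBPFModeRawChains`; if the suite is already parameterised over the family elsewhere, ignore this. The `staticBPFModeRawRules` literal continues past the hunk.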
