crap: introduce cilium raw acquisition of packets

bpf/bpf_alignchecker.c

@@ -89,6 +89,7 @@ add_type(struct egress_gw_policy_entry6);
 
 #include "lib/vtep.h"
 add_type(struct vtep_key);
+add_type(struct vtep_policy_key);
 add_type(struct vtep_value);
 
 add_type(struct srv6_vrf_key4);

bpf/bpf_host.c

@@ -56,6 +56,7 @@
 #include "lib/wireguard.h"
 #include "lib/l2_responder.h"
 #include "lib/vtep.h"
+#include "lib/crap.h"
 #include "lib/subnet.h"
 
  #define host_egress_policy_hook(ctx, src_sec_identity, ext_err) CTX_ACT_OK
@@ -708,6 +709,29 @@ handle_ipv4_cont(struct __ctx_buff *ctx, __u32 secctx, const bool from_host,
 	if (!revalidate_data(ctx, &data, &data_end, &ip4))
 		return DROP_INVALID;
 
+	struct crap_key key;
+	struct crap_value *tv;
+
+	key.dst_ip = ip4->daddr;
+
+	tv = map_lookup_elem (&cilium_crap_map, &key);
+	if (tv) {
+		ep = __lookup_ip4_endpoint(tv->pod_ip);
+		if (ep) {
+			int l3_off = ETH_HLEN;
+
+			return ipv4_local_delivery(ctx, l3_off, secctx, MARK_MAGIC_IDENTITY, ip4, ep,
+						 METRIC_INGRESS, true, false, 0);
+		}
+
+	  info = lookup_ip4_remote_endpoint(tv->pod_ip, 0);
+	  if (info) {
+	    return encap_and_redirect_with_nodeid(ctx, info, secctx,
+	                  info->sec_identity, &trace,
+	                  bpf_htons(ETH_P_IP));
+	  }
+	}
+
 #ifdef ENABLE_HOST_FIREWALL
 	from_host_raw = ctx_load_and_clear_meta(ctx, CB_FROM_HOST);
 

bpf/bpf_lxc.c

@@ -56,6 +56,7 @@
 #include "lib/fib.h"
 #include "lib/nodeport.h"
 #include "lib/policy_log.h"
+#include "lib/crap.h"
 #include "lib/vtep.h"
 #include "lib/subnet.h"
 
@@ -1171,12 +1172,24 @@ ipv4_forward_to_destination(struct __ctx_buff *ctx, struct iphdr *ip4,
 #if defined(ENABLE_VTEP)
 	{
 		struct vtep_key vkey = {};
+		struct vtep_policy_key vpkey = {
+			.prefixlen = 64,
+			.src_ip = ip4->saddr,
+			.dst_ip = ip4->daddr,
+		};
 		struct vtep_value *vtep;
 
 		vkey.vtep_ip = ip4->daddr & CONFIG(vtep_mask);
 		vtep = map_lookup_elem(&cilium_vtep_map, &vkey);
-		if (!vtep)
-			goto skip_vtep;
+		if (!vtep) {
+			if (!info || info->sec_identity == WORLD_IPV4_ID) {
+				vtep = map_lookup_elem(&cilium_vtep_policy_map, &vpkey);
+				if (!vtep)
+					goto skip_vtep;
+			} else {
+				goto skip_vtep;
+			}
+		}
 
 		if (vtep->vtep_mac && vtep->tunnel_endpoint) {
 			if (eth_store_daddr(ctx, (__u8 *)&vtep->vtep_mac, 0) < 0)
@@ -1550,6 +1563,16 @@ static __always_inline int __tail_handle_ipv4(struct __ctx_buff *ctx,
 	if (!revalidate_data_pull(ctx, &data, &data_end, &ip4))
 		return DROP_INVALID;
 
+	struct crap_key key;
+	struct crap_value *tv;
+
+	key.dst_ip = ip4->saddr;
+
+	tv = map_lookup_elem (&cilium_crap_map, &key);
+	if (tv) {
+		return CTX_ACT_OK;
+	}
+
 /* If IPv4 fragmentation is disabled
  * AND a IPv4 fragmented packet is received,
  * then drop the packet.

bpf/bpf_overlay.c

@@ -42,6 +42,7 @@
 #include "lib/clustermesh.h"
 #include "lib/egress_gateway.h"
 #include "lib/tailcall.h"
+#include "lib/crap.h"
 #include "lib/vtep.h"
 #include "lib/arp.h"
 #include "lib/encap.h"
@@ -291,6 +292,22 @@ static __always_inline int handle_ipv4(struct __ctx_buff *ctx,
 	if (!revalidate_data_pull(ctx, &data, &data_end, &ip4))
 		return DROP_INVALID;
 
+	struct crap_key key;
+	struct crap_value *tv;
+
+	key.dst_ip = ip4->daddr;
+
+	tv = map_lookup_elem (&cilium_crap_map, &key);
+	if (tv) {
+		ep = __lookup_ip4_endpoint(tv->pod_ip);
+		if (ep) {
+			int l3_off = ETH_HLEN;
+
+			return ipv4_local_delivery(ctx, l3_off, SECLABEL_IPV4, MARK_MAGIC_IDENTITY, ip4, ep,
+						 METRIC_INGRESS, true, false, 0);
+		}
+	}
+
 /* If IPv4 fragmentation is disabled
  * AND a IPv4 fragmented packet is received,
  * then drop the packet.

bpf/lib/crap.h

@@ -0,0 +1,26 @@
+/* SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause) */
+/* Copyright Authors of Cilium */
+
+#pragma once
+
+#include <linux/bpf.h>
+#include <bpf/section.h>
+#include <bpf/loader.h>
+#include <lib/static_data.h>
+
+struct crap_key {
+  __u32 dst_ip;
+};
+
+struct crap_value {
+  __u32 pod_ip;
+};
+
+struct {
+  __uint(type, BPF_MAP_TYPE_HASH);
+  __type(key, struct crap_key);
+  __type(value, struct crap_value);
+  __uint(pinning, LIBBPF_PIN_BY_NAME);
+  __uint(max_entries, 8192);
+  __uint(map_flags, BPF_F_NO_PREALLOC);
+} cilium_crap_map __section_maps_btf;

bpf/lib/vtep.h

@@ -12,6 +12,12 @@ struct vtep_key {
 	__u32 vtep_ip;
 };
 
+struct vtep_policy_key {
+	__u32 prefixlen;
+	__u32 src_ip;
+	__u32 dst_ip;
+};
+
 struct vtep_value {
 	__u64 vtep_mac;
 	__u32 tunnel_endpoint;
@@ -26,6 +32,15 @@ struct {
 	__uint(max_entries, VTEP_MAP_SIZE);
 	__uint(map_flags, CONDITIONAL_PREALLOC);
 } cilium_vtep_map __section_maps_btf;
+
+struct {
+	__uint(type, BPF_MAP_TYPE_LPM_TRIE);
+	__type(key, struct vtep_policy_key);
+	__type(value, struct vtep_value);
+	__uint(pinning, LIBBPF_PIN_BY_NAME);
+	__uint(max_entries, VTEP_POLICY_MAP_SIZE);
+	__uint(map_flags, BPF_F_NO_PREALLOC);
+} cilium_vtep_policy_map __section_maps_btf;
 #endif /* ENABLE_VTEP */
 
 DECLARE_CONFIG(__u32, vtep_mask, "VXLAN tunnel endpoint network mask")

bpf/node_config.h

@@ -111,6 +111,7 @@
 #define THROTTLE_MAP_SIZE 65536
 #define ENABLE_ARP_RESPONDER
 #define VTEP_MAP_SIZE 8
+#define VTEP_POLICY_MAP_SIZE 16384
 #define ENDPOINTS_MAP_SIZE 65536
 #define METRICS_MAP_SIZE 65536
 #define CILIUM_NET_MAC  { .addr = { 0xce, 0x72, 0xa7, 0x03, 0x88, 0x57 } }

bugtool/cmd/configuration.go

@@ -132,6 +132,7 @@ var bpfMapsPath = []string{
 	"tc/globals/cilium_snat_v4_alloc_retries",
 	"tc/globals/cilium_snat_v6_alloc_retries",
 	"tc/globals/cilium_vtep_map",
+	"tc/globals/cilium_vtep_policy_map",
 	"tc/globals/cilium_l2_responder_v4",
 	"tc/globals/cilium_l2_responder_v6",
 	"tc/globals/cilium_ratelimit",

cilium-dbg/cmd/bpf_crap.go

@@ -0,0 +1,18 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Cilium
+
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+)
+
+// BPFCrapCmd represents the bpf command
+var BPFCrapCmd = &cobra.Command{
+	Use:   "crap",
+	Short: "Manage the CRAP rules",
+}
+
+func init() {
+	BPFCmd.AddCommand(BPFCrapCmd)
+}