WIP

Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com>
cilium · Apr 25, 2024 · 6bb5d7b · 6bb5d7b
1 parent 65ba271
commit 6bb5d7b
Show file tree

Hide file tree

Showing 111 changed files with 563 additions and 1,146 deletions.
diff --git a/bpf/Makefile b/bpf/Makefile
@@ -34,12 +34,12 @@ LB_OPTIONS = \
 	-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_NODEPORT:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_SESSION_AFFINITY:-DENABLE_SRC_RANGE_CHECK: \
 	-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_NODEPORT:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_SESSION_AFFINITY:-DENABLE_BANDWIDTH_MANAGER: \
 	-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_NODEPORT:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_SESSION_AFFINITY:-DENABLE_BANDWIDTH_MANAGER:-DENABLE_SRC_RANGE_CHECK: \
-	-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_NODEPORT:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_SESSION_AFFINITY:-DENABLE_BANDWIDTH_MANAGER:-DENABLE_SRC_RANGE_CHECK:-DLB_SELECTION:-DLB_SELECTION_MAGLEV: \
-	-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_NODEPORT:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_SESSION_AFFINITY:-DENABLE_BANDWIDTH_MANAGER:-DENABLE_SRC_RANGE_CHECK:-DLB_SELECTION:-DLB_SELECTION_MAGLEV:-DENABLE_SOCKET_LB_HOST_ONLY: \
-	-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_NODEPORT:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_SESSION_AFFINITY:-DENABLE_BANDWIDTH_MANAGER:-DENABLE_SRC_RANGE_CHECK:-DLB_SELECTION:-DLB_SELECTION_MAGLEV:-DENABLE_SOCKET_LB_HOST_ONLY:-DENABLE_L7_LB:-DENABLE_SCTP: \
-	-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_NODEPORT:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_SESSION_AFFINITY:-DENABLE_BANDWIDTH_MANAGER:-DENABLE_SRC_RANGE_CHECK:-DLB_SELECTION:-DLB_SELECTION_MAGLEV:-DENABLE_SOCKET_LB_HOST_ONLY:-DENABLE_L7_LB:-DENABLE_SCTP:-DENABLE_VTEP: \
-	-DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DENABLE_NODEPORT:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_DSR:-DDSR_ENCAP_MODE:-DDSR_ENCAP_GENEVE:-DENABLE_SESSION_AFFINITY:-DENABLE_BANDWIDTH_MANAGER:-DENABLE_SRC_RANGE_CHECK:-DLB_SELECTION:-DLB_SELECTION_MAGLEV:-DENABLE_SOCKET_LB_HOST_ONLY:-DENABLE_L7_LB:-DENABLE_SCTP:-DENABLE_HIGH_SCALE_IPCACHE:-DDSR_ENCAP_IPIP=2 \
-	-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_NODEPORT:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_SESSION_AFFINITY:-DENABLE_BANDWIDTH_MANAGER:-DENABLE_SRC_RANGE_CHECK:-DLB_SELECTION:-DLB_SELECTION_MAGLEV:-DENABLE_SOCKET_LB_HOST_ONLY:-DENABLE_L7_LB:-DENABLE_SCTP:-DENABLE_VTEP:-DENABLE_CLUSTER_AWARE_ADDRESSING:-DENABLE_INTER_CLUSTER_SNAT:
+	-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_NODEPORT:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_SESSION_AFFINITY:-DENABLE_BANDWIDTH_MANAGER:-DENABLE_SRC_RANGE_CHECK:-DLB_SELECTION=LB_SELECTION_MAGLEV \
+	-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_NODEPORT:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_SESSION_AFFINITY:-DENABLE_BANDWIDTH_MANAGER:-DENABLE_SRC_RANGE_CHECK:-DLB_SELECTION=LB_SELECTION_MAGLEV -DENABLE_SOCKET_LB_HOST_ONLY: \
+	-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_NODEPORT:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_SESSION_AFFINITY:-DENABLE_BANDWIDTH_MANAGER:-DENABLE_SRC_RANGE_CHECK:-DLB_SELECTION=LB_SELECTION_MAGLEV -DENABLE_SOCKET_LB_HOST_ONLY:-DENABLE_L7_LB:-DENABLE_SCTP: \
+	-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_NODEPORT:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_SESSION_AFFINITY:-DENABLE_BANDWIDTH_MANAGER:-DENABLE_SRC_RANGE_CHECK:-DLB_SELECTION=LB_SELECTION_MAGLEV -DENABLE_SOCKET_LB_HOST_ONLY:-DENABLE_L7_LB:-DENABLE_SCTP:-DENABLE_VTEP: \
+	-DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DENABLE_NODEPORT:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_DSR:-DDSR_ENCAP_MODE=DSR_ENCAP_GENEVE -DENABLE_SESSION_AFFINITY:-DENABLE_BANDWIDTH_MANAGER:-DENABLE_SRC_RANGE_CHECK:-DLB_SELECTION=LB_SELECTION_MAGLEV -DENABLE_SOCKET_LB_HOST_ONLY:-DENABLE_L7_LB:-DENABLE_SCTP:-DENABLE_HIGH_SCALE_IPCACHE \
+	-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_NODEPORT:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_SESSION_AFFINITY:-DENABLE_BANDWIDTH_MANAGER:-DENABLE_SRC_RANGE_CHECK:-DLB_SELECTION=LB_SELECTION_MAGLEV -DENABLE_SOCKET_LB_HOST_ONLY:-DENABLE_L7_LB:-DENABLE_SCTP:-DENABLE_VTEP:-DENABLE_CLUSTER_AWARE_ADDRESSING:-DENABLE_INTER_CLUSTER_SNAT:
 
 # These options are intended to max out the BPF program complexity. it is load
 # tested as well.
@@ -62,12 +62,12 @@ endif
 
 ifndef MAX_LB_OPTIONS
 MAX_LB_OPTIONS = $(MAX_BASE_OPTIONS) -DENABLE_NAT_46X64=1 -DENABLE_NAT_46X64_GATEWAY=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1
-MAX_LB_OPTIONS += -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1
+MAX_LB_OPTIONS += -DLB_SELECTION=LB_SELECTION_MAGLEV
 endif
 
 ifndef MAX_OVERLAY_OPTIONS
 MAX_OVERLAY_OPTIONS = $(MAX_BASE_OPTIONS) -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_MULTICAST=1
-MAX_OVERLAY_OPTIONS += -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1
+MAX_OVERLAY_OPTIONS += -DLB_SELECTION=LB_SELECTION_MAGLEV
 ifneq ($(KERNEL),54)
 MAX_OVERLAY_OPTIONS += -DENABLE_WIREGUARD=1
 endif
@@ -96,7 +96,7 @@ HOST_OPTIONS = $(LXC_OPTIONS) \
 	-DDISABLE_LOOPBACK_LB:-DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DPOLICY_VERDICT_NOTIFY:-DENABLE_NODEPORT:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_DSR:-DENABLE_DSR_HYBRID:-DENABLE_PREFILTER:-DENABLE_SESSION_AFFINITY:-DENABLE_HOST_FIREWALL:-DENABLE_ICMP_RULE:-DENABLE_SRV6:-DENABLE_MULTICAST:-DENCRYPTED_OVERLAY: \
 	-DDISABLE_LOOPBACK_LB:-DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DPOLICY_VERDICT_NOTIFY:-DENABLE_NODEPORT:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_DSR:-DENABLE_DSR_HYBRID:-DENABLE_PREFILTER:-DENABLE_SESSION_AFFINITY:-DENABLE_HOST_FIREWALL:-DENABLE_ICMP_RULE:-DENABLE_SRV6:-DENABLE_SRV6_SRH_ENCAP:-DENABLE_SCTP:-DENABLE_MULTICAST:-DENCRYPTED_OVERLAY: \
 	-DDISABLE_LOOPBACK_LB:-DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DPOLICY_VERDICT_NOTIFY:-DENABLE_NODEPORT:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_DSR:-DENABLE_DSR_HYBRID:-DENABLE_PREFILTER:-DENABLE_SESSION_AFFINITY:-DENABLE_HOST_FIREWALL:-DENABLE_ICMP_RULE:-DENABLE_SRV6:-DENABLE_SRV6_SRH_ENCAP:-DENABLE_SCTP:-DENABLE_VTEP:-DENABLE_MULTICAST:-DENCRYPTED_OVERLAY: \
-	-DDISABLE_LOOPBACK_LB:-DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DPOLICY_VERDICT_NOTIFY:-DENABLE_NODEPORT:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_DSR:-DDSR_ENCAP_MODE:-DDSR_ENCAP_GENEVE:-DENABLE_PREFILTER:-DENABLE_SESSION_AFFINITY:-DENABLE_HOST_FIREWALL:-DENABLE_ICMP_RULE:-DENABLE_SRV6:-DENABLE_SRV6_SRH_ENCAP:-DENCRYPTED_OVERLAY:-DENABLE_SCTP:-DENABLE_VTEP:-DENABLE_HIGH_SCALE_IPCACHE:-DDSR_ENCAP_IPIP=2 \
+	-DDISABLE_LOOPBACK_LB:-DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DPOLICY_VERDICT_NOTIFY:-DENABLE_NODEPORT:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_DSR:-DDSR_ENCAP_MODE=DSR_ENCAP_GENEVE -DENABLE_PREFILTER:-DENABLE_SESSION_AFFINITY:-DENABLE_HOST_FIREWALL:-DENABLE_ICMP_RULE:-DENABLE_SRV6:-DENABLE_SRV6_SRH_ENCAP:-DENCRYPTED_OVERLAY:-DENABLE_SCTP:-DENABLE_VTEP:-DENABLE_HIGH_SCALE_IPCACHE \
 
 ifndef MAX_HOST_OPTIONS
 MAX_HOST_OPTIONS = $(MAX_BASE_OPTIONS) -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1
@@ -117,16 +117,16 @@ XDP_OPTIONS = $(LB_OPTIONS) \
 	-DDISABLE_LOOPBACK_LB:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DENABLE_DSR_HYBRID: \
 	-DDISABLE_LOOPBACK_LB:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DENABLE_DSR_HYBRID:-DTUNNEL_MODE:-DTUNNEL_PROTOCOL=TUNNEL_PROTOCOL_VXLAN \
 	-DDISABLE_LOOPBACK_LB:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DENABLE_DSR_HYBRID:-DTUNNEL_MODE:-DTUNNEL_PROTOCOL=TUNNEL_PROTOCOL_GENEVE \
-	-DDISABLE_LOOPBACK_LB:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DDSR_ENCAP_MODE:-DDSR_ENCAP_NONE:-DDSR_ENCAP_IPIP=2 \
-	-DDISABLE_LOOPBACK_LB:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DDSR_ENCAP_MODE:-DDSR_ENCAP_IPIP:-DDSR_ENCAP_NONE=2 \
-	-DDISABLE_LOOPBACK_LB:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DDSR_ENCAP_MODE:-DDSR_ENCAP_GENEVE:-DDSR_ENCAP_IPIP=2 \
-	-DDISABLE_LOOPBACK_LB:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DENABLE_CAPTURE:-DDSR_ENCAP_MODE:-DDSR_ENCAP_NONE:-DDSR_ENCAP_IPIP=2 \
-	-DDISABLE_LOOPBACK_LB:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DENABLE_CAPTURE:-DDSR_ENCAP_MODE:-DDSR_ENCAP_IPIP:-DENABLE_SCTP:-DDSR_ENCAP_NONE=2 \
-	-DDISABLE_LOOPBACK_LB:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DENABLE_CAPTURE:-DDSR_ENCAP_MODE:-DDSR_ENCAP_GENEVE:-DENABLE_SCTP:-DDSR_ENCAP_IPIP=2
+	-DDISABLE_LOOPBACK_LB:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DDSR_ENCAP_MODE=DSR_ENCAP_NONE \
+	-DDISABLE_LOOPBACK_LB:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DDSR_ENCAP_MODE=DSR_ENCAP_IPIP \
+	-DDISABLE_LOOPBACK_LB:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DDSR_ENCAP_MODE=DSR_ENCAP_GENEVE \
+	-DDISABLE_LOOPBACK_LB:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DENABLE_CAPTURE:-DDSR_ENCAP_MODE=DSR_ENCAP_NONE \
+	-DDISABLE_LOOPBACK_LB:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DENABLE_CAPTURE:-DDSR_ENCAP_MODE=DSR_ENCAP_IPIP -DENABLE_SCTP \
+	-DDISABLE_LOOPBACK_LB:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DENABLE_CAPTURE:-DDSR_ENCAP_MODE=DSR_ENCAP_GENEVE -DENABLE_SCTP
 
 ifndef MAX_XDP_OPTIONS
 MAX_XDP_OPTIONS = $(MAX_BASE_OPTIONS) -DENABLE_PREFILTER=1
-MAX_XDP_OPTIONS += -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1
+MAX_XDP_OPTIONS += -DLB_SELECTION=LB_SELECTION_MAGLEV
 endif
 
 # The following option combinations are compile tested

diff --git a/bpf/Makefile.bpf b/bpf/Makefile.bpf
@@ -7,6 +7,9 @@ CLANG_FLAGS := ${FLAGS} --target=bpf -std=gnu89 -nostdinc
 # eBPF verifier enforces unaligned access checks where necessary, so don't
 # let clang complain too early.
 CLANG_FLAGS += -Wall -Wextra -Werror -Wshadow
+CLANG_FLAGS += -Wno-unused-function
+#CLANG_FLAGS += -Wno-unused-variable
+#CLANG_FLAGS += -Wno-unused-parameter
 CLANG_FLAGS += -Wno-address-of-packed-member
 CLANG_FLAGS += -Wno-unknown-warning-option
 CLANG_FLAGS += -Wno-gnu-variable-sized-type-not-at-end

diff --git a/bpf/bpf_host.c b/bpf/bpf_host.c
@@ -62,7 +62,6 @@ static __always_inline bool allow_vlan(__u32 __maybe_unused ifindex, __u32 __may
 	VLAN_FILTER(ifindex, vlan_id);
 }
 
-#if defined(ENABLE_IPV4) || defined(ENABLE_IPV6)
 static __always_inline int rewrite_dmac_to_host(struct __ctx_buff *ctx)
 {
 	/* When attached to cilium_host, we rewrite the DMAC to the mac of
@@ -78,18 +77,19 @@ static __always_inline int rewrite_dmac_to_host(struct __ctx_buff *ctx)
 	return CTX_ACT_OK;
 }
 
-#define SECCTX_FROM_IPCACHE_OK	2
-#ifndef SECCTX_FROM_IPCACHE
-# define SECCTX_FROM_IPCACHE	0
-#endif
-
 static __always_inline bool identity_from_ipcache_ok(void)
 {
+	#define SECCTX_FROM_IPCACHE_OK 2
+
+	#if defined(ENABLE_IPV4) || defined(ENABLE_IPV6)
+	#ifndef SECCTX_FROM_IPCACHE
+	#define SECCTX_FROM_IPCACHE	0
+	#endif
+	#endif
+
 	return SECCTX_FROM_IPCACHE == SECCTX_FROM_IPCACHE_OK;
 }
-#endif
 
-#ifdef ENABLE_IPV6
 static __always_inline __u32
 resolve_srcid_ipv6(struct __ctx_buff *ctx, struct ipv6hdr *ip6,
 		   __u32 srcid_from_ipcache, __u32 *sec_identity,
@@ -481,7 +481,6 @@ int tail_handle_ipv6_from_netdev(struct __ctx_buff *ctx)
 	return tail_handle_ipv6(ctx, 0, false);
 }
 
-# ifdef ENABLE_HOST_FIREWALL
 static __always_inline int
 handle_to_netdev_ipv6(struct __ctx_buff *ctx, __u32 src_sec_identity,
 		      struct trace_ctx *trace, __s8 *ext_err)
@@ -514,10 +513,7 @@ handle_to_netdev_ipv6(struct __ctx_buff *ctx, __u32 src_sec_identity,
 	/* to-netdev is attached to the egress path of the native device. */
 	return ipv6_host_policy_egress(ctx, srcid, ipcache_srcid, ip6, trace, ext_err);
 }
-#endif /* ENABLE_HOST_FIREWALL */
-#endif /* ENABLE_IPV6 */
 
-#ifdef ENABLE_IPV4
 static __always_inline __u32
 resolve_srcid_ipv4(struct __ctx_buff *ctx, struct iphdr *ip4,
 		   __u32 srcid_from_proxy, __u32 *sec_identity,
@@ -937,7 +933,6 @@ int tail_handle_ipv4_from_netdev(struct __ctx_buff *ctx)
 	return tail_handle_ipv4(ctx, 0, false);
 }
 
-#ifdef ENABLE_HOST_FIREWALL
 static __always_inline int
 handle_to_netdev_ipv4(struct __ctx_buff *ctx, __u32 src_sec_identity,
 		      struct trace_ctx *trace, __s8 *ext_err)
@@ -957,18 +952,15 @@ handle_to_netdev_ipv4(struct __ctx_buff *ctx, __u32 src_sec_identity,
 	 */
 	return ipv4_host_policy_egress(ctx, src_id, ipcache_srcid, ip4, trace, ext_err);
 }
-#endif /* ENABLE_HOST_FIREWALL */
-#endif /* ENABLE_IPV4 */
 
-#if defined(ENABLE_IPSEC) && defined(TUNNEL_MODE)
 static __always_inline int do_netdev_encrypt_encap(struct __ctx_buff *ctx, __u32 src_id)
 {
 	struct trace_ctx trace = {
 		.reason = TRACE_REASON_ENCRYPTED,
 		.monitor = 0,
 	};
 	struct remote_endpoint_info *ep = NULL;
-	void *data, *data_end;
+	void __maybe_unused *data, __maybe_unused *data_end;
 	struct ipv6hdr *ip6 __maybe_unused;
 	struct iphdr *ip4 __maybe_unused;
 	__u16 proto;
@@ -1000,9 +992,7 @@ static __always_inline int do_netdev_encrypt_encap(struct __ctx_buff *ctx, __u32
 	return encap_and_redirect_with_nodeid(ctx, ep->tunnel_endpoint, 0,
 					      src_id, 0, &trace);
 }
-#endif /* ENABLE_IPSEC && TUNNEL_MODE */
 
-#ifdef ENABLE_L2_ANNOUNCEMENTS
 static __always_inline int handle_l2_announcement(struct __ctx_buff *ctx)
 {
 	union macaddr mac = NODE_MAC;
@@ -1042,7 +1032,6 @@ static __always_inline int handle_l2_announcement(struct __ctx_buff *ctx)
 
 	return ret;
 };
-#endif
 
 static __always_inline int
 do_netdev(struct __ctx_buff *ctx, __u16 proto, const bool from_host)
@@ -1308,7 +1297,6 @@ int cil_from_host(struct __ctx_buff *ctx)
 	return handle_netdev(ctx, true);
 }
 
-#if defined(ENABLE_ENCRYPTED_OVERLAY)
 /*
  * If the traffic should be encrypted then CTX_ACT_REDIRECT is returned.
  * Unless an error occurred, and the caller can return this code to TC.
@@ -1331,7 +1319,6 @@ static __always_inline int do_encrypt_overlay(struct __ctx_buff *ctx)
 
 	return ret;
 };
-#endif /* ENABLE_ENCRYPTED_OVERLAY */
 
 /*
  * to-netdev is attached as a tc egress filter to one or more physical devices
@@ -1609,8 +1596,6 @@ int cil_to_host(struct __ctx_buff *ctx)
 	return ret;
 }
 
-#if defined(ENABLE_HOST_FIREWALL)
-#ifdef ENABLE_IPV6
 __section_tail(CILIUM_MAP_CALLS, CILIUM_CALL_IPV6_TO_HOST_POLICY_ONLY)
 static __always_inline
 int tail_ipv6_host_policy_ingress(struct __ctx_buff *ctx)
@@ -1629,9 +1614,7 @@ int tail_ipv6_host_policy_ingress(struct __ctx_buff *ctx)
 						  CTX_ACT_DROP, METRIC_INGRESS);
 	return ret;
 }
-#endif /* ENABLE_IPV6 */
 
-#ifdef ENABLE_IPV4
 __section_tail(CILIUM_MAP_CALLS, CILIUM_CALL_IPV4_TO_HOST_POLICY_ONLY)
 static __always_inline
 int tail_ipv4_host_policy_ingress(struct __ctx_buff *ctx)
@@ -1650,7 +1633,6 @@ int tail_ipv4_host_policy_ingress(struct __ctx_buff *ctx)
 						  CTX_ACT_DROP, METRIC_INGRESS);
 	return ret;
 }
-#endif /* ENABLE_IPV4 */
 
 static __always_inline int
 /* Handles packet from a local endpoint entering the host namespace. Applies
@@ -1710,14 +1692,14 @@ to_host_from_lxc(struct __ctx_buff *ctx __maybe_unused)
  * control back to bpf_lxc.
  */
 static __always_inline int
-from_host_to_lxc(struct __ctx_buff *ctx, __s8 *ext_err)
+from_host_to_lxc(struct __ctx_buff *ctx, __s8 __maybe_unused *ext_err)
 {
-	struct trace_ctx trace = {
+	struct trace_ctx __maybe_unused trace = {
 		.reason = TRACE_REASON_UNKNOWN,
 		.monitor = 0,
 	};
 	int ret = CTX_ACT_OK;
-	void *data, *data_end;
+	void __maybe_unused *data, __maybe_unused *data_end;
 	struct iphdr *ip4 __maybe_unused;
 	struct ipv6hdr *ip6 __maybe_unused;
 	__u16 proto = 0;
@@ -1790,6 +1772,5 @@ int handle_lxc_traffic(struct __ctx_buff *ctx)
 
 	return to_host_from_lxc(ctx);
 }
-#endif /* ENABLE_HOST_FIREWALL */
 
 BPF_LICENSE("Dual BSD/GPL");
diff --git a/bpf/bpf_lxc.c b/bpf/bpf_lxc.c
@@ -69,9 +69,6 @@
 # define ENABLE_PER_PACKET_LB 1
 #endif
 
-#ifdef ENABLE_PER_PACKET_LB
-
-#ifdef ENABLE_IPV4
 static __always_inline int __per_packet_lb_svc_xlate_4(void *ctx, struct iphdr *ip4,
 						       __s8 *ext_err)
 {
@@ -123,9 +120,7 @@ static __always_inline int __per_packet_lb_svc_xlate_4(void *ctx, struct iphdr *
 	lb4_ctx_store_state(ctx, &ct_state_new, proxy_port, cluster_id);
 	return tail_call_internal(ctx, CILIUM_CALL_IPV4_CT_EGRESS, ext_err);
 }
-#endif /* ENABLE_IPV4 */
 
-#ifdef ENABLE_IPV6
 static __always_inline int __per_packet_lb_svc_xlate_6(void *ctx, struct ipv6hdr *ip6,
 						       __s8 *ext_err)
 {
@@ -180,15 +175,12 @@ static __always_inline int __per_packet_lb_svc_xlate_6(void *ctx, struct ipv6hdr
 	lb6_ctx_store_state(ctx, &ct_state_new, proxy_port);
 	return tail_call_internal(ctx, CILIUM_CALL_IPV6_CT_EGRESS, ext_err);
 }
-#endif /* ENABLE_IPV6 */
 
-#endif
 
 #if defined(ENABLE_ARP_PASSTHROUGH) && defined(ENABLE_ARP_RESPONDER)
 #error "Either ENABLE_ARP_PASSTHROUGH or ENABLE_ARP_RESPONDER can be defined"
 #endif
 
-#ifdef ENABLE_IPV4
 static __always_inline void *
 select_ct_map4(struct __ctx_buff *ctx __maybe_unused, int dir __maybe_unused,
 	       struct ipv4_ct_tuple *tuple)
@@ -202,9 +194,7 @@ select_ct_map4(struct __ctx_buff *ctx __maybe_unused, int dir __maybe_unused,
 #endif
 	return get_cluster_ct_map4(tuple, cluster_id);
 }
-#endif
 
-#if defined ENABLE_IPV4 || defined ENABLE_IPV6
 static __always_inline int drop_for_direction(struct __ctx_buff *ctx,
 					      enum ct_dir dir, __u32 reason,
 					      __s8 ext_err)
@@ -247,7 +237,7 @@ static __always_inline int drop_for_direction(struct __ctx_buff *ctx,
 	return send_drop_notify_ext(ctx, src_label, dst, dst_id, reason,
 				    ext_err, CTX_ACT_DROP, m_dir);
 }
-#endif /* ENABLE_IPV4 || ENABLE_IPV6 */
+
 
 #define TAIL_CT_LOOKUP4(ID, NAME, DIR, CONDITION, TARGET_ID, TARGET_NAME)	\
 __section_tail(CILIUM_MAP_CALLS, ID)						\
@@ -342,7 +332,6 @@ int NAME(struct __ctx_buff *ctx)						\
 	return ret;								\
 }
 
-#ifdef ENABLE_CUSTOM_CALLS
 /* Encode return value and identity into cb buffer. This is used before
  * executing tail calls to custom programs. "ret" is the return value supposed
  * to be returned to the kernel, needed by the callee to preserve the datapath
@@ -367,9 +356,7 @@ encode_custom_prog_meta(struct __ctx_buff *ctx, int ret, __u32 identity)
 	ctx_store_meta(ctx, CB_CUSTOM_CALLS, custom_meta);
 	return 0;
 }
-#endif
 
-#ifdef ENABLE_IPV6
 struct {
 	__uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
 	__type(key, __u32);
@@ -803,9 +790,7 @@ int tail_handle_ipv6(struct __ctx_buff *ctx)
 						  CTX_ACT_DROP, METRIC_EGRESS);
 	return ret;
 }
-#endif /* ENABLE_IPV6 */
 
-#ifdef ENABLE_IPV4
 struct {
 	__uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
 	__type(key, __u32);
@@ -1447,7 +1432,7 @@ int tail_handle_arp(struct __ctx_buff *ctx)
 	return arp_respond(ctx, &mac, tip, &smac, sip, 0);
 }
 #endif /* ENABLE_ARP_RESPONDER */
-#endif /* ENABLE_IPV4 */
+
 
 /* Attachment/entry point is ingress for veth.
  * It corresponds to packets leaving the container.
@@ -1506,7 +1491,6 @@ int cil_from_container(struct __ctx_buff *ctx)
 	return ret;
 }
 
-#ifdef ENABLE_IPV6
 static __always_inline int
 ipv6_policy(struct __ctx_buff *ctx, struct ipv6hdr *ip6, int ifindex, __u32 src_label,
 	    struct ipv6_ct_tuple *tuple_out, __s8 *ext_err, __u16 *proxy_port,
@@ -1826,9 +1810,7 @@ TAIL_CT_LOOKUP6(CILIUM_CALL_IPV6_CT_INGRESS_POLICY_ONLY,
 
 TAIL_CT_LOOKUP6(CILIUM_CALL_IPV6_CT_INGRESS, tail_ipv6_ct_ingress, CT_INGRESS,
 		1, CILIUM_CALL_IPV6_TO_ENDPOINT, tail_ipv6_to_endpoint)
-#endif /* ENABLE_IPV6 */
 
-#ifdef ENABLE_IPV4
 static __always_inline int
 ipv4_policy(struct __ctx_buff *ctx, struct iphdr *ip4, int ifindex, __u32 src_label,
 	    struct ipv4_ct_tuple *tuple_out, __s8 *ext_err, __u16 *proxy_port,
@@ -2280,7 +2262,7 @@ TAIL_CT_LOOKUP4(CILIUM_CALL_IPV4_CT_INGRESS_POLICY_ONLY,
 
 TAIL_CT_LOOKUP4(CILIUM_CALL_IPV4_CT_INGRESS, tail_ipv4_ct_ingress, CT_INGRESS,
 		1, CILIUM_CALL_IPV4_TO_ENDPOINT, tail_ipv4_to_endpoint)
-#endif /* ENABLE_IPV4 */
+
 
 /* Handle policy decisions as the packet makes its way towards the endpoint.
  * Previously, the packet may have come from another local endpoint, another