loader: infrastructure for attaching SKB programs using the tcx API #32202

Closed

@ti-mo ti-mo commented Apr 26, 2024

Split off from #30103, this pulls out the tcx infrastructure so it can be merged without enabling the feature.

@rgo3

This commit adds the necessary infrastructure to attach bpf programs operating
on sk_buff using the kernel's new tcx hook.

Enabling the functionality in the agent's endpoint attachment path happens in
a follow-up commit.

Signed-off-by: Robin Gögge <r.goegge@isovalent.com>
Co-authored-by: Timo Beckers <timo@isovalent.com>
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Apr 26, 2024
@ti-mo ti-mo added the release-note/misc This PR makes changes that have no direct user impact. label Apr 26, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Apr 26, 2024

ti-mo commented Apr 26, 2024

/test

…value

This commit puts the tcx logic in the endpoint attachment path and enables
it by default. The 'enableTCX' Helm value is added to disable tcx attachments
if external tooling hasn't caught up yet, as attaching a tcx program to an
interface disables the legacy tc pipeline.

The agent upgrades and downgrades interfaces seamlessly based on tcx being
enabled or not, so any existing workloads are migrated automatically at
runtime, without having to reboot the node.

Signed-off-by: Timo Beckers <timo@isovalent.com>

This is needed for tcx given it does not automatically clear the
tc_classid cb field and could contain garbage from upper layers
of the stack. This later maps to skb->tc_index and given in Cilium
code we utilize it, we should explicitly zero the field like we
do with other cb buffers.

Under tcx and endpoint routes, the test below breaks if the field
is not cleared:

  ./cilium-cli connectivity test --test client-ingress

After the fix the test passes.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>

ti-mo commented Apr 26, 2024

/test

@ti-mo ti-mo closed this Apr 29, 2024