Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

loader: infrastructure for attaching SKB programs using the tcx API #32202

Closed
wants to merge 3 commits into from
Closed

loader: infrastructure for attaching SKB programs using the tcx API #32202

wants to merge 3 commits into from

Commits on Apr 26, 2024

  1. loader: infrastructure for attaching SKB programs using the tcx API 

    This commit adds the necessary infrastructure to attach bpf programs operating
on sk_buff using the kernel's new tcx hook.

Enabling the functionality in the agent's endpoint attachment path happens in
a follow-up commit.

Signed-off-by: Robin Gögge <r.goegge@isovalent.com>
Co-authored-by: Timo Beckers <timo@isovalent.com>
    @rgo3 @ti-mo
    rgo3 and ti-mo committed Apr 26, 2024
    Configuration menu
    Copy the full SHA
    be46dff View commit details
    Browse the repository at this point in the history

  2. loader: attach skb programs using tcx by default, add enableTCX Helm … 

    …value

This commit puts the tcx logic in the endpoint attachment path and enables
it by default. The 'enableTCX' Helm value is added to disable tcx attachments
if external tooling hasn't caught up yet, as attaching a tcx program to an
interface disables the legacy tc pipeline.

The agent upgrades and downgrades interfaces seamlessly based on tcx being
enabled or not, so any existing workloads are migrated automatically at
runtime, without having to reboot the node.

Signed-off-by: Timo Beckers <timo@isovalent.com>
    @ti-mo
    ti-mo committed Apr 26, 2024
    Configuration menu
    Copy the full SHA
    5b42a5f View commit details
    Browse the repository at this point in the history

  3. bpf, tcx: Clear tc_classid field 

    This is needed for tcx given it does not automatically clear the
tc_classid cb field and could contain garbage from upper layers
of the stack. This later maps to skb->tc_index and given in Cilium
code we utilize it, we should explicitly zero the field like we
do with other cb buffers.

Under tcx and endpoint routes, the test below breaks if the field
if not cleared:

  ./cilium-cli connectivity test --test client-ingress

After the fix the test passes.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    @borkmann @ti-mo
    borkmann authored and ti-mo committed Apr 26, 2024
    Configuration menu
    Copy the full SHA
    cd1f9a3 View commit details
    Browse the repository at this point in the history