| Message ID | cover.1658759380.git.paul@isovalent.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | bpf: Allow any source IP in bpf_skb_set_tunnel_key | expand |
Hello: This series was applied to bpf/bpf-next.git (master) by Daniel Borkmann <daniel@iogearbox.net>: On Mon, 25 Jul 2022 16:31:07 +0200 you wrote: > Commit 26101f5ab6bd ("bpf: Add source ip in "struct bpf_tunnel_key"") > added support for getting and setting the outer source IP of encapsulated > packets via the bpf_skb_{get,set}_tunnel_key BPF helper. This change > allows BPF programs to set any IP address as the source, including for > example the IP address of a container running on the same host. > > In that last case, however, the encapsulated packets are dropped when > looking up the route because the source IP address isn't assigned to any > interface on the host. To avoid this, we need to set the > FLOWI_FLAG_ANYSRC flag. > > [...] Here is the summary with links: - [bpf-next,v3,1/5] ip_tunnels: Add new flow flags field to ip_tunnel_key https://git.kernel.org/bpf/bpf-next/c/451ef36bd229 - [bpf-next,v3,2/5] vxlan: Use ip_tunnel_key flow flags in route lookups https://git.kernel.org/bpf/bpf-next/c/7e2fb8bc7ef6 - [bpf-next,v3,3/5] geneve: Use ip_tunnel_key flow flags in route lookups https://git.kernel.org/bpf/bpf-next/c/861396ac0b47 - [bpf-next,v3,4/5] bpf: Set flow flag to allow any source IP in bpf_tunnel_key https://git.kernel.org/bpf/bpf-next/c/b8fff748521c - [bpf-next,v3,5/5] selftests/bpf: Don't assign outer source IP to host https://git.kernel.org/bpf/bpf-next/c/1115169f47ae You are awesome, thank you!
Commit 26101f5ab6bd ("bpf: Add source ip in "struct bpf_tunnel_key"") added support for getting and setting the outer source IP of encapsulated packets via the bpf_skb_{get,set}_tunnel_key BPF helper. This change allows BPF programs to set any IP address as the source, including for example the IP address of a container running on the same host. In that last case, however, the encapsulated packets are dropped when looking up the route because the source IP address isn't assigned to any interface on the host. To avoid this, we need to set the FLOWI_FLAG_ANYSRC flag. Changes in v3: - Rebased on top of bpf-next. - Reworked the last patch, for the selftests. Several changes were required to the existing vxlan_tunnel test to be able to test the change in the bpf_skb_set_tunnel_key helper. - Apart from the rebase, only the last selftests patch changed, so I kept the Reviewed-by and Acked-by tags on other patches. Changes in v2: - Removed changes to IPv6 code paths as they are unnecessary. Paul Chaignon (5): ip_tunnels: Add new flow flags field to ip_tunnel_key vxlan: Use ip_tunnel_key flow flags in route lookups geneve: Use ip_tunnel_key flow flags in route lookups bpf: Set flow flag to allow any source IP in bpf_tunnel_key selftests/bpf: Don't assign outer source IP to host drivers/net/geneve.c | 1 + drivers/net/vxlan/vxlan_core.c | 11 ++- include/net/ip_tunnels.h | 1 + net/core/filter.c | 1 + .../selftests/bpf/prog_tests/test_tunnel.c | 17 +++- .../selftests/bpf/progs/test_tunnel_kern.c | 80 ++++++++++++++++--- 6 files changed, 96 insertions(+), 15 deletions(-)