Merge pull request #8679 from sridhartigera/bpf-icmpv6

Do wep rpf and natOutgoing SNAT only for icmpv6 only if src is not link local
projectcalico · Apr 2, 2024 · 9bb0b7e · 9bb0b7e
2 parents f6bdfe3 + 9555d01
commit 9bb0b7e
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 2 deletions.
diff --git a/felix/bpf-gpl/ip_addr.h b/felix/bpf-gpl/ip_addr.h
@@ -47,7 +47,7 @@ static CALI_BPF_INLINE int ipv6_addr_t_cmp(ipv6_addr_t *x, ipv6_addr_t *y)
 }
 
 #define ip_void(ip)	((ip).a == 0 && (ip).b == 0 && (ip).c == 0 && (ip).d == 0)
-#define ip_link_local(ip)	(bpf_htonl((ip).a) == 0xfe800000)
+#define ip_link_local(ip)	((bpf_htonl((ip).a) & (0xffc00000)) == 0xfe800000)
 #define VOID_IP		({ipv6_addr_t x = {}; x;})
 #define ip_set_void(ip)	do {	\
 	(ip).a = 0;		\

diff --git a/felix/bpf-gpl/tc.c b/felix/bpf-gpl/tc.c
@@ -456,7 +456,7 @@ static CALI_BPF_INLINE void calico_tc_process_ct_lookup(struct cali_tc_ctx *ctx)
 
 	if (CALI_F_FROM_WEP
 #ifdef IPVER6
-			&& ctx->state->ip_proto != IPPROTO_ICMPV6
+			&& !(ctx->state->ip_proto == IPPROTO_ICMPV6 && ip_link_local(ctx->state->ip_src))
 #endif
 		) {
 		struct cali_rt *r = cali_rt_lookup(&ctx->state->ip_src);

diff --git a/felix/fv/bpf_dual_stack_test.go b/felix/fv/bpf_dual_stack_test.go
@@ -23,6 +23,7 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"regexp"
 	"strconv"
 
 	v1 "k8s.io/api/core/v1"
@@ -377,6 +378,30 @@ func describeBPFDualStackTests(ctlbEnabled, ipv6Dataplane bool) bool {
 					cc.Expect(Some, w[1][1], w[0][0], ExpectWithIPVersion(6))
 					cc.CheckConnectivity()
 				})
+
+				It("should be able to ping external client from w[0][0]", func() {
+					tc.TriggerDelayedStart()
+					externalClient := infrastructure.RunExtClient("ext-client")
+					_ = externalClient
+					ensureRightIFStateFlags(tc.Felixes[0], ifstate.FlgIPv4Ready|ifstate.FlgIPv6Ready)
+					ensureRightIFStateFlags(tc.Felixes[1], ifstate.FlgIPv4Ready|ifstate.FlgIPv6Ready)
+
+					tcpdump := externalClient.AttachTCPDump("any")
+					tcpdump.SetLogEnabled(true)
+					matcher := fmt.Sprintf("IP6 %s > %s: ICMP6, echo request",
+						felixIP6(0), externalClient.IPv6)
+
+					tcpdump.AddMatcher("ICMP", regexp.MustCompile(matcher))
+					tcpdump.Start()
+					defer tcpdump.Stop()
+
+					_, err := w[0][0].ExecCombinedOutput("ping6", "-c", "2", externalClient.IPv6)
+					Expect(err).NotTo(HaveOccurred())
+					Eventually(func() int { return tcpdump.MatchCount("ICMP") }).
+						Should(BeNumerically(">", 0), matcher)
+					externalClient.Stop()
+
+				})
 			}
 		} else {
 			JustBeforeEach(func() {