[BPF] add counters for dropped fragments

tomastigera · tomastigera · commit 4ee845a4ef0b · 2025-05-23T09:27:58.000-07:00
diff --git a/felix/bpf-gpl/counters.h b/felix/bpf-gpl/counters.h
@@ -7,7 +7,7 @@
 
 #include "bpf.h"
 
-#define MAX_COUNTERS_SIZE 17
+#define MAX_COUNTERS_SIZE 19
 
 typedef __u64 counters_t[MAX_COUNTERS_SIZE];
 
@@ -25,6 +25,10 @@ CALI_MAP(cali_counters, 3,
 		struct counters_key, counters_t, 20000,
 		0)
 
+CALI_MAP(cali_counters_scratch, 2,
+		BPF_MAP_TYPE_PERCPU_ARRAY,
+		__u32, counters_t, 1, 0)
+
 static CALI_BPF_INLINE counters_t *counters_get(int ifindex)
 {
 	struct counters_key key = {
@@ -49,7 +53,12 @@ static CALI_BPF_INLINE counters_t *counters_get(int ifindex)
 		/* If there was no entry created yet, create it. It is a hash
 		 * map so any entry must be created first!
 		 */
-		counters_t ctrs = {};
+		int scratch_zero = 0;
+		counters_t *ctrs = cali_counters_scratch_lookup_elem(&scratch_zero);
+		if (!ctrs) {
+			return NULL;
+		}
+
 		if (cali_counters_update_elem(&key, ctrs, BPF_ANY)) {
 			return NULL;
 		}
diff --git a/felix/bpf-gpl/reasons.h b/felix/bpf-gpl/reasons.h
@@ -26,7 +26,10 @@ enum calico_reason {
 	CALI_REASON_SOURCE_COLLISION,
 	CALI_REASON_SOURCE_COLLISION_FAILED,
 	CALI_REASON_CT_CREATE_FAILED,
-	CALI_REASON_ACCEPTED_BY_XDP, // Not used by counters map
+	CALI_REASON_FRAG_WAIT,
+	CALI_REASON_FRAG_REORDER,
+	// Not used by counters map
+	CALI_REASON_ACCEPTED_BY_XDP,
 	CALI_REASON_WEP_NOT_READY,
 	CALI_REASON_NATIFACE,
 };
diff --git a/felix/bpf-gpl/tc.c b/felix/bpf-gpl/tc.c
@@ -205,6 +205,7 @@ int calico_tc_main(struct __sk_buff *skb)
 #ifndef IPVER6
 	if (CALI_F_TO_HOST && ip_is_frag(ip_hdr(ctx))) {
 		if (!frags4_handle(ctx)) {
+			deny_reason(ctx, CALI_REASON_FRAG_WAIT);
 			goto deny;
 		}
 		/* force it through stack to trigger any further necessary fragmentation */
@@ -280,6 +281,9 @@ static CALI_BPF_INLINE int pre_policy_processing(struct cali_tc_ctx *ctx)
 			}
 			goto allow;
 		}
+
+		deny_reason(ctx, CALI_REASON_FRAG_REORDER);
+		goto deny;
 	}
 #endif
 
diff --git a/felix/bpf/counters/counters.go b/felix/bpf/counters/counters.go
@@ -27,7 +27,7 @@ import (
 )
 
 const (
-	MaxCounterNumber    int = 17
+	MaxCounterNumber    int = 19
 	counterMapKeySize   int = 8
 	counterMapValueSize int = 8
 )
@@ -76,6 +76,8 @@ const (
 	SourceCollisionHit
 	SourceCollisionResolutionFailed
 	ConntrackCreateFailed
+	DroppedFragWait
+	DroppedFragReorder
 )
 
 type Description struct {
@@ -170,6 +172,14 @@ var descriptions DescList = DescList{
 		Counter:  SourceCollisionResolutionFailed,
 		Category: "Dropped", Caption: "NAT source collision resolution failed",
 	},
+	{
+		Counter:  DroppedFragWait,
+		Category: "Dropped", Caption: "fragment of yet incomplete packet",
+	},
+	{
+		Counter:  DroppedFragReorder,
+		Category: "Dropped", Caption: "fragment out of order within host",
+	},
 }
 
 func Descriptions() DescList {

Original file line number	Diff line number	Diff line change
`@@ -205,6 +205,7 @@ int calico_tc_main(struct __sk_buff *skb)`
`205`	`205`	`#ifndef IPVER6`
`206`	`206`	`if (CALI_F_TO_HOST && ip_is_frag(ip_hdr(ctx))) {`
`207`	`207`	`if (!frags4_handle(ctx)) {`
	`208`	`+ deny_reason(ctx, CALI_REASON_FRAG_WAIT);`
`208`	`209`	`goto deny;`
`209`	`210`	`}`
`210`	`211`	`/* force it through stack to trigger any further necessary fragmentation */`
`@@ -280,6 +281,9 @@ static CALI_BPF_INLINE int pre_policy_processing(struct cali_tc_ctx *ctx)`
`280`	`281`	`}`
`281`	`282`	`goto allow;`
`282`	`283`	`}`
	`284`	`+`
	`285`	`+ deny_reason(ctx, CALI_REASON_FRAG_REORDER);`
	`286`	`+ goto deny;`
`283`	`287`	`}`
`284`	`288`	`#endif`
`285`	`289`