[BPF] handle fragmentation over vxlan

Forwarding would create fragmented VXLAN packet. First let it be
fragmented and then route it into vxlan. Easier to handle.

Author: tomastigera

felix/bpf-gpl/fib_co_re.h

@@ -37,6 +37,10 @@ static CALI_BPF_INLINE int forward_or_drop(struct cali_tc_ctx *ctx)
 		goto deny;
 	}
 
+	if (ctx->state->flags & CALI_ST_SKIP_REDIR_ONCE) {
+		goto skip_fib;
+	}
+
 	if (rc == CALI_RES_REDIR_BACK) {
 		int redir_flags = 0;
 		if  (CALI_F_FROM_HOST) {
@@ -174,7 +178,9 @@ static CALI_BPF_INLINE int forward_or_drop(struct cali_tc_ctx *ctx)
 			}
 		}
 	} else if (CALI_F_VXLAN && CALI_F_TO_HEP) {
-		if (!(ctx->skb->mark & CALI_SKB_MARK_SEEN) || (ctx->fwd.mark & CALI_SKB_MARK_FROM_NAT_IFACE_OUT)) {
+		if (!(ctx->skb->mark & CALI_SKB_MARK_SEEN) ||
+			ctx->state->flags & CALI_ST_IS_FRAG || /* frags go through host and don't have key set yet */
+			(ctx->fwd.mark & CALI_SKB_MARK_FROM_NAT_IFACE_OUT) == CALI_SKB_MARK_FROM_NAT_IFACE_OUT) {
 			/* packet to vxlan from the host, needs to set tunnel key. Either
 			 * it wasn't seen or it was routed via the bpfnat device because
 			 * its destination was a service and CTLB is disabled

felix/bpf-gpl/tc.c

@@ -207,6 +207,8 @@ int calico_tc_main(struct __sk_buff *skb)
 		if (!frags4_handle(ctx)) {
 			goto deny;
 		}
+		/* force it through stack to trigger any further necessary fragmentation */
+		ctx->state->flags |= CALI_ST_SKIP_REDIR_ONCE;
 	}
 #endif
 
@@ -276,6 +278,7 @@ static CALI_BPF_INLINE int pre_policy_processing(struct cali_tc_ctx *ctx)
 			if (ip_is_last_frag(ip_hdr(ctx))) {
 				frags4_remove_ct(ctx);
 			}
+			ctx->state->flags |= CALI_ST_IS_FRAG;
 			goto allow;
 		}
 	}
@@ -1292,6 +1295,7 @@ int calico_tc_skb_accepted_entrypoint(struct __sk_buff *skb)
 #ifndef IPVER6
 	if (CALI_F_FROM_HOST && ip_is_first_frag(ip_hdr(ctx))) {
 		frags4_record_ct(ctx);
+		ctx->state->flags |= CALI_ST_IS_FRAG;
 	}
 #endif
 
@@ -1376,7 +1380,7 @@ int calico_tc_skb_new_flow_entrypoint(struct __sk_buff *skb)
 	if (CALI_F_TO_HOST && state->flags & CALI_ST_SKIP_FIB) {
 		ct_ctx_nat->flags |= CALI_CT_FLAG_SKIP_FIB;
 	}
-	if (CALI_F_FROM_HEP && state->flags & CALI_ST_SKIP_REDIR_PEER) {
+	if (state->flags & CALI_ST_SKIP_REDIR_PEER) {
 		ct_ctx_nat->flags |= CALI_CT_FLAG_SKIP_REDIR_PEER;
 	}
 	if (CALI_F_TO_WEP) {

felix/bpf-gpl/types.h

@@ -156,6 +156,10 @@ enum cali_state_flags {
 	CALI_ST_LOG_PACKET        = 0x400,
 	/* CALI_ST_SKIP_REDIR_PEER is set when the packet is destined to a local VM workload */
 	CALI_ST_SKIP_REDIR_PEER	  = 0x800,
+	/* CALI_ST_SKIP_REDIR_ONCE skips redirection once for this particular packet */
+	CALI_ST_SKIP_REDIR_ONCE   = 0x1000,
+	/* CALI_ST_IS_FRAG marks a packet fragment */
+	CALI_ST_IS_FRAG           = 0x2000,
 };
 
 struct fwd {

felix/fv/bpf_test.go

@@ -440,7 +440,7 @@ func describeBPFTests(opts ...bpfTestOpt) bool {
 				options.ExtraEnvVars["FELIX_HEALTHHOST"] = "::"
 			}
 
-			if testOpts.protocol == "tcp" {
+			if false && testOpts.protocol == "tcp" {
 				filters := map[string]string{"all": "tcp"}
 				tcpResetTimeout := api.BPFConntrackTimeout("5s")
 				felixConfig := api.NewFelixConfiguration()
@@ -1737,9 +1737,18 @@ func describeBPFTests(opts ...bpfTestOpt) bool {
 					cc.CheckConnectivity(conntrackChecks(tc.Felixes)...)
 				})
 
-				_ = testOpts.protocol == "udp" && !testOpts.ipv6 && !testOpts.dsr && testOpts.tunnel == "none" &&
+				_ = !testOpts.ipv6 && !testOpts.dsr &&
 					It("should handle fragmented UDP", func() {
-						tcpdump1 := tc.Felixes[1].AttachTCPDump("eth0")
+						dev := "eth0"
+						switch testOpts.tunnel {
+						case "vxlan":
+							dev = "vxlan.calico"
+						case "ipip":
+							dev = "tunl0"
+						case "wireguard":
+							dev = "wireguard.cali"
+						}
+						tcpdump1 := tc.Felixes[1].AttachTCPDump(dev)
 						tcpdump1.SetLogEnabled(true)
 						tcpdump1.AddMatcher("udp-frags", regexp.MustCompile(
 							fmt.Sprintf("%s.* > %s.*", w[1][0].IP, w[0][0].IP)))