[BPF] Support for IPv4 fragmentation

Incoming IP fragments are stored in an LRU hash map. They can arrive out
of order. After each fragment, we check whether we have all fragments.
If any fragment is missing, we drop the skb as we cannot let it through.
Once we have all fragments, we use the current skb to assemble the whole
packet, we parse it again and we let it process by the rest of the
programs like if the packet arrived as a single chunk.

We need to defragment incoming packets because we would not be able to
pass then through policies that match on more than IP. Also we would not
be able to match them to connections in conntrack. In fact, the payload
of the fragments would be wrongly treated as L4 headers and
misinterpreted.

After a packet is reassebled, fragments are deleted. If for any reason
we never see all fragments, LRU will kick out the stored fragments
eventually.

There are some limitations:

* packet cannot have more than 10 fragments - 10 is arbitrary number
  greater than a reasonable number of fragments in modern networks (2)
  plus we fragment the packet internally into 1500 chunks in case the
  fragments were bigger than this - unlikely, but not impossible.
  However, there is no limit on fragmentation in any RFC except the
  smallest MTu of 576 bytes.
* we can store up to 10k fragments - 10k is again arbitrary. If there is
  a higher fragmentation rate than this, eBPF dataplane is probably not
  the right choice as performance would suffer and it is likely better
  to let generic Linux handle such cases.
* defragmentation is meant to handle corner cases and is not meant to be
  performant.

Author: tomastigera

felix/bpf-gpl/bpf.h

@@ -242,6 +242,7 @@ static CALI_BPF_INLINE __attribute__((noreturn)) void bpf_exit(int rc) {
 #define debug_ip(ip) (bpf_htonl((ip).d))
 #endif
 #define ip_is_dnf(ip) (true)
+#define ip_is_frag(ip) (false)
 
 #else
 
@@ -253,7 +254,7 @@ static CALI_BPF_INLINE __attribute__((noreturn)) void bpf_exit(int rc) {
 #endif
 
 #define ip_is_dnf(ip) ((ip)->frag_off & bpf_htons(0x4000))
-#define ip_frag_no(ip) ((ip)->frag_off & bpf_htons(0x1fff))
+#define ip_is_frag(ip) ((ip)->frag_off & bpf_htons(0x3fff))
 #endif
 
 #ifndef IP_FMT

felix/bpf-gpl/ip_v4_fragment.h

@@ -0,0 +1,203 @@
+// Project Calico BPF dataplane programs.
+// Copyright (c) 2020-2022 Tigera, Inc. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+
+#ifndef __CALI_IP_V4_FRAGMENT_H__
+#define __CALI_IP_V4_FRAGMENT_H__
+
+#include "ip_addr.h"
+
+struct frags4_key {
+	ipv4_addr_t src;
+	ipv4_addr_t dst;
+	__u16 id;
+	__u16 offset;
+};
+
+#define MAX_FRAG 1504 /* requires multiple of 8 */
+
+struct frags4_value {
+	__u16 more_frags:1;
+	__u16 len;
+	__u32 __pad;
+	char data[MAX_FRAG];
+};
+
+CALI_MAP(cali_v4_frags, 2, BPF_MAP_TYPE_LRU_HASH, struct frags4_key, struct frags4_value, 10000, 0)
+
+CALI_MAP(cali_v4_frgtmp, 2,
+		BPF_MAP_TYPE_PERCPU_ARRAY,
+		__u32, struct frags4_value,
+		1, 0)
+
+static CALI_BPF_INLINE struct frags4_value *frags4_get_scratch()
+{
+	__u32 key = 0;
+	return cali_v4_frgtmp_lookup_elem(&key);
+}
+
+static CALI_BPF_INLINE bool frags4_try_assemble(struct cali_tc_ctx *ctx)
+{
+	struct frags4_key k = {
+		.src = ip_hdr(ctx)->saddr,
+		.dst = ip_hdr(ctx)->daddr,
+		.id = ip_hdr(ctx)->id,
+	};
+
+	int i, tot_len = 0;
+
+	for (i = 0; i < 10; i++) {
+		struct frags4_value *v = cali_v4_frags_lookup_elem(&k);
+
+		if (!v) {
+			CALI_DEBUG("Missing IP fragment at offset %d", k.offset);
+			goto out;
+		}
+
+		tot_len += v->len;
+
+		if(!v->more_frags) {
+			goto assemble;
+		}
+
+		k.offset += v->len;
+	}
+
+	goto out;
+
+assemble:
+	CALI_DEBUG("IP FRAG: Found all fragments!");
+
+	int off = skb_l4hdr_offset(ctx);
+	int err = bpf_skb_change_tail(ctx->skb, off + tot_len,  0);
+	if (err) {
+		CALI_DEBUG("IP FRAG: bpf_skb_change_tail (len=%d) failed (err=%d)", tot_len, err);
+		goto out;
+	}
+
+	k.offset = 0;
+
+	for (i = 0; i < 10; i++) {
+		struct frags4_value *v = cali_v4_frags_lookup_elem(&k);
+
+		if (!v) {
+			CALI_DEBUG("IP FRAG: Missing IP fragment at offset %d", k.offset);
+			goto out;
+		}
+
+		__u16 len = v->len;
+		if (len == 0 || len > MAX_FRAG) {
+			goto out;
+		}
+		CALI_DEBUG("IP FRAG: copy %d bytes to %d", len, off);
+		if (bpf_skb_store_bytes(ctx->skb, off, v->data, len, 0)) {
+			CALI_DEBUG("IP FRAG: Failed to copy bytes");
+			goto out;
+		}
+
+		bool last = !v->more_frags;
+		cali_v4_frags_delete_elem(&k);
+
+		if(last) {
+			break;
+		}
+
+		k.offset += v->len;
+		off += v->len;
+	}
+
+	if (parse_packet_ip(ctx) != PARSING_OK) {
+		goto out;
+	}
+
+	/* recalculate IP csum of the restored IP header */
+	ip_hdr(ctx)->check = 0;
+	ip_hdr(ctx)->frag_off = 0;
+	ip_hdr(ctx)->tot_len =  bpf_htons(ip_hdr(ctx)->ihl*4 + tot_len);
+
+	__wsum ip_csum = bpf_csum_diff(0, 0, (__u32 *)ctx->ip_header, sizeof(struct iphdr), 0);
+	int ret = bpf_l3_csum_replace(ctx->skb, skb_iphdr_offset(ctx) + offsetof(struct iphdr, check), 0, ip_csum, 0);
+	if (ret) {
+		CALI_DEBUG("IP FRAG: set L3 csum failed");
+		goto out;
+	}
+
+	/* No need to recalculate L4 csum as the concatenated data should be intact. In
+	 * case of TCP/UDP, the pseudo IP header used to calculate the checksum does not
+	 * change src/dst IP, protocol and UDP/TCP length stay the same.
+	 */
+
+	if (parse_packet_ip(ctx) != PARSING_OK) {
+		goto out;
+	}
+
+	return true;
+out:
+	return false;
+}
+
+static CALI_BPF_INLINE bool frags4_handle(struct cali_tc_ctx *ctx)
+{
+	struct frags4_value *v = frags4_get_scratch();
+
+	if (!v) {
+		goto out;
+	}
+
+	struct frags4_key k = {
+		.src = ip_hdr(ctx)->saddr,
+		.dst = ip_hdr(ctx)->daddr,
+		.id = ip_hdr(ctx)->id,
+		.offset = 8 * bpf_ntohs(ip_hdr(ctx)->frag_off) & 0x1fff,
+
+	};
+
+	int i;
+	int r_off = skb_l4hdr_offset(ctx);
+	bool more_frags = bpf_ntohs(ip_hdr(ctx)->frag_off) & 0x2000;
+
+	for (i = 0; i < 10; i++) {
+		int sz = MAX_FRAG;
+		if (r_off + sz >= ctx->skb->len) {
+			sz = ctx->skb->len - r_off;
+		}
+		if (sz > MAX_FRAG) {
+			sz = MAX_FRAG;
+		}
+		if (sz <= 0) {
+			goto out;
+		}
+
+		if (bpf_skb_load_bytes(ctx->skb, r_off, v->data, sz)) {
+			CALI_DEBUG("IP FRAG: failed to read data");
+			goto out;
+		}
+		v->len = (__u16)sz;
+		v->more_frags = more_frags || r_off + sz < ctx->skb->len;
+		CALI_DEBUG("IP FRAG: frg off %d", k.offset);
+		CALI_DEBUG("IP FRAG: frg size %d r_off %d", sz, r_off);
+
+		if (cali_v4_frags_update_elem(&k, v, 0)) {
+			CALI_DEBUG("IP FRAG: Failed to save IP fragment.");
+			goto out;
+		}
+
+		r_off += sz;
+		k.offset += sz;
+		if (r_off >= ctx->skb->len) {
+			break;
+		}
+	}
+
+	if (!frags4_try_assemble(ctx)) {
+		goto out;
+	}
+
+
+	return true;
+
+out:
+	return false;
+}
+
+#endif /* __CALI_IP_V4_FRAGMENT_H__ */

felix/bpf-gpl/tc.c

@@ -56,6 +56,10 @@
 #include "bpf_helpers.h"
 #include "rule_counters.h"
 
+#ifndef IPVER6
+#include "ip_v4_fragment.h"
+#endif
+
 #define HAS_HOST_CONFLICT_PROG CALI_F_TO_HEP
 
 /* calico_tc_main is the main function used in all of the tc programs.  It is specialised
@@ -197,11 +201,26 @@ int calico_tc_main(struct __sk_buff *skb)
 		ctx->fwd.res = TC_ACT_SHOT;
 		goto finalize;
 	}
+
+#ifndef IPVER6
+	if (CALI_F_TO_HOST && ip_is_frag(ip_hdr(ctx))) {
+		if (!frags4_handle(ctx)) {
+			goto deny;
+		}
+	}
+#endif
+
 	return pre_policy_processing(ctx);
 
 allow:
 finalize:
 	return forward_or_drop(ctx);
+
+#ifndef IPVER6
+deny:
+	ctx->fwd.res = TC_ACT_SHOT;
+	goto finalize;
+#endif
 }
 
 static CALI_BPF_INLINE int pre_policy_processing(struct cali_tc_ctx *ctx)
@@ -1674,7 +1693,7 @@ static CALI_BPF_INLINE struct fwd calico_tc_skb_accepted(struct cali_tc_ctx *ctx
 	state->icmp_type = ICMPV6_TIME_EXCEED;
 	state->icmp_code = ICMPV6_EXC_HOPLIMIT;
 #else
-	if (ip_frag_no(ip_hdr(ctx))) {
+	if (ip_is_frag(ip_hdr(ctx))) {
 		goto deny;
 	}
 	state->icmp_type = ICMP_TIME_EXCEEDED;

felix/bpf/ipfrags/map.go

@@ -0,0 +1,54 @@
+// Copyright (c) 2025 Tigera, Inc. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ipfrags
+
+import (
+	"github.com/projectcalico/calico/felix/bpf/maps"
+)
+
+func init() {
+	maps.SetSize(MapParams.VersionedName(), MapParams.MaxEntries)
+}
+
+var MapParams = maps.MapParameters{
+	Type:       "lru_hash",
+	KeySize:    KeySize,
+	ValueSize:  ValueSize,
+	MaxEntries: 10000, // max number of nodes that can forward nodeports to a single node
+	Name:       "cali_v4_frags",
+	Version:    2,
+}
+
+const (
+	KeySize   = 12
+	ValueSize = 2 + 2 + 4 + 1504
+)
+
+func Map() maps.Map {
+	return maps.NewPinnedMap(MapParams)
+}
+
+var MapParameters = maps.MapParameters{
+	Type:       "percpu_array",
+	KeySize:    4,
+	ValueSize:  ValueSize,
+	MaxEntries: 1,
+	Name:       "cali_v4_frgtmp",
+	Version:    2,
+}
+
+func MapTmp() maps.Map {
+	return maps.NewPinnedMap(MapParameters)
+}

felix/bpf/ut/bpf_prog_test.go

@@ -45,6 +45,7 @@ import (
 	"github.com/projectcalico/calico/felix/bpf/failsafes"
 	"github.com/projectcalico/calico/felix/bpf/hook"
 	"github.com/projectcalico/calico/felix/bpf/ifstate"
+	"github.com/projectcalico/calico/felix/bpf/ipfrags"
 	"github.com/projectcalico/calico/felix/bpf/ipsets"
 	"github.com/projectcalico/calico/felix/bpf/jump"
 	"github.com/projectcalico/calico/felix/bpf/libbpf"
@@ -576,12 +577,12 @@ func bpftool(args ...string) ([]byte, error) {
 var (
 	mapInitOnce sync.Once
 
-	natMap, natBEMap, ctMap, rtMap, ipsMap, testStateMap, affinityMap, arpMap, fsafeMap     maps.Map
-	natMapV6, natBEMapV6, ctMapV6, rtMapV6, ipsMapV6, affinityMapV6, arpMapV6, fsafeMapV6   maps.Map
-	stateMap, countersMap, ifstateMap, progMap, progMapXDP, policyJumpMap, policyJumpMapXDP maps.Map
-	perfMap                                                                                 maps.Map
-	profilingMap                                                                            maps.Map
-	allMaps                                                                                 []maps.Map
+	natMap, natBEMap, ctMap, rtMap, ipsMap, testStateMap, affinityMap, arpMap, fsafeMap, ipfragsMap maps.Map
+	natMapV6, natBEMapV6, ctMapV6, rtMapV6, ipsMapV6, affinityMapV6, arpMapV6, fsafeMapV6           maps.Map
+	stateMap, countersMap, ifstateMap, progMap, progMapXDP, policyJumpMap, policyJumpMapXDP         maps.Map
+	perfMap                                                                                         maps.Map
+	profilingMap, ipfragsMapTmp                                                                     maps.Map
+	allMaps                                                                                         []maps.Map
 )
 
 func initMapsOnce() {
@@ -605,6 +606,8 @@ func initMapsOnce() {
 		fsafeMap = failsafes.Map()
 		fsafeMapV6 = failsafes.MapV6()
 		countersMap = counters.Map()
+		ipfragsMap = ipfrags.Map()
+		ipfragsMapTmp = ipfrags.MapTmp()
 		ifstateMap = ifstate.Map()
 		policyJumpMap = jump.Map()
 		policyJumpMapXDP = jump.XDPMap()
@@ -614,7 +617,7 @@ func initMapsOnce() {
 
 		allMaps = []maps.Map{natMap, natBEMap, natMapV6, natBEMapV6, ctMap, ctMapV6, rtMap, rtMapV6, ipsMap, ipsMapV6,
 			stateMap, testStateMap, affinityMap, affinityMapV6, arpMap, arpMapV6, fsafeMap, fsafeMapV6,
-			countersMap, ifstateMap, profilingMap,
+			countersMap, ipfragsMap, ipfragsMapTmp, ifstateMap, profilingMap,
 			policyJumpMap, policyJumpMapXDP}
 		for _, m := range allMaps {
 			err := m.EnsureExists()
@@ -639,7 +642,7 @@ func cleanUpMaps() {
 	defer log.SetLevel(logLevel)
 
 	for _, m := range allMaps {
-		if m == stateMap || m == testStateMap || m == progMap || m == countersMap {
+		if m == stateMap || m == testStateMap || m == progMap || m == countersMap || m == ipfragsMapTmp {
 			continue // Can't clean up array maps
 		}
 		log.WithField("map", m.GetName()).Info("Cleaning")