[BPF] move IP defrag to its own program

tomastigera · tomastigera · commit ee7f6f89230d · 2025-05-23T09:28:26.000-07:00
diff --git a/felix/bpf-gpl/jump.h b/felix/bpf-gpl/jump.h
@@ -68,6 +68,7 @@ enum cali_jump_index {
 	PROG_INDEX_HOST_CT_CONFLICT,
 	PROG_INDEX_ICMP_INNER_NAT,
 	PROG_INDEX_NEW_FLOW,
+	PROG_INDEX_IP_FRAG,
 
 	PROG_INDEX_MAIN_DEBUG,
 	PROG_INDEX_POLICY_DEBUG,
@@ -77,6 +78,7 @@ enum cali_jump_index {
 	PROG_INDEX_HOST_CT_CONFLICT_DEBUG,
 	PROG_INDEX_ICMP_INNER_NAT_DEBUG,
 	PROG_INDEX_NEW_FLOW_DEBUG,
+	PROG_INDEX_IP_FRAG_DEBUG,
 };
 
 #if CALI_F_XDP
diff --git a/felix/bpf-gpl/tc.c b/felix/bpf-gpl/tc.c
@@ -204,12 +204,8 @@ int calico_tc_main(struct __sk_buff *skb)
 
 #ifndef IPVER6
 	if (CALI_F_TO_HOST && ip_is_frag(ip_hdr(ctx))) {
-		if (!frags4_handle(ctx)) {
-			deny_reason(ctx, CALI_REASON_FRAG_WAIT);
-			goto deny;
-		}
-		/* force it through stack to trigger any further necessary fragmentation */
-		ctx->state->flags |= CALI_ST_SKIP_REDIR_ONCE;
+		CALI_JUMP_TO(ctx, PROG_INDEX_IP_FRAG);
+		goto deny;
 	}
 #endif
 
@@ -2077,3 +2073,47 @@ int calico_tc_skb_drop(struct __sk_buff *skb)
 	CALI_DEBUG("DENY due to policy");
 	return TC_ACT_SHOT;
 }
+
+#ifndef IPVER6
+SEC("tc")
+int calico_tc_skb_ipv4_frag(struct __sk_buff *skb)
+{
+	/* Initialise the context, which is stored on the stack, and the state, which
+	 * we use to pass data from one program to the next via tail calls. */
+	DECLARE_TC_CTX(_ctx,
+		.skb = skb,
+		.fwd = {
+			.res = TC_ACT_UNSPEC,
+			.reason = CALI_REASON_UNKNOWN,
+		},
+	);
+	struct cali_tc_ctx *ctx = &_ctx;
+
+	CALI_DEBUG("Entering calico_tc_skb_ipv4_frag");
+	CALI_DEBUG("iphdr_offset %d ihl %d", skb_iphdr_offset(ctx), ctx->ipheader_len);
+
+	if (skb_refresh_validate_ptrs(ctx, UDP_SIZE)) {
+		deny_reason(ctx, CALI_REASON_SHORT);
+		CALI_DEBUG("Too short");
+		goto deny;
+	}
+
+	tc_state_fill_from_iphdr_v4(ctx);
+
+	if (!frags4_handle(ctx)) {
+		deny_reason(ctx, CALI_REASON_FRAG_WAIT);
+		goto deny;
+	}
+	/* force it through stack to trigger any further necessary fragmentation */
+	ctx->state->flags |= CALI_ST_SKIP_REDIR_ONCE;
+
+	return pre_policy_processing(ctx);
+
+finalize:
+	return forward_or_drop(ctx);
+
+deny:
+	ctx->fwd.res = TC_ACT_SHOT;
+	goto finalize;
+}
+#endif /* !IPVER6 */
diff --git a/felix/bpf/hook/load.go b/felix/bpf/hook/load.go
@@ -89,6 +89,19 @@ func (at AttachType) hasHostConflictProg() bool {
 	return at.Hook == Egress
 }
 
+func (at AttachType) hasIPDefrag() bool {
+	if at.Family != 4 {
+		return false
+	}
+
+	switch at.Type {
+	case tcdefs.EpTypeLO, tcdefs.EpTypeNAT:
+		return false
+	}
+
+	return at.Hook == Ingress
+}
+
 type DefPolicy int
 
 const (
diff --git a/felix/bpf/hook/map.go b/felix/bpf/hook/map.go
@@ -40,6 +40,7 @@ const (
 	SubProgTCHostCtConflict
 	SubProgIcmpInnerNat
 	SubProgNewFlow
+	SubProgIPFrag
 	SubProgTCMainDebug
 
 	SubProgXDPMain    = SubProgTCMain
@@ -57,6 +58,7 @@ var tcSubProgNames = []string{
 	"calico_tc_host_ct_conflict",
 	"calico_tc_skb_icmp_inner_nat",
 	"calico_tc_skb_new_flow_entrypoint",
+	"calico_tc_skb_ipv4_frag",
 }
 
 var xdpSubProgNames = []string{
@@ -206,6 +208,10 @@ func (pm *ProgramsMap) newLayout(at AttachType, obj *libbpf.Obj) (Layout, error)
 			continue
 		}
 
+		if SubProg(idx) == SubProgIPFrag && !at.hasIPDefrag() {
+			continue
+		}
+
 		err := obj.UpdateJumpMap(mapName, subprog, pm.nextIdx)
 		if err != nil {
 			return nil, fmt.Errorf("error updating programs map with %s/%s at %d: %w",
diff --git a/felix/bpf/tc/defs/defs.go b/felix/bpf/tc/defs/defs.go
@@ -55,6 +55,7 @@ const (
 	ProgIndexHostCtConflict
 	ProgIndexIcmpInnerNat
 	ProgIndexNewFlow
+	ProgIndexIPFrag
 	ProgIndexMainDebug
 	ProgIndexPolicyDebug
 	ProgIndexAllowedDebug
@@ -63,6 +64,7 @@ const (
 	ProgIndexHostCtConflictDebug
 	ProgIndexIcmpInnerNatDebug
 	ProgIndexNewFlowDebug
+	ProgIndexIPFragDebug
 	ProgIndexEndDebug
 	ProgIndexEnd
 
@@ -86,6 +88,7 @@ var ProgramNames = []string{
 	"calico_tc_host_ct_conflict",
 	"calico_tc_skb_icmp_inner_nat",
 	"calico_tc_skb_new_flow_entrypoint",
+	"calico_tc_skb_ipv4_frag",
 	/* ipv4 - debug */
 	"calico_tc_main",
 	"calico_tc_norm_pol_tail",
@@ -95,6 +98,7 @@ var ProgramNames = []string{
 	"calico_tc_host_ct_conflict",
 	"calico_tc_skb_icmp_inner_nat",
 	"calico_tc_skb_new_flow_entrypoint",
+	"calico_tc_skb_ipv4_frag",
 	/* ipv6 */
 	"calico_tc_main",
 	"calico_tc_norm_pol_tail",
@@ -104,6 +108,7 @@ var ProgramNames = []string{
 	"calico_tc_host_ct_conflict",
 	"calico_tc_skb_icmp_inner_nat",
 	"calico_tc_skb_new_flow_entrypoint",
+	"",
 	/* ipv6 - debug */
 	"calico_tc_main",
 	"calico_tc_norm_pol_tail",
@@ -113,6 +118,7 @@ var ProgramNames = []string{
 	"calico_tc_host_ct_conflict",
 	"calico_tc_skb_icmp_inner_nat",
 	"calico_tc_skb_new_flow_entrypoint",
+	"",
 }
 
 type ToOrFromEp string
diff --git a/felix/bpf/ut/bpf_prog_test.go b/felix/bpf/ut/bpf_prog_test.go
@@ -212,6 +212,7 @@ var tcJumpMapIndexes = map[string][]int{
 		tcdefs.ProgIndexHostCtConflict,
 		tcdefs.ProgIndexIcmpInnerNat,
 		tcdefs.ProgIndexNewFlow,
+		tcdefs.ProgIndexIPFrag,
 	},
 	"IPv4 debug": []int{
 		tcdefs.ProgIndexMainDebug,
@@ -222,6 +223,7 @@ var tcJumpMapIndexes = map[string][]int{
 		tcdefs.ProgIndexHostCtConflictDebug,
 		tcdefs.ProgIndexIcmpInnerNatDebug,
 		tcdefs.ProgIndexNewFlowDebug,
+		tcdefs.ProgIndexIPFragDebug,
 	},
 	"IPv6": []int{
 		tcdefs.ProgIndexMain,
