bpf: l3: remove unused code in local-delivery

Leftover for loopback, but we no longer need to bypass the ingress policy path. All callers are setting hairpin_flow == false. Signed-off-by: Julian Wiedmann <[email protected]>
cilium · May 11, 2024 · 5ecbae1 · 5ecbae1
1 parent 6669d4d
commit 5ecbae1
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 20 deletions.
diff --git a/bpf/bpf_host.c b/bpf/bpf_host.c
@@ -766,8 +766,7 @@ handle_ipv4_cont(struct __ctx_buff *ctx, __u32 secctx, const bool from_host,
 #endif
 
  return ipv4_local_delivery(ctx, l3_off, secctx, magic, ip4, ep,
- METRIC_INGRESS, from_host, false,
- false, 0);
+ METRIC_INGRESS, from_host, false, 0);
  }
 
  /* Below remainder is only relevant when traffic is pushed via cilium_host.

diff --git a/bpf/bpf_lxc.c b/bpf/bpf_lxc.c
@@ -1128,7 +1128,7 @@ static __always_inline int handle_ipv4_from_lxc(struct __ctx_buff *ctx, __u32 *d
  return ipv4_local_delivery(ctx, ETH_HLEN, SECLABEL_IPV4,
  MARK_MAGIC_IDENTITY, ip4,
  ep, METRIC_EGRESS, from_l7lb,
- false, false, 0);
+ false, 0);
  }
  }
 

diff --git a/bpf/bpf_overlay.c b/bpf/bpf_overlay.c
@@ -251,7 +251,7 @@ static __always_inline int handle_inter_cluster_revsnat(struct __ctx_buff *ctx,
 
  return ipv4_local_delivery(ctx, ETH_HLEN, src_sec_identity,
  MARK_MAGIC_IDENTITY, ip4, ep,
- METRIC_INGRESS, false, false, true,
+ METRIC_INGRESS, false, true,
  cluster_id);
  }
 
@@ -443,8 +443,7 @@ static __always_inline int handle_ipv4(struct __ctx_buff *ctx,
  ep = lookup_ip4_endpoint(ip4);
  if (ep && !(ep->flags & ENDPOINT_F_HOST))
  return ipv4_local_delivery(ctx, ETH_HLEN, *identity, MARK_MAGIC_IDENTITY,
- ip4, ep, METRIC_INGRESS, false, false, true,
- 0);
+ ip4, ep, METRIC_INGRESS, false, true, 0);
 
  ret = overlay_ingress_policy_hook(ctx, ip4, *identity, ext_err);
  if (ret != CTX_ACT_OK)

diff --git a/bpf/lib/l3.h b/bpf/lib/l3.h
@@ -75,7 +75,7 @@ l3_local_delivery(struct __ctx_buff *ctx, __u32 seclabel,
  __u32 magic __maybe_unused,
  const struct endpoint_info *ep __maybe_unused,
  __u8 direction __maybe_unused,
- bool from_host __maybe_unused, bool hairpin_flow __maybe_unused,
+ bool from_host __maybe_unused,
  bool from_tunnel __maybe_unused, __u32 cluster_id __maybe_unused)
 {
 #ifdef LOCAL_DELIVERY_METRICS
@@ -107,15 +107,6 @@ l3_local_delivery(struct __ctx_buff *ctx, __u32 seclabel,
 
  return redirect_ep(ctx, ep->ifindex, from_host, from_tunnel);
 #else
-# ifndef DISABLE_LOOPBACK_LB
- /* Skip ingress policy enforcement for hairpin traffic. As the hairpin
- * traffic is destined to a local pod (more specifically, the same pod
- * the traffic originated from) we skip the tail call for ingress policy
- * enforcement, and directly redirect it to the endpoint.
- */
- if (unlikely(hairpin_flow))
- return redirect_ep(ctx, ep->ifindex, from_host, from_tunnel);
-# endif /* DISABLE_LOOPBACK_LB */
 
  /* Jumps to destination pod's BPF program to enforce ingress policies. */
  ctx_store_meta(ctx, CB_SRC_LABEL, seclabel);
@@ -151,7 +142,7 @@ static __always_inline int ipv6_local_delivery(struct __ctx_buff *ctx, int l3_of
  return ret;
 
  return l3_local_delivery(ctx, seclabel, magic, ep, direction, from_host,
- false, from_tunnel, 0);
+ from_tunnel, 0);
 }
 #endif /* ENABLE_IPV6 */
 
@@ -165,8 +156,7 @@ static __always_inline int ipv4_local_delivery(struct __ctx_buff *ctx, int l3_of
  struct iphdr *ip4,
  const struct endpoint_info *ep,
  __u8 direction, bool from_host,
- bool hairpin_flow, bool from_tunnel,
- __u32 cluster_id)
+ bool from_tunnel, __u32 cluster_id)
 {
  mac_t router_mac = ep->node_mac;
  mac_t lxc_mac = ep->mac;
@@ -179,7 +169,7 @@ static __always_inline int ipv4_local_delivery(struct __ctx_buff *ctx, int l3_of
  return ret;
 
  return l3_local_delivery(ctx, seclabel, magic, ep, direction, from_host,
- hairpin_flow, from_tunnel, cluster_id);
+ from_tunnel, cluster_id);
 }
 #endif /* SKIP_POLICY_MAP */