loxilb-io/loxilb#877 Masquerading moved to separate tail call section

common/llb_dpapi.h

@@ -53,6 +53,7 @@
 #define LLB_SOCKID_MAP_SZ     (17*1024)
 #define LLB_MAX_HOSTURL_LEN   (256)
 
+#define LLB_DP_MASQ_PGM_ID     (7)
 #define LLB_DP_SUNP_PGM_ID2    (6)
 #define LLB_DP_CRC_PGM_ID2     (5)
 #define LLB_DP_CRC_PGM_ID1     (4)

kernel/llb_kern_devif.c

@@ -477,6 +477,10 @@ dp_ing_ct_main(void *ctx,  struct xfi *xf)
     goto res_end;
   }
 
+  if (xf->pm.phit & LLB_DP_NAT_HIT) {
+    goto ct_start;
+  }
+
   /* If ACL is hit, and packet arrives here 
    * it only means that we need CT processing.
    * In such a case, we skip nat lookup
@@ -492,7 +496,9 @@ dp_ing_ct_main(void *ctx,  struct xfi *xf)
       dp_record_it(ctx, xf);
     }
 
-    dp_do_nat(ctx, xf);
+    if (!(xf->pm.dp_mark & LLB_MARK_SNAT)) {
+      dp_do_nat(ctx, xf);
+    }
 
 #ifdef HAVE_DP_LBMODE_ONLY
     if ((xf->pm.phit & LLB_DP_NAT_HIT) == 0) {
@@ -505,15 +511,6 @@ dp_ing_ct_main(void *ctx,  struct xfi *xf)
     }
   }
 
-  LL_DBG_PRINTK("[CTRK] start");
-
-  val = dp_ct_in(ctx, xf);
-  if (val < 0) {
-    return DP_PASS;
-  }
-
-  xf->nm.ct_sts = LLB_PIPE_CT_INP;
-
   /* CT pipeline is hit after acl lookup fails 
    * So, after CT processing we continue the rest
    * of the stack. We could potentially make 
@@ -522,6 +519,24 @@ dp_ing_ct_main(void *ctx,  struct xfi *xf)
    * complexity for now 
    */
   dp_l3_fwd(ctx, xf, fa);
+
+  /* Perform masquerading if necessary */
+  if ((xf->pm.phit & LLB_DP_CTM_HIT) == 0) {
+    if (xf->pm.dp_mark & LLB_MARK_SNAT) {
+      bpf_tail_call(ctx, &pgm_tbl, LLB_DP_MASQ_PGM_ID);
+      return DP_PASS;
+    }
+  }
+
+ct_start:
+  /* Perform conntrack */
+  LL_DBG_PRINTK("[CTRK] start");
+  val = dp_ct_in(ctx, xf);
+  if (val < 0) {
+    return DP_PASS;
+  }
+  xf->nm.ct_sts = LLB_PIPE_CT_INP;
+
   dp_eg_l2(ctx, xf, fa);
 
 res_end:

kernel/llb_kern_entry.c

@@ -189,7 +189,7 @@ int tc_packet_func_slow(struct __sk_buff *md)
 }
 
 SEC("tc_packet_hook3")
-int tc_packet_func_fw(struct __sk_buff *md)
+int tc_packet_func_fw(struct __sk_buff *ctx)
 {
   int val = 0;
   struct xfi *xf;
@@ -199,7 +199,7 @@ int tc_packet_func_fw(struct __sk_buff *md)
     return DP_DROP;
   }
 
-  return dp_do_fw_main(md, xf);
+  return dp_do_fw_main(ctx, xf);
 }
 
 SEC("tc_packet_hook4")
@@ -259,4 +259,25 @@ int tc_slow_unp_func(struct __sk_buff *md)
   return val;
 }
 
+SEC("tc_packet_hook7")
+int tc_packet_func_masq(struct __sk_buff *ctx)
+{
+  int val = 0;
+  struct xfi *xf;
+
+  xf = bpf_map_lookup_elem(&xfis, &val);
+  if (!xf) {
+    return DP_DROP;
+  }
+
+  if (xf->pm.dp_mark & LLB_MARK_SNAT) {
+    /* Do masquerade */
+    dp_do_nat(ctx, xf);
+    RETURN_TO_MP();
+    /* Not reached */
+    return DP_DROP;
+  }
+  return DP_DROP;
+}
+
 #endif

kernel/llb_kern_fw.c

@@ -42,8 +42,8 @@ dp_do_fw4_main(void *ctx, struct xfi *xf)
   LL_DBG_PRINTK("[FW4] -- Lookup\n");
   LL_DBG_PRINTK("[FW4] key-sz %d\n", sizeof(key));
   LL_DBG_PRINTK("[FW4] port %x\n", key.inport);
-  LL_DBG_PRINTK("[FW4] daddr %x\n", key.dest);
-  LL_DBG_PRINTK("[FW4] saddr %d\n", key.source);
+  LL_DBG_PRINTK("[FW4] daddr 0x%x", key.dest);
+  LL_DBG_PRINTK("[FW4] saddr 0x%x", key.source);
   LL_DBG_PRINTK("[FW4] sport %d\n", key.sport);
   LL_DBG_PRINTK("[FW4] dport %d\n", key.dport);
   LL_DBG_PRINTK("[FW4] l4proto %d\n", key.protocol);
@@ -123,14 +123,6 @@ dp_do_fw4_main(void *ctx, struct xfi *xf)
   dp_do_map_stats(ctx, xf, LL_DP_FW4_STATS_MAP, act->ca.cidx);
   xf->pm.fw_rid = act->ca.cidx;
 
-  if (xf->pm.dp_mark & LLB_MARK_SNAT_EGR) {
-    if (xf->pm.dflrt) {
-      xf->pm.dp_mark = LLB_MARK_SNAT;
-    } else {
-      xf->pm.dp_mark = 0;
-    }
-  }
-
   RETURN_TO_MP();
   xf->pm.rcode |= LLB_PIPE_RC_TCALL_ERR;
   return DP_DROP;

kernel/llb_kern_l3fwd.c

@@ -134,7 +134,14 @@ dp_do_rtops(void *ctx, struct xfi *xf, void *fa_, struct dp_rt_tact *act)
     }
     if (act->ca.act_type == DP_SET_RT_NHNUM_DFLT) {
       xf->pm.dflrt = 1;
+      if (xf->pm.dp_mark & LLB_MARK_SNAT_EGR) {
+        xf->pm.dp_mark |= LLB_MARK_SNAT;
+        xf->pm.dp_mark &= ~LLB_MARK_SNAT_EGR;
+      } else {
+        xf->pm.dp_mark = 0;
+      }
     }
+
     return dp_do_rt_fwdops(ctx, xf);
   } /*else if (act->ca.act_type == DP_SET_L3RT_TUN_NH) {
 #ifdef HAVE_DP_EXTFC

kernel/llb_kern_natlbfwd.c

@@ -192,6 +192,8 @@ dp_do_nat(void *ctx, struct xfi *xf)
     xf->nm.pmhh[1] = act->pmhh[1];
     xf->nm.pmhh[2] = act->pmhh[2];  // LLB_MAX_MHOSTS
 
+    xf->pm.dp_mark &= ~LLB_MARK_SNAT_EGR;
+
     /* FIXME - Do not select inactive end-points 
      * Need multi-passes for selection
      */