Merge pull request #8943 from tomastigera/tomas-bpf-fv-test-fix

[BPF] fix rendering ipv6 iptables rules

Author: tomastigera

felix/dataplane/linux/int_dataplane.go

@@ -1512,7 +1512,9 @@ func (d *InternalDataplane) setUpIptablesBPF() {
 				// only go to the host. Make sure that they are not forwarded.
 				fwdRules = append(fwdRules, rules.ICMPv6Filter(d.ruleRenderer.IptablesFilterDenyAction())...)
 			}
-		} else {
+		}
+
+		if t.IPVersion == 4 || d.config.BPFIpv6Enabled {
 			// Let the BPF programs know if Linux conntrack knows about the flow.
 			fwdRules = append(fwdRules, bpfMarkPreestablishedFlowsRules()...)
 			// The packet may be about to go to a local workload.  However, the local workload may not have a BPF

felix/fv/bpf_test.go

@@ -462,6 +462,7 @@ func describeBPFTests(opts ...bpfTestOpt) bool {
 					felix.Exec("conntrack", "-L")
 					felix.Exec("calico-bpf", "policy", "dump", "cali8d1e69e5f89", "all", "--asm")
 					if testOpts.ipv6 {
+						felix.Exec("conntrack", "-L", "-f", "ipv6")
 						felix.Exec("ip6tables-save", "-c")
 						felix.Exec("ip", "-6", "link")
 						felix.Exec("ip", "-6", "addr")
@@ -4579,16 +4580,15 @@ func describeBPFTests(opts ...bpfTestOpt) bool {
 					fc.Spec.BPFEnabled = &bpfEnabled
 					_, err := calicoClient.FelixConfigurations().Update(context.Background(), fc, options2.SetOptions{})
 					Expect(err).NotTo(HaveOccurred())
-					return
+				} else {
+					// Fall back on creating it...
+					fc = api.NewFelixConfiguration()
+					fc.Name = "default"
+					fc.Spec.BPFEnabled = &bpfEnabled
+					fc, err = calicoClient.FelixConfigurations().Create(context.Background(), fc, options2.SetOptions{})
+					Expect(err).NotTo(HaveOccurred())
 				}
 
-				// Fall back on creating it...
-				fc = api.NewFelixConfiguration()
-				fc.Name = "default"
-				fc.Spec.BPFEnabled = &bpfEnabled
-				fc, err = calicoClient.FelixConfigurations().Create(context.Background(), fc, options2.SetOptions{})
-				Expect(err).NotTo(HaveOccurred())
-
 				// Wait for BPF to be active.
 				ensureAllNodesBPFProgramsAttached(tc.Felixes)
 			}
@@ -4601,7 +4601,7 @@ func describeBPFTests(opts ...bpfTestOpt) bool {
 				log.Info("Pongs received")
 			}
 
-			if testOpts.protocol == "tcp" && testOpts.dsr {
+			if testOpts.protocol == "tcp" && (testOpts.dsr || testOpts.ipv6) {
 				verifyConnectivityWhileEnablingBPF := func(from, to *workload.Workload) {
 					By("Starting persistent connection")
 					pc = from.StartPersistentConnection(to.IP, 8055, workload.PersistentConnectionOpts{

felix/rules/static.go

@@ -1152,18 +1152,23 @@ func (r *DefaultRuleRenderer) StaticBPFModeRawChains(ipVersion uint8,
 			Action:  GotoAction{Target: ChainRawBPFUntrackedPolicy},
 			Comment: []string{"Jump to target for packets with Bypass mark"},
 		},
-		Rule{
-			Match:   Match().DestAddrType(AddrTypeLocal),
-			Action:  SetMaskedMarkAction{Mark: tcdefs.MarkSeenSkipFIB, Mask: tcdefs.MarkSeenSkipFIB},
-			Comment: []string{"Mark traffic towards the host - it is TRACKed"},
-		},
-		Rule{
-			Match:   Match().NotDestAddrType(AddrTypeLocal),
-			Action:  GotoAction{Target: ChainRawUntrackedFlows},
-			Comment: []string{"Check if forwarded traffic needs to be TRACKed"},
-		},
 	)
 
+	if bypassHostConntrack {
+		rawRules = append(rawRules,
+			Rule{
+				Match:   Match().DestAddrType(AddrTypeLocal),
+				Action:  SetMaskedMarkAction{Mark: tcdefs.MarkSeenSkipFIB, Mask: tcdefs.MarkSeenSkipFIB},
+				Comment: []string{"Mark traffic towards the host - it is TRACKed"},
+			},
+			Rule{
+				Match:   Match().NotDestAddrType(AddrTypeLocal),
+				Action:  GotoAction{Target: ChainRawUntrackedFlows},
+				Comment: []string{"Check if forwarded traffic needs to be TRACKed"},
+			},
+		)
+	}
+
 	rawPreroutingChain := &Chain{
 		Name:  ChainRawPrerouting,
 		Rules: rawRules,