m

mazdakn · mazdakn · commit 28124876a87d · 2025-09-09T14:30:38.000-07:00
diff --git a/felix/bpf-gpl/qos.h b/felix/bpf-gpl/qos.h
@@ -108,7 +108,7 @@ static CALI_BPF_INLINE int qos_enforce_packet_rate(struct cali_tc_ctx *ctx)
 	return TC_ACT_SHOT;
 }
 
-static CALI_BPF_INLINE bool qos_dscp_need_update(struct cali_tc_ctx *ctx)
+static CALI_BPF_INLINE bool qos_dscp_needs_update(struct cali_tc_ctx *ctx)
 {
 	return ((ctx->state->flags & CALI_ST_CLUSTER_EXTERNAL) && EGRESS_DSCP >= 0);
 }
diff --git a/felix/bpf-gpl/routes.h b/felix/bpf-gpl/routes.h
@@ -123,6 +123,12 @@ static CALI_BPF_INLINE bool rt_addr_is_external(ipv46_addr_t *addr)
 	return cali_rt_flags_external(cali_rt_lookup_flags(addr));
 }
 
+static CALI_BPF_INLINE bool rt_addr_is_host_or_in_pool(ipv46_addr_t *addr)
+{
+	__u32 flags = cali_rt_lookup_flags(addr);
+	return cali_rt_flags_host(flags) || cali_rt_flags_is_in_pool(flags);
+}
+
 // Don't perform SNAT if either:
 // - packet is destined to an address in an IP pool;
 // - packet is destined to local host; or
@@ -136,5 +142,4 @@ static CALI_BPF_INLINE bool rt_flags_should_perform_nat_outgoing(enum cali_rt_fl
     }
     return true;
 }
-
 #endif /* __CALI_ROUTES_H__ */
diff --git a/felix/bpf-gpl/tc.c b/felix/bpf-gpl/tc.c
@@ -548,12 +548,10 @@ static CALI_BPF_INLINE void calico_tc_process_ct_lookup(struct cali_tc_ctx *ctx)
 				ctx->state->flags |= CALI_ST_NAT_OUTGOING;
 			}
 		}
-		// Check if traffic is leaving cluster. It might need to set DSCP.
-		if (cali_rt_flags_is_in_pool(r->flags)) {
-			if (rt_addr_is_external(&ctx->state->post_nat_ip_dst)) {
-				CALI_DEBUG("Outside cluster dest " IP_FMT "", debug_ip(ctx->state->post_nat_ip_dst));
-				ctx->state->flags |= CALI_ST_CLUSTER_EXTERNAL;
-			}
+		// Check if traffic is leaving cluster. We might need to set DSCP later.
+		if (cali_rt_flags_is_in_pool(r->flags) && rt_addr_is_external(&ctx->state->post_nat_ip_dst)) {
+			CALI_DEBUG("Outside cluster dest " IP_FMT "", debug_ip(ctx->state->post_nat_ip_dst));
+			ctx->state->flags |= CALI_ST_CLUSTER_EXTERNAL;
 		}
 		/* If 3rd party CNI is used and dest is outside cluster. See commit fc711b192f for details. */
 		if (!(cali_rt_flags_is_in_pool(r->flags))) {
@@ -565,25 +563,16 @@ static CALI_BPF_INLINE void calico_tc_process_ct_lookup(struct cali_tc_ctx *ctx)
 		}
 	}
 
-	// If either destination is outside cluster, set flag as might need to update DSCP later.
-	if (CALI_F_TO_HEP) {
-		struct cali_rt *r = cali_rt_lookup(&ctx->state->ip_src);
-		if (r && cali_rt_flags_host(r->flags)) {
-			if (rt_addr_is_external(&ctx->state->post_nat_ip_dst)) {
-				CALI_DEBUG("Outside cluster dest " IP_FMT "", debug_ip(ctx->state->post_nat_ip_dst));
-				ctx->state->flags |= CALI_ST_CLUSTER_EXTERNAL;
-			}
-		}
+	// If either source or destination is outside cluster, set flag as might need to update DSCP later.
+	if ((CALI_F_TO_HEP) && (rt_addr_is_local_host(&ctx->state->ip_src)) &&
+		(rt_addr_is_external(&ctx->state->post_nat_ip_dst))) {
+		CALI_DEBUG("Outside cluster dest " IP_FMT "", debug_ip(ctx->state->post_nat_ip_dst));
+		ctx->state->flags |= CALI_ST_CLUSTER_EXTERNAL;
 	}
-	// If source is outside cluster, set flag as might need to update DSCP later.
-	if (CALI_F_FROM_HEP) {
-		struct cali_rt *r = cali_rt_lookup(&ctx->state->post_nat_ip_dst);
-		if (r && (cali_rt_flags_host(r->flags) || cali_rt_flags_is_in_pool(r->flags))) {
-			if (rt_addr_is_external(&ctx->state->ip_src)) {
-				CALI_DEBUG("Outside cluster source " IP_FMT "", debug_ip(ctx->state->ip_src));
-				ctx->state->flags |= CALI_ST_CLUSTER_EXTERNAL;
-			}
-		}
+	if ((CALI_F_FROM_HEP) && (rt_addr_is_host_or_in_pool(&ctx->state->post_nat_ip_dst)) &&
+		(rt_addr_is_external(&ctx->state->ip_src))) {
+		CALI_DEBUG("Outside cluster source " IP_FMT "", debug_ip(ctx->state->ip_src));
+		ctx->state->flags |= CALI_ST_CLUSTER_EXTERNAL;
 	}
 
 	/* [SMC] I had to add this revalidation when refactoring the conntrack code to use the context and
@@ -1357,7 +1346,7 @@ int calico_tc_skb_accepted_entrypoint(struct __sk_buff *skb)
 		deny_reason(ctx, CALI_REASON_DROPPED_BY_QOS);
 		goto deny;
 	}
-	if ((CALI_F_FROM_WEP || CALI_F_TO_HEP) && qos_dscp_need_update(ctx) && !qos_dscp_set(ctx)) {
+	if ((CALI_F_FROM_WEP || CALI_F_TO_HEP) && qos_dscp_needs_update(ctx) && !qos_dscp_set(ctx)) {
 		goto deny;
 	}
 	ctx->fwd = calico_tc_skb_accepted(ctx);

Original file line number	Diff line number	Diff line change
`@@ -108,7 +108,7 @@ static CALI_BPF_INLINE int qos_enforce_packet_rate(struct cali_tc_ctx *ctx)`
`108`	`108`	`return TC_ACT_SHOT;`
`109`	`109`	`}`
`110`	`110`
`111`		`-static CALI_BPF_INLINE bool qos_dscp_need_update(struct cali_tc_ctx *ctx)`
	`111`	`+static CALI_BPF_INLINE bool qos_dscp_needs_update(struct cali_tc_ctx *ctx)`
`112`	`112`	`{`
`113`	`113`	`return ((ctx->state->flags & CALI_ST_CLUSTER_EXTERNAL) && EGRESS_DSCP >= 0);`
`114`	`114`	`}`
Original file line number	Diff line number	Diff line change
`@@ -123,6 +123,12 @@ static CALI_BPF_INLINE bool rt_addr_is_external(ipv46_addr_t *addr)`
`123`	`123`	`return cali_rt_flags_external(cali_rt_lookup_flags(addr));`
`124`	`124`	`}`
`125`	`125`
	`126`	`+static CALI_BPF_INLINE bool rt_addr_is_host_or_in_pool(ipv46_addr_t *addr)`
	`127`	`+{`
	`128`	`+ __u32 flags = cali_rt_lookup_flags(addr);`
	`129`	`+ return cali_rt_flags_host(flags) \|\| cali_rt_flags_is_in_pool(flags);`
	`130`	`+}`
	`131`	`+`
`126`	`132`	`// Don't perform SNAT if either:`
`127`	`133`	`// - packet is destined to an address in an IP pool;`
`128`	`134`	`// - packet is destined to local host; or`
`@@ -136,5 +142,4 @@ static CALI_BPF_INLINE bool rt_flags_should_perform_nat_outgoing(enum cali_rt_fl`
`136`	`142`	`}`
`137`	`143`	`return true;`
`138`	`144`	`}`
`139`		`-`
`140`	`145`	`#endif /* __CALI_ROUTES_H__ */`