Skip to content

BPF: Set DSCP only for traffic leaving cluster #10934

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Sep 11, 2025
Merged

BPF: Set DSCP only for traffic leaving cluster #10934

merged 3 commits into from
Sep 11, 2025

Conversation

@mazdakn
Copy link
Member

@mazdakn mazdakn commented Sep 4, 2025
edited
Loading

Description

Apply DSCP on traffic only when leaving cluster. In the original support of DSCP in bpf, DSCP is set on all egress traffic from an endpoint even when both source and destination are inside cluster. This PR changes the behavior to only set DSCP when either source or destination is outside cluster.

Related issues/PRs

Follow up for #10881

Todos

  • Tests
  • Documentation
  • Release note

Release Note

TBD

Reminder for the reviewer

Make sure that this PR has the correct labels and milestone set.

Every PR needs one docs-* label.

  • docs-pr-required: This change requires a change to the documentation that has not been completed yet.
  • docs-completed: This change has all necessary documentation completed.
  • docs-not-required: This change has no user-facing impact and requires no docs.

Every PR needs one release-note-* label.

  • release-note-required: This PR has user-facing changes. Most PRs should have this label.
  • release-note-not-required: This PR has no user-facing changes.

Other optional labels:

  • cherry-pick-candidate: This PR should be cherry-picked to an earlier release. For bug fixes only.
  • needs-operator-pr: This PR is related to install and requires a corresponding change to the operator.

Copilot AI review requested due to automatic review settings September 4, 2025 19:00
@mazdakn mazdakn added the docs-not-required Docs not required for this change label Sep 4, 2025
@mazdakn mazdakn requested a review from a team as a code owner September 4, 2025 19:00
@mazdakn mazdakn added the release-note-not-required Change has no user-facing impact label Sep 4, 2025
@marvin-tigera marvin-tigera added this to the Calico v3.31.0 milestone Sep 4, 2025

This comment was marked as outdated.

Sign in to view

@mazdakn mazdakn changed the title [WIP] BPF: Set DSCP only for traffic leaving cluster BPF: Set DSCP only for traffic leaving cluster Sep 8, 2025
@mazdakn mazdakn requested a review from Copilot September 9, 2025 21:41

This comment was marked as outdated.

Sign in to view

@mazdakn mazdakn requested a review from Copilot September 9, 2025 21:48
Copilot AI reviewed Sep 9, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR modifies the DSCP (Differentiated Services Code Point) handling in Calico's BPF dataplane to only apply DSCP marking when traffic is crossing cluster boundaries. Previously, DSCP was applied to all egress traffic from endpoints, but now it's restricted to traffic where either the source or destination is outside the cluster.

Key changes:

  • Introduces cluster boundary detection logic using routing table flags
  • Adds new state flags and conntrack flags to track external cluster traffic
  • Updates DSCP application logic to only set DSCP for cross-cluster traffic

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
felix/fv/dscp_test.go Updates test description and adds test case for return traffic from external connections
felix/bpf/ut/qos_test.go Refactors DSCP tests into comprehensive test cases covering internal and external cluster scenarios
felix/bpf-gpl/types.h Adds CALI_ST_CLUSTER_EXTERNAL state flag for tracking cross-cluster traffic
felix/bpf-gpl/tc.c Implements cluster boundary detection logic and updates DSCP application condition
felix/bpf-gpl/routes.h Adds helper functions for detecting external addresses and host/pool addresses
felix/bpf-gpl/qos.h Splits DSCP logic into condition check and application functions
felix/bpf-gpl/conntrack_types.h Adds CALI_CT_FLAG_CLUSTER_EXTERNAL conntrack flag and updates copyright year
Comments suppressed due to low confidence (1)

felix/bpf-gpl/qos.h:1

  • This TODO comment is now obsolete since the PR implements the functionality described in the comment. The TODO should be removed.
// Project Calico BPF dataplane programs.

@mazdakn mazdakn merged commit 8001cca into projectcalico:master Sep 11, 2025
2 of 3 checks passed
@mazdakn mazdakn deleted the dscp-bpf-egress branch September 11, 2025 22:13
@mazdakn mazdakn mentioned this pull request Sep 11, 2025
Merged
3 tasks
@mazdakn mazdakn mentioned this pull request Sep 19, 2025
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@tomastigera tomastigera tomastigera approved these changes

Assignees

No one assigned

Labels

docs-not-required Docs not required for this change release-note-not-required Change has no user-facing impact

Projects

None yet

Milestone

Calico v3.31.0

Development

Successfully merging this pull request may close these issues.

3 participants

@mazdakn @tomastigera @marvin-tigera