// SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
/* Copyright Authors of Cilium */
/* Listing of bpf/bpf_wireguard.c from github.com/cilium/cilium@v1.16.2 */

/* Both macros are defined before the includes so that the shared headers
 * below see them. ETH_HLEN is 0 here, presumably because the WireGuard
 * device carries L3 packets with no Ethernet header.
 */
#define ETH_HLEN 0
#define IS_BPF_WIREGUARD 1

#include <bpf/ctx/skb.h>
#include <bpf/api.h>

#include <node_config.h>
#include <netdev_config.h>

#include "lib/trace.h"
#include "lib/drop.h"
#include "lib/nodeport.h"

/* to-wireguard is attached as a tc egress filter to the cilium_wg0 device.
 *
 * Behaviour visible in this file:
 *  - The source security identity is taken from the skb mark only when the
 *    mark's magic bits equal MARK_MAGIC_IDENTITY; otherwise it stays
 *    UNKNOWN_ID. In this function the identity is used solely to label the
 *    drop notification, no verdict is derived from it here.
 *  - With ENABLE_NODEPORT, packets not marked MARK_MAGIC_OVERLAY are passed
 *    through handle_nat_fwd(); an error result drops the packet and emits a
 *    drop notification counted as METRIC_EGRESS.
 *  - Without ENABLE_NODEPORT, every packet is passed with TC_ACT_OK.
 *
 * Returns TC_ACT_OK, or the result of send_drop_notify_error_ext() when
 * handle_nat_fwd() reports an error.
 */
__section_entry
int cil_to_wireguard(struct __ctx_buff *ctx)
{
	/* Bits of the skb mark selected by MARK_MAGIC_HOST_MASK. */
	__u32 mark_magic = ctx->mark & MARK_MAGIC_HOST_MASK;
	__u16 __maybe_unused l3_proto = ctx_get_protocol(ctx);
	/* Read the identity before bpf_clear_meta() is called below. */
	__u32 __maybe_unused src_id = mark_magic == MARK_MAGIC_IDENTITY ?
				      get_identity(ctx) : UNKNOWN_ID;
	__s8 __maybe_unused ext_err = 0;
	int __maybe_unused rc;

	struct trace_ctx __maybe_unused trace = {
		.reason = TRACE_REASON_UNKNOWN,
		.monitor = 0,
	};

	bpf_clear_meta(ctx);

#ifdef ENABLE_NODEPORT
	/* Overlay-marked packets skip the NAT forward path entirely. */
	if (mark_magic != MARK_MAGIC_OVERLAY) {
		/* The literal arguments 0 and true are interpreted by
		 * handle_nat_fwd() in lib/nodeport.h (not shown here).
		 */
		rc = handle_nat_fwd(ctx, 0, l3_proto, true, &trace, &ext_err);
		if (IS_ERR(rc))
			return send_drop_notify_error_ext(ctx, src_id, rc, ext_err,
							  CTX_ACT_DROP, METRIC_EGRESS);
	}
#endif /* ENABLE_NODEPORT */

	return TC_ACT_OK;
}

BPF_LICENSE("Dual BSD/GPL");