Merge pull request #1496 from zrggw/ipsec_issue

kmesh-bot · web-flow · commit 098968ae29ac · 2025-09-03T16:33:31.000+08:00
Resolving communication issue between pods after enabling IPsec
diff --git a/bpf/kmesh/general/include/tc.h b/bpf/kmesh/general/include/tc.h
@@ -24,8 +24,9 @@ struct tc_info {
     };
 };
 
-#define PARSER_FAILED 1
-#define PARSER_SUCC   0
+#define PARSER_FAILED        1
+#define PARSER_SUCC          0
+#define IPSEC_DECRYPTED_MARK 0x00d0
 
 static inline bool is_ipv4(struct tc_info *info)
 {
diff --git a/bpf/kmesh/general/tc_mark_decrypt.c b/bpf/kmesh/general/tc_mark_decrypt.c
@@ -12,16 +12,34 @@ int tc_mark_decrypt(struct __sk_buff *ctx)
 {
     struct nodeinfo *nodeinfo;
     struct tc_info info = {0};
+    __u8 protocol = 0;
+    bool decrypted = false;
+    __u32 mark = 0;
 
     if (parser_tc_info(ctx, &info)) {
         return TC_ACT_OK;
     }
-    nodeinfo = check_remote_manage_by_kmesh(ctx, &info, info.iph->saddr, info.ip6h->saddr.s6_addr32);
-    if (!nodeinfo) {
+    if (is_ipv4(&info)) {
+        protocol = info.iph->protocol;
+    } else if (is_ipv6(&info)) {
+        protocol = info.ip6h->nexthdr;
+    } else {
         return TC_ACT_OK;
     }
-    // 0x00d0 mean need decryption in ipsec
-    ctx->mark = 0x00d0;
+
+    if (protocol == IPPROTO_ESP) {
+        return TC_ACT_OK;
+    }
+
+    mark = ctx->mark;
+    decrypted = (mark == IPSEC_DECRYPTED_MARK); // IPSEC_DECRYPTED_MARK is same with xfmr state output-mark, which means
+                                                // packet was decrypted and then back to ingress
+
+    if (decrypted) {
+        return TC_ACT_OK;
+    }
+
+    ctx->mark = 0;
     return TC_ACT_OK;
 }
 
diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go
@@ -31,8 +31,11 @@ const (
 	ENABLED       = uint32(1)
 	DISABLED      = uint32(0)
 
-	TC_MARK_DECRYPT = "tc_mark_decrypt"
-	TC_MARK_ENCRYPT = "tc_mark_encrypt"
+	TC_MARK_DECRYPT   = "tc_mark_decrypt"
+	TC_MARK_ENCRYPT   = "tc_mark_encrypt"
+	XfrmDecryptedMark = 0x00d0
+	XfrmEncryptMark   = 0x00e0
+	XfrmMarkMask      = 0xffffffff
 
 	TC_ATTACH = 0
 	TC_DETACH = 1
diff --git a/pkg/controller/encryption/ipsec/ipsec_handler.go b/pkg/controller/encryption/ipsec/ipsec_handler.go
@@ -280,6 +280,10 @@ func (is *IpSecHandler) createStateRule(src net.IP, dst net.IP, key []byte, ipse
 			Key:    key,
 			ICVLen: ipsecKey.Length,
 		},
+		OutputMark: &netlink.XfrmMark{
+			Value: constants.XfrmDecryptedMark,
+			Mask:  constants.XfrmMarkMask,
+		},
 	}
 	err := netlink.XfrmStateAdd(state)
 	if err != nil && !os.IsExist(err) {
@@ -302,12 +306,12 @@ func (is *IpSecHandler) createPolicyRule(srcCIDR, dstCIDR *net.IPNet, src, dst n
 			},
 		},
 		Mark: &netlink.XfrmMark{
-			Mask: 0xffffffff,
+			Mask: constants.XfrmMarkMask,
 		},
 	}
 	if out {
 		// ingress
-		mark := uint32(0xd0)
+		mark := uint32(constants.XfrmDecryptedMark)
 		policy.Mark.Value = mark
 
 		policy.Dir = netlink.XFRM_DIR_IN
@@ -321,7 +325,7 @@ func (is *IpSecHandler) createPolicyRule(srcCIDR, dstCIDR *net.IPNet, src, dst n
 		}
 	} else {
 		// egress, update SPI
-		mark := uint32(0xe0)
+		mark := uint32(constants.XfrmEncryptMark)
 
 		policy.Mark.Value = uint32(mark)
 		policy.Tmpls[0].Spi = int(spi)
diff --git a/test/bpf_ut/bpftest/general_test.go b/test/bpf_ut/bpftest/general_test.go
@@ -46,7 +46,23 @@ func testGeneralTC(t *testing.T) {
 			objFilename: "tc_mark_decrypt_test.o",
 			uts: []unitTest_BPF_PROG_TEST_RUN{
 				{
-					name: "tc_mark_decrypt",
+					name: "tc_mark_decrypt_case1",
+					setupInUserSpace: func(t *testing.T, coll *ebpf.Collection) {
+						setBpfConfig(t, coll, &factory.GlobalBpfConfig{
+							BpfLogLevel: constants.BPF_LOG_DEBUG,
+						})
+					},
+				},
+				{
+					name: "tc_mark_decrypt_case2",
+					setupInUserSpace: func(t *testing.T, coll *ebpf.Collection) {
+						setBpfConfig(t, coll, &factory.GlobalBpfConfig{
+							BpfLogLevel: constants.BPF_LOG_DEBUG,
+						})
+					},
+				},
+				{
+					name: "tc_mark_decrypt_case3",
 					setupInUserSpace: func(t *testing.T, coll *ebpf.Collection) {
 						setBpfConfig(t, coll, &factory.GlobalBpfConfig{
 							BpfLogLevel: constants.BPF_LOG_DEBUG,
diff --git a/test/bpf_ut/tc_mark_decrypt_test.c b/test/bpf_ut/tc_mark_decrypt_test.c
@@ -52,34 +52,120 @@ const struct tcphdr l4 = {
 };
 const char body[20] = "Should not change!!";
 
-PKTGEN("tc", "tc_mark_decrypt")
+// Test Case 1: TCP protocol, mark 0x00a0, expect mark to be 0x0
+PKTGEN("tc", "tc_mark_decrypt_case1")
 int test1_pktgen(struct __sk_buff *ctx)
 {
     return build_tc_packet(ctx, &l2, &l3, &l4, body, (uint)sizeof(body));
 }
 
-JUMP("tc", "tc_mark_decrypt")
+JUMP("tc", "tc_mark_decrypt_case1")
 int test1_jump(struct __sk_buff *ctx)
 {
-    // build context
-    struct lpm_key key = {0};
-    key.trie_key.prefixlen = 32;
-    key.ip.ip4 = SRC_IP;
-    __u32 value = 1;
-    bpf_map_update_elem(&map_of_nodeinfo, &key, &value, BPF_ANY);
+    // Set initial mark to 0x00a0
+    ctx->mark = 0x00a0;
 
     bpf_tail_call(ctx, &entry_call_map, 0);
     return TEST_ERROR;
 }
 
-CHECK("tc", "tc_mark_decrypt")
+CHECK("tc", "tc_mark_decrypt_case1")
 int test1_check(struct __sk_buff *ctx)
 {
     const __u32 expected_status_code = TC_ACT_OK;
 
     test_init();
 
     check_tc_packet(ctx, &expected_status_code, &l2, &l3, &l4, body, (uint)sizeof(body));
+    if (ctx->mark != 0x0)
+        test_fatal("ctx->mark mismatch, expected 0x0, got %u", ctx->mark);
+
+    test_finish();
+}
+
+// Test Case 2: TCP protocol, mark 0x00d0, expect mark to remain 0x00d0
+PKTGEN("tc", "tc_mark_decrypt_case2")
+int test2_pktgen(struct __sk_buff *ctx)
+{
+    return build_tc_packet(ctx, &l2, &l3, &l4, body, (uint)sizeof(body));
+}
+
+JUMP("tc", "tc_mark_decrypt_case2")
+int test2_jump(struct __sk_buff *ctx)
+{
+    // Set initial mark to 0x00d0 (already decrypted)
+    ctx->mark = 0x00d0;
+
+    bpf_tail_call(ctx, &entry_call_map, 0);
+    return TEST_ERROR;
+}
+
+CHECK("tc", "tc_mark_decrypt_case2")
+int test2_check(struct __sk_buff *ctx)
+{
+    const __u32 expected_status_code = TC_ACT_OK;
+
+    test_init();
+
+    check_tc_packet(ctx, &expected_status_code, &l2, &l3, &l4, body, (uint)sizeof(body));
+    if (ctx->mark != 0x00d0)
+        test_fatal("ctx->mark mismatch, expected 0x00d0, got %u", ctx->mark);
+
+    test_finish();
+}
+
+// Test Case 3: ESP protocol, mark 0x00d0, expect mark to remain 0x00d0
+PKTGEN("tc", "tc_mark_decrypt_case3")
+int test3_pktgen(struct __sk_buff *ctx)
+{
+    // Use ESP protocol header for this test
+    struct iphdr l3_esp = {
+        .version = 4,
+        .ihl = 5,
+        .tot_len = 40,
+        .id = 0x5438,
+        .frag_off = bpf_htons(IP_DF),
+        .ttl = 64,
+        .protocol = IPPROTO_ESP,
+        .saddr = SRC_IP,
+        .daddr = DEST_IP,
+    };
+
+    return build_tc_packet(ctx, &l2, &l3_esp, &l4, body, (uint)sizeof(body));
+}
+
+JUMP("tc", "tc_mark_decrypt_case3")
+int test3_jump(struct __sk_buff *ctx)
+{
+    // Set initial mark to 0x00d0
+    ctx->mark = 0x00d0;
+
+    // build context - no need for nodeinfo map for ESP packets
+    bpf_tail_call(ctx, &entry_call_map, 0);
+    return TEST_ERROR;
+}
+
+CHECK("tc", "tc_mark_decrypt_case3")
+int test3_check(struct __sk_buff *ctx)
+{
+    const __u32 expected_status_code = TC_ACT_OK;
+
+    test_init();
+
+    // Use ESP protocol header for verification
+    struct iphdr l3_esp = {
+        .version = 4,
+        .ihl = 5,
+        .tot_len = 40,
+        .id = 0x5438,
+        .frag_off = bpf_htons(IP_DF),
+        .ttl = 64,
+        .protocol = IPPROTO_ESP,
+        .saddr = SRC_IP,
+        .daddr = DEST_IP,
+    };
+
+    check_tc_packet(ctx, &expected_status_code, &l2, &l3_esp, &l4, body, (uint)sizeof(body));
     if (ctx->mark != 0x00d0)
         test_fatal("ctx->mark mismatch, expected 0x00d0, got %u", ctx->mark);
 
