[SRU][N/O][PATCH 0/1] Backport "netkit: Add option for scrubbing meta data"
Tim Whisonant
tim.whisonant at canonical.com
Wed Jan 8 21:35:31 UTC 2025

BugLink: https://bugs.launchpad.net/bugs/2091184

SRU Justification:

[Impact]

 * When running Cilium with netkit in per-endpoint-routes mode,
   network policy misclassifies traffic. In this direct routing
   mode of Cilium, which is used in the case of GKE/EKS/AKS, the Pod's
   BPF program to enforce policy sits on the netkit primary device's
   egress side.

[Fix]

 * This has been fixed upstream via commit:
   83134ef4609388f6b9ca31a384f531155196c2a7 : netkit: Add option for
   scrubbing skb meta data

[Test Plan]

 * Boot-tested the changes in a GCP environment on amd64 hardware.

[Where problems could occur]

 * There could be a difference in cache behavior with the struct
   netkit with the added enum in the 4-byte hole between policy
   and bundle.

[Other Info]

 * Changes are limited to the NetKit driver. Risk is considered low as
   the changes are limited and apply cleanly from upstream.
 * SF #00402561

Daniel Borkmann (1):
  netkit: Add option for scrubbing skb meta data

 drivers/net/netkit.c         | 68 +++++++++++++++++++++++++++++-------
 include/uapi/linux/if_link.h | 15 ++++++++
 2 files changed, 70 insertions(+), 13 deletions(-)

--
2.43.0