projectcalico
diff --git a/‎bpf-gpl/connect_balancer.c‎
Lines changed: 2 additions & 2 deletions b/‎bpf-gpl/connect_balancer.c‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎bpf-gpl/nat_lookup.h‎
Lines changed: 30 additions & 16 deletions b/‎bpf-gpl/nat_lookup.h‎
Lines changed: 30 additions & 16 deletions
diff --git a/‎bpf-gpl/nat_types.h‎
Lines changed: 5 additions & 1 deletion b/‎bpf-gpl/nat_types.h‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎bpf/nat/maps.go‎
Lines changed: 44 additions & 4 deletions b/‎bpf/nat/maps.go‎
Lines changed: 44 additions & 4 deletions
diff --git a/‎bpf/proxy/kube-proxy.go‎
Lines changed: 7 additions & 3 deletions b/‎bpf/proxy/kube-proxy.go‎
Lines changed: 7 additions & 3 deletions
diff --git a/‎bpf/proxy/syncer.go‎
Lines changed: 17 additions & 14 deletions b/‎bpf/proxy/syncer.go‎
Lines changed: 17 additions & 14 deletions
diff --git a/‎bpf/proxy/syncer_test.go‎
Lines changed: 7 additions & 3 deletions b/‎bpf/proxy/syncer_test.go‎
Lines changed: 7 additions & 3 deletions
diff --git a/‎cmd/calico-bpf/commands/nat.go‎
Lines changed: 6 additions & 2 deletions b/‎cmd/calico-bpf/commands/nat.go‎
Lines changed: 6 additions & 2 deletions
@@ -40,9 +40,9 @@ static CALI_BPF_INLINE int do_nat_common(struct bpf_sock_addr *ctx, __u8 proto,
 	nat_lookup_result res = NAT_LOOKUP_ALLOW;
 	__u16 dport_he = (__u16)(bpf_ntohl(ctx->user_port)>>16);
 	struct calico_nat_dest *nat_dest;
-	nat_dest = calico_v4_nat_lookup3(0, ctx->user_ip4, proto, dport_he, false, &res,
+	nat_dest = calico_v4_nat_lookup(0, ctx->user_ip4, proto, dport_he, false, &res,
 			proto == IPPROTO_UDP && !connect ? UDP_NOT_SEEN_TIMEO : 0, /* enforce affinity UDP */
-		 	proto == IPPROTO_UDP && !connect /* update affinity timer */);
+			proto == IPPROTO_UDP && !connect /* update affinity timer */);
 	if (!nat_dest) {
 		CALI_INFO("NAT miss.\n");
 		if (res == NAT_NO_BACKEND) {
 
@@ -15,14 +15,14 @@
 #include "routes.h"
 #include "nat_types.h"
 
-static CALI_BPF_INLINE struct calico_nat_dest* calico_v4_nat_lookup3(__be32 ip_src,
-								     __be32 ip_dst,
-								     __u8 ip_proto,
-								     __u16 dport,
-								     bool from_tun,
-								     nat_lookup_result *res,
-								     int affinity_always_timeo,
-								     bool affinity_tmr_update)
+static CALI_BPF_INLINE struct calico_nat_dest* calico_v4_nat_lookup(__be32 ip_src,
+								    __be32 ip_dst,
+								    __u8 ip_proto,
+								    __u16 dport,
+								    bool from_tun,
+								    nat_lookup_result *res,
+								    int affinity_always_timeo,
+								    bool affinity_tmr_update)
 {
 	struct calico_nat_v4_key nat_key = {
 		.prefixlen = NAT_PREFIX_LEN_WITH_SRC_MATCH_IN_BITS,
@@ -102,7 +102,27 @@ static CALI_BPF_INLINE struct calico_nat_dest* calico_v4_nat_lookup3(__be32 ip_s
 		*res = NAT_FE_LOOKUP_DROP;
 		return NULL;
 	}
-	__u32 count = from_tun ? nat_lv1_val->local : nat_lv1_val->count;
+	__u32 count = nat_lv1_val->count;
+
+	if (from_tun) {
+		count = nat_lv1_val->local;
+	} else if (nat_lv1_val->flags & (NAT_FLG_INTERNAL_LOCAL | NAT_FLG_EXTERNAL_LOCAL)) {
+		bool local_traffic = true;
+
+		if (CALI_F_FROM_HEP) {
+			struct cali_rt *rt = cali_rt_lookup(ip_src);
+
+			if (!rt || (!cali_rt_is_host(rt) && !cali_rt_is_workload(rt))) {
+				local_traffic = false;
+			}
+		}
+
+		if ((local_traffic && (nat_lv1_val->flags & NAT_FLG_INTERNAL_LOCAL)) ||
+				(!local_traffic && (nat_lv1_val->flags & NAT_FLG_EXTERNAL_LOCAL))) {
+			count = nat_lv1_val->local;
+			CALI_DEBUG("local_traffic %d count %d flags 0x%x\n", local_traffic, count, nat_lv1_val->flags);
+		}
+	}
 
 	CALI_DEBUG("NAT: 1st level hit; id=%d\n", nat_lv1_val->id);
 
@@ -179,18 +199,12 @@ static CALI_BPF_INLINE struct calico_nat_dest* calico_v4_nat_lookup3(__be32 ip_s
 	return nat_lv2_val;
 }
 
-static CALI_BPF_INLINE struct calico_nat_dest* calico_v4_nat_lookup(__be32 ip_src, __be32 ip_dst,
-								    __u8 ip_proto, __u16 dport, nat_lookup_result *res)
-{
-	return calico_v4_nat_lookup3(ip_src, ip_dst, ip_proto, dport, false, res, 0, false);
-}
-
 static CALI_BPF_INLINE struct calico_nat_dest* calico_v4_nat_lookup2(__be32 ip_src, __be32 ip_dst,
 								    __u8 ip_proto, __u16 dport,
 								    bool from_tun,
 								    nat_lookup_result *res)
 {
-	return calico_v4_nat_lookup3(ip_src, ip_dst, ip_proto, dport, from_tun, res, 0, false);
+	return calico_v4_nat_lookup(ip_src, ip_dst, ip_proto, dport, from_tun, res, 0, false);
 }
 
 #endif /* __CALI_NAT_LOOKUP_H__ */
@@ -53,9 +53,13 @@ struct calico_nat_v4_value {
 	__u32 count;
 	__u32 local;
 	__u32 affinity_timeo;
+	__u32 flags;
 };
 
-CALI_MAP(cali_v4_nat_fe, 2,
+#define NAT_FLG_EXTERNAL_LOCAL	0x1
+#define NAT_FLG_INTERNAL_LOCAL	0x2
+
+CALI_MAP(cali_v4_nat_fe, 3,
 		BPF_MAP_TYPE_LPM_TRIE,
 		union calico_nat_v4_lpm_key, struct calico_nat_v4_value,
 		511000, BPF_F_NO_PREALLOC, MAP_PIN_GLOBAL)
 
@@ -51,8 +51,9 @@ const frontendAffKeySize = 8
 //    uint32_t count;
 //    uint32_t local;
 //    uint32_t affinity_timeo;
+//    uint32_t flags;
 // };
-const frontendValueSize = 16
+const frontendValueSize = 20
 
 // struct calico_nat_secondary_v4_key {
 //   uint32_t id;
@@ -138,6 +139,16 @@ func (k FrontendKey) String() string {
 	return fmt.Sprintf("NATKey{Proto:%v Addr:%v Port:%v SrcAddr:%v}", k.Proto(), k.Addr(), k.Port(), k.SrcCIDR())
 }
 
+const (
+	NATFlgExternalLocal = 0x1
+	NATFlgInternalLocal = 0x2
+)
+
+var flgTostr = map[int]string{
+	NATFlgExternalLocal: "external-local",
+	NATFlgInternalLocal: "internal-local",
+}
+
 type FrontendValue [frontendValueSize]byte
 
 func NewNATValue(id uint32, count, local, affinityTimeo uint32) FrontendValue {
@@ -149,6 +160,12 @@ func NewNATValue(id uint32, count, local, affinityTimeo uint32) FrontendValue {
 	return v
 }
 
+func NewNATValueWithFlags(id uint32, count, local, affinityTimeo, flags uint32) FrontendValue {
+	v := NewNATValue(id, count, local, affinityTimeo)
+	binary.LittleEndian.PutUint32(v[16:20], flags)
+	return v
+}
+
 func (v FrontendValue) ID() uint32 {
 	return binary.LittleEndian.Uint32(v[:4])
 }
@@ -166,9 +183,32 @@ func (v FrontendValue) AffinityTimeout() time.Duration {
 	return time.Duration(secs) * time.Second
 }
 
+func (v FrontendValue) Flags() uint32 {
+	return binary.LittleEndian.Uint32(v[16:20])
+}
+
+func (v FrontendValue) FlagsAsString() string {
+	flgs := v.Flags()
+	fstr := ""
+
+	for i := 0; i < 32; i++ {
+		flg := uint32(1 << i)
+		if flgs&flg != 0 {
+			fstr += flgTostr[int(flg)]
+		}
+		flgs &= ^flg
+		if flgs == 0 {
+			break
+		}
+		fstr += ", "
 	}
+
+	return fstr
+}
+
 func (v FrontendValue) String() string {
-	return fmt.Sprintf("NATValue{ID:%d,Count:%d,LocalCount:%d,AffinityTimeout:%d}",
-		v.ID(), v.Count(), v.LocalCount(), v.AffinityTimeout())
+	return fmt.Sprintf("NATValue{ID:%d,Count:%d,LocalCount:%d,AffinityTimeout:%d,Flags:{%s}}",
+		v.ID(), v.Count(), v.LocalCount(), v.AffinityTimeout(), v.FlagsAsString())
 }
 
 func (v FrontendValue) AsBytes() []byte {
@@ -237,7 +277,7 @@ var FrontendMapParameters = bpf.MapParameters{
 	MaxEntries: 511000,
 	Name:       "cali_v4_nat_fe",
 	Flags:      unix.BPF_F_NO_PREALLOC,
-	Version:    2,
+	Version:    3,
 }
 
 func FrontendMap(mc *bpf.MapContext) bpf.Map {
 
@@ -20,16 +20,20 @@ import (
 
 	"github.com/pkg/errors"
 	log "github.com/sirupsen/logrus"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/kubernetes"
 
+	"github.com/projectcalico/felix/bpf"
 	"github.com/projectcalico/felix/bpf/cachingmap"
-
 	"github.com/projectcalico/felix/bpf/nat"
-
-	"github.com/projectcalico/felix/bpf"
 	"github.com/projectcalico/felix/bpf/routes"
 )
 
+func init() {
+	// Alpha since 1.21 Beta since 1.22 default true - no harm in supporting it by default.
+	_ = utilfeature.DefaultMutableFeatureGate.Set("ServiceInternalTrafficPolicy=true")
+}
+
 // KubeProxy is a wrapper of Proxy that deals with higher level issue like
 // configuration, restarting etc.
 type KubeProxy struct {
 
@@ -489,13 +489,15 @@ func (s *Syncer) applyDerived(
 	local := svc.localCount
 
 	skey = getSvcKey(sname, getSvcKeyExtra(t, sinfo.ClusterIP().String()))
+	flags := uint32(0)
+
 	switch t {
-	case svcTypeLoadBalancer:
-		// Handle LB services the same as NodePort type.
-		fallthrough
-	case svcTypeNodePort:
+	case svcTypeNodePort, svcTypeLoadBalancer, svcTypeNodePortRemote:
 		if sinfo.NodeLocalExternal() {
-			count = local // use only local eps
+			flags |= nat.NATFlgExternalLocal
+		}
+		if sinfo.NodeLocalInternal() {
+			flags |= nat.NATFlgInternalLocal
 		}
 	}
 
@@ -506,11 +508,11 @@ func (s *Syncer) applyDerived(
 		svc:        sinfo,
 	}
 
-	if err := s.writeSvc(sinfo, svc.id, count, local); err != nil {
+	if err := s.writeSvc(sinfo, svc.id, count, local, flags); err != nil {
 		return err
 	}
 	if svcTypeLoadBalancer == t || svcTypeExternalIP == t {
-		err := s.writeLBSrcRangeSvcNATKeys(sinfo, svc.id, count, local)
+		err := s.writeLBSrcRangeSvcNATKeys(sinfo, svc.id, count, local, flags)
 		if err != nil {
 			log.Debug("Failed to write LB source range NAT keys")
 		}
@@ -587,7 +589,7 @@ func (s *Syncer) apply(state DPSyncerState) error {
 				npInfo := serviceInfoFromK8sServicePort(sinfo)
 				npInfo.clusterIP = npip
 				npInfo.port = nport
-				if npip.Equal(podNPIP) && sinfo.NodeLocalExternal() {
+				if npip.Equal(podNPIP) && sinfo.NodeLocalInternal() {
 					// do not program the meta entry, program each node
 					// separately
 					continue
@@ -598,7 +600,7 @@ func (s *Syncer) apply(state DPSyncerState) error {
 					continue
 				}
 			}
-			if sinfo.NodeLocalExternal() {
+			if sinfo.NodeLocalInternal() {
 				if miss := s.expandAndApplyNodePorts(sname, sinfo, eps, nport, s.rt.Lookup); miss != nil {
 					expNPMisses = append(expNPMisses, miss)
 				}
@@ -718,7 +720,7 @@ func (s *Syncer) updateService(skey svcKey, sinfo k8sp.ServicePort, id uint32, e
 		cnt++
 	}
 
-	if err := s.writeSvc(sinfo, id, cnt, local); err != nil {
+	if err := s.writeSvc(sinfo, id, cnt, local, 0); err != nil {
 		return 0, 0, err
 	}
 
@@ -800,7 +802,7 @@ func getSvcNATKeyLBSrcRange(svc k8sp.ServicePort) ([]nat.FrontendKey, error) {
 	return keys, nil
 }
 
-func (s *Syncer) writeLBSrcRangeSvcNATKeys(svc k8sp.ServicePort, svcID uint32, count, local int) error {
+func (s *Syncer) writeLBSrcRangeSvcNATKeys(svc k8sp.ServicePort, svcID uint32, count, local int, flags uint32) error {
 	var key nat.FrontendKey
 	affinityTimeo := uint32(0)
 	if svc.SessionAffinityType() == v1.ServiceAffinityClientIP {
@@ -814,7 +816,7 @@ func (s *Syncer) writeLBSrcRangeSvcNATKeys(svc k8sp.ServicePort, svcID uint32, c
 	if err != nil {
 		return err
 	}
-	val := nat.NewNATValue(svcID, uint32(count), uint32(local), affinityTimeo)
+	val := nat.NewNATValueWithFlags(svcID, uint32(count), uint32(local), affinityTimeo, flags)
 	for _, key := range keys {
 		if log.GetLevel() >= log.DebugLevel {
 			log.Debugf("bpf map writing %s:%s", key, val)
@@ -830,7 +832,7 @@ func (s *Syncer) writeLBSrcRangeSvcNATKeys(svc k8sp.ServicePort, svcID uint32, c
 	return nil
 }
 
-func (s *Syncer) writeSvc(svc k8sp.ServicePort, svcID uint32, count, local int) error {
+func (s *Syncer) writeSvc(svc k8sp.ServicePort, svcID uint32, count, local int, flags uint32) error {
 	key, err := getSvcNATKey(svc)
 	if err != nil {
 		return err
@@ -841,7 +843,7 @@ func (s *Syncer) writeSvc(svc k8sp.ServicePort, svcID uint32, count, local int)
 		affinityTimeo = uint32(svc.StickyMaxAgeSeconds())
 	}
 
-	val := nat.NewNATValue(svcID, uint32(count), uint32(local), affinityTimeo)
+	val := nat.NewNATValueWithFlags(svcID, uint32(count), uint32(local), affinityTimeo, flags)
 
 	if log.GetLevel() >= log.DebugLevel {
 		log.Debugf("bpf map writing %s:%s", key, val)
@@ -1416,6 +1418,7 @@ func K8sSvcWithNodePort(np int) K8sServicePortOption {
 func K8sSvcWithLocalOnly() K8sServicePortOption {
 	return func(s interface{}) {
 		s.(*serviceInfo).nodeLocalExternal = true
+		s.(*serviceInfo).nodeLocalInternal = true
 	}
 }
 
 
@@ -607,8 +607,9 @@ var _ = Describe("BPF Syncer", func() {
 			k = nat.NewNATKey(net.IPv4(10, 123, 0, 1), 4444, proxy.ProtoV1ToIntPanic(v1.ProtocolTCP))
 			Expect(svcs.m).To(HaveKey(k))
 			local := svcs.m[k]
-			Expect(local.Count()).To(Equal(uint32(1)))
+			Expect(local.Count()).To(Equal(uint32(3)))
 			Expect(local.LocalCount()).To(Equal(uint32(1)))
+			Expect(local.Flags()).To(Equal(uint32(nat.NATFlgInternalLocal | nat.NATFlgExternalLocal)))
 
 			k = nat.NewNATKey(net.IPv4(10, 0, 0, 2), 2222, proxy.ProtoV1ToIntPanic(v1.ProtocolTCP))
 			Expect(svcs.m).To(HaveKey(k))
@@ -738,7 +739,8 @@ var _ = Describe("BPF Syncer", func() {
 				val2, ok := svcs.m[nat.NewNATKey(net.IPv4(192, 168, 0, 1), 4444, proxy.ProtoV1ToIntPanic(v1.ProtocolTCP))]
 				Expect(ok).To(BeTrue())
 				Expect(val2.ID()).To(Equal(val1.ID()))
-				Expect(val2.Count()).To(Equal(uint32(0)))
+				Expect(val2.Count()).To(Equal(uint32(4)))
+				Expect(val2.LocalCount()).To(Equal(uint32(0)))
 
 				val3, ok := svcs.m[nat.NewNATKey(net.IPv4(10, 123, 0, 1), 4444, proxy.ProtoV1ToIntPanic(v1.ProtocolTCP))]
 				Expect(ok).To(BeTrue())
@@ -811,7 +813,9 @@ var _ = Describe("BPF Syncer", func() {
 			val2, ok := svcs.m[nat.NewNATKey(net.IPv4(192, 168, 0, 1), 4444, proxy.ProtoV1ToIntPanic(v1.ProtocolTCP))]
 			Expect(ok).To(BeTrue())
 			Expect(val2.ID()).To(Equal(val1.ID()))
-			Expect(val2.Count()).To(Equal(uint32(2)))
+			Expect(val2.Count()).To(Equal(uint32(4)))
+			Expect(val2.LocalCount()).To(Equal(uint32(2)))
+			Expect(val2.Flags()).To(Equal(uint32(nat.NATFlgInternalLocal | nat.NATFlgExternalLocal)))
 
 			val3, ok := svcs.m[nat.NewNATKey(net.IPv4(10, 123, 0, 1), 4444, proxy.ProtoV1ToIntPanic(v1.ProtocolTCP))]
 			Expect(ok).To(BeTrue())
 
@@ -94,8 +94,12 @@ func dumpNice(printf printfFn, natMap nat.MapMem, back nat.BackendMapMem) {
 		count := nv.Count()
 		local := nv.LocalCount()
 		id := nv.ID()
-		printf("%s port %d proto %d id %d count %d local %d\n",
-			nk.Addr(), nk.Port(), nk.Proto(), id, count, local)
+		flags := nv.FlagsAsString()
+		if flags != "" {
+			flags = " flags " + flags
+		}
+		printf("%s port %d proto %d id %d count %d local %d%s\n",
+			nk.Addr(), nk.Port(), nk.Proto(), id, count, local, flags)
 		for i := uint32(0); i < count; i++ {
 			bk := nat.NewNATBackendKey(id, uint32(i))
 			bv, ok := back[bk]