From a1a4012800a3b903b6273ac320b6b9c073928ced Mon Sep 17 00:00:00 2001
From: Gray Liang
Date: Wed, 28 Feb 2024 15:11:14 +0800
Subject: [PATCH] bpf: drop packets not redirected from wan/lan

skb->mark will be reset when going across netns (skb_scrub_packet), so this commit sets a special value in cb[0] which can survive bpf_redirect and netns crossing. This solves issues like: level=warning msg="No AddrPort presented: reading map: key [[::ffff:0.0.0.0]:68, 17, 255.255.255.255:67]: lookup: key does not exist"
---
 control/kern/tproxy.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/control/kern/tproxy.c b/control/kern/tproxy.c
index 82ffc6f3f..488bc2764 100644
--- a/control/kern/tproxy.c
+++ b/control/kern/tproxy.c
@@ -902,6 +902,7 @@ redirect_to_control_plane(struct __sk_buff *skb, __u32 link_h_len,
 	__builtin_memcpy(redirect_entry.dmac, ethh->h_dest, sizeof(ethh->h_dest));
 	bpf_map_update_elem(&redirect_track, &redirect_tuple, &redirect_entry, BPF_ANY);
+	skb->cb[0] = TPROXY_MARK;
 	return bpf_redirect(PARAM.dae0_ifindex, 0);
 }
@@ -1382,6 +1383,11 @@ int tproxy_dae0peer_ingress(struct __sk_buff *skb) {
 	__u8 ihl;
 	__u8 l4proto;
 	__u32 link_h_len = 14;
+
+	if (skb->cb[0] != TPROXY_MARK) {
+		return TC_ACT_SHOT;
+	}
+
 	int ret = parse_transport(skb, link_h_len, ðh, &iph, &ipv6h, &icmp6h, &tcph, &udph, &ihl, &l4proto);
 	if (ret) {
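Review bot: The new `skb->cb[0] = TPROXY_MARK;` line is the producer half of a cross-netns contract with tproxy_dae0peer_ingress, yet nothing at the write site says why cb[] is used instead of skb->mark or who consumes it, so the next person to touch this redirect path can break the drop rule without noticing. I would put the reasoning from the commit message into the code, directly above the assignment: `/* skb->mark is cleared by skb_scrub_packet when the skb crosses into the dae netns; tag cb[0] instead — tproxy_dae0peer_ingress drops anything without this tag. */`. Keep the write as the last statement before bpf_redirect(), as it is now, so no later helper in this function can overwrite cb[] after tagging. Only the tail of redirect_to_control_plane is in the hunk; its body starts outside it.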
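Review bot: The new `if (skb->cb[0] != TPROXY_MARK) return TC_ACT_SHOT;` guard relies on cb[] surviving untouched from dae0 egress to dae0peer ingress, but cb[] is kernel scratch space, and as far as I can tell a qdisc attached to dae0 (codel/fq_codel keep per-packet state in qdisc_skb_cb data) or NAPI/GRO mode on the veth pair (napi_gro_cb overlays skb->cb) would overwrite the tag, at which point this check silently black-holes all control-plane traffic rather than rejecting foreign packets — worth confirming against the kernel versions you support and recording next to the check, e.g. `/* cb[0] is only preserved because dae0 carries no cb-using qdisc and the veth runs without GRO/XDP; a mismatch here more likely means a lost tag than a foreign packet. */`. The guard also drops untagged host-originated frames (ARP/NDP, kernel-generated ICMP) arriving on dae0peer, which is fine only if dae0peer never needs neighbour resolution, and that assumption deserves a sentence in the same comment. Because cb[] is not zeroed on this path, a stale value from an earlier layer can only be ruled out if TPROXY_MARK is a distinctive non-zero 32-bit constant rather than a small flag value; its definition is not in the hunk, so please check. The rest of tproxy_dae0peer_ingress continues outside the hunk.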