update policy image

backport:
04cc3fb
927d6ab

Signed-off-by: l1b0k <[email protected]>

Author: l1b0k

Diff for: Dockerfile

@@ -1,21 +1,21 @@
-ARG TERWAY_POLICY_IMAGE=registry-cn-zhangjiakou.ack.aliyuncs.com/acs/terway:policy-75c98940@sha256:6dbdffee0cdc5c29239d487b4e567046d7dd23f61d67dbbbce1a2e5db9b210dc
+ARG TERWAY_POLICY_IMAGE=registry-cn-zhangjiakou.ack.aliyuncs.com/acs/terway:policy-927d6ab6@sha256:dbcc2cef1164b7ce0de7700cefbdece7ca0281d84e5db91ce96488f1a2c00ed7
 ARG UBUNTU_IMAGE=registry.cn-hangzhou.aliyuncs.com/acs/ubuntu:22.04-update
 ARG CILIUM_LLVM_IMAGE=quay.io/cilium/cilium-llvm:547db7ec9a750b8f888a506709adb41f135b952e@sha256:4d6fa0aede3556c5fb5a9c71bc6b9585475ac9b1064f516d4c45c8fb691c9d9e
 ARG CILIUM_BPFTOOL_IMAGE=quay.io/cilium/cilium-bpftool:78448c1a37ff2b790d5e25c3d8b8ec3e96e6405f@sha256:99a9453a921a8de99899ef82e0822f0c03f65d97005c064e231c06247ad8597d
 ARG CILIUM_IPROUTE2_IMAGE=quay.io/cilium/cilium-iproute2:3570d58349efb2d6b0342369a836998c93afd291@sha256:1abcd7a5d2117190ab2690a163ee9cd135bc9e4cf8a4df662a8f993044c79342
 ARG CILIUM_IPTABLES_IMAGE=quay.io/cilium/iptables-20.04:e6f83206c57e606282056903ffd3aab0183bdaed@sha256:7ce0de449d356a5259021dc13f2b00a8bddfbea57a1c91ff8f146d455cace9e5
 
-FROM --platform=$TARGETPLATFORM ${TERWAY_POLICY_IMAGE} as policy-dist
-FROM --platform=$TARGETPLATFORM ${CILIUM_LLVM_IMAGE} as llvm-dist
-FROM --platform=$TARGETPLATFORM ${CILIUM_BPFTOOL_IMAGE} as bpftool-dist
-FROM --platform=$TARGETPLATFORM ${CILIUM_IPROUTE2_IMAGE} as iproute2-dist
-FROM --platform=$TARGETPLATFORM ${CILIUM_IPTABLES_IMAGE} as iptables-dist
+FROM --platform=$TARGETPLATFORM ${TERWAY_POLICY_IMAGE} AS policy-dist
+FROM --platform=$TARGETPLATFORM ${CILIUM_LLVM_IMAGE} AS llvm-dist
+FROM --platform=$TARGETPLATFORM ${CILIUM_BPFTOOL_IMAGE} AS bpftool-dist
+FROM --platform=$TARGETPLATFORM ${CILIUM_IPROUTE2_IMAGE} AS iproute2-dist
+FROM --platform=$TARGETPLATFORM ${CILIUM_IPTABLES_IMAGE} AS iptables-dist
 
-FROM --platform=$BUILDPLATFORM golang:1.21.3 as builder
+FROM --platform=$BUILDPLATFORM golang:1.23.2 AS builder
 ARG GOPROXY
 ARG TARGETOS
 ARG TARGETARCH
-ENV GOPROXY $GOPROXY
+ENV GOPROXY=$GOPROXY
 WORKDIR /go/src/github.com/AliyunContainerService/terway/
 COPY go.sum go.mod ./
 RUN go mod download

Diff for: policy/cilium/0032-fix-disable-per-package-lb.patch

@@ -0,0 +1,101 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: l1b0k <[email protected]>
+Date: Sat, 12 Oct 2024 09:33:24 +0800
+Subject: fix disable per-package lb
+
+Signed-off-by: l1b0k <[email protected]>
+---
+ bpf/bpf_lxc.c                       | 5 ++---
+ daemon/cmd/daemon_main.go           | 3 +++
+ pkg/datapath/linux/config/config.go | 5 +++++
+ pkg/option/config.go                | 6 ++++++
+ 4 files changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/bpf/bpf_lxc.c b/bpf/bpf_lxc.c
+index 2773e2c276..7e424204e2 100644
+--- a/bpf/bpf_lxc.c
++++ b/bpf/bpf_lxc.c
+@@ -58,9 +58,9 @@
+  * Most services with L7 LB flag can not be redirected to their proxy port
+  * in bpf_sock, so we must check for those via per packet LB as well.
+  */
+-#if !defined(ENABLE_SOCKET_LB_FULL) || \
++#if (!defined(ENABLE_SOCKET_LB_FULL) || \
+     defined(ENABLE_SOCKET_LB_HOST_ONLY) || \
+-    defined(ENABLE_L7_LB)
++    defined(ENABLE_L7_LB) ) && !defined(DISABLE_PER_PACKET_LB)
+ # define ENABLE_PER_PACKET_LB 1
+ #endif
+ 
+@@ -1247,7 +1247,6 @@ static __always_inline int __tail_handle_ipv4(struct __ctx_buff *ctx)
+ 
+ 	if (unlikely(!is_valid_lxc_src_ipv4(ip4)))
+ 		return DROP_INVALID_SIP;
+-
+ #ifdef ENABLE_PER_PACKET_LB
+ 	{
+ 		struct ipv4_ct_tuple tuple = {};
+diff --git a/daemon/cmd/daemon_main.go b/daemon/cmd/daemon_main.go
+index de2ad4900b..8b495d972f 100644
+--- a/daemon/cmd/daemon_main.go
++++ b/daemon/cmd/daemon_main.go
+@@ -1147,6 +1147,9 @@ func initializeFlags() {
+ 	flags.MarkHidden(option.EnableStaleCiliumEndpointCleanup)
+ 	option.BindEnv(option.EnableStaleCiliumEndpointCleanup)
+ 
++	flags.Bool(option.DisablePerPacketLB, false, "Disable svc func.")
++	option.BindEnv(option.DisablePerPacketLB)
++
+ 	viper.BindPFlags(flags)
+ }
+ 
+diff --git a/pkg/datapath/linux/config/config.go b/pkg/datapath/linux/config/config.go
+index 060328adf9..4201e878fb 100644
+--- a/pkg/datapath/linux/config/config.go
++++ b/pkg/datapath/linux/config/config.go
+@@ -98,6 +98,11 @@ func (h *HeaderfileWriter) WriteNodeConfig(w io.Writer, cfg *datapath.LocalNodeC
+ 
+ 	cDefinesMap["KERNEL_HZ"] = fmt.Sprintf("%d", option.Config.KernelHz)
+ 
++	if option.Config.DisablePerPacketLB {
++		log.Infof("Disabling per-packet LB policy")
++		cDefinesMap["DISABLE_PER_PACKET_LB"] = "1"
++	}
++
+ 	if option.Config.EnableIPv6 {
+ 		extraMacrosMap["ROUTER_IP"] = routerIP.String()
+ 		fw.WriteString(defineIPv6("ROUTER_IP", routerIP))
+diff --git a/pkg/option/config.go b/pkg/option/config.go
+index d4d9643f4e..80b5eb2c7c 100644
+--- a/pkg/option/config.go
++++ b/pkg/option/config.go
+@@ -1104,6 +1104,8 @@ const (
+ 	// EnableStaleCiliumEndpointCleanup sets whether Cilium should perform cleanup of
+ 	// stale CiliumEndpoints during init.
+ 	EnableStaleCiliumEndpointCleanup = "enable-stale-cilium-endpoint-cleanup"
++
++	DisablePerPacketLB = "disable-per-package-lb"
+ )
+ 
+ // Default string arguments
+@@ -2262,6 +2264,8 @@ type DaemonConfig struct {
+ 	// This will attempt to remove local CiliumEndpoints that are not managed by Cilium
+ 	// following Endpoint restoration.
+ 	EnableStaleCiliumEndpointCleanup bool
++
++	DisablePerPacketLB bool
+ }
+ 
+ var (
+@@ -3257,6 +3261,8 @@ func (c *DaemonConfig) Populate() {
+ 	c.EnableK8sTerminatingEndpoint = viper.GetBool(EnableK8sTerminatingEndpoint)
+ 	c.EnableStaleCiliumEndpointCleanup = viper.GetBool(EnableStaleCiliumEndpointCleanup)
+ 
++	c.DisablePerPacketLB = viper.GetBool(DisablePerPacketLB)
++
+ 	// Disable Envoy version check if L7 proxy is disabled.
+ 	c.DisableEnvoyVersionCheck = viper.GetBool(DisableEnvoyVersionCheck)
+ 	if !c.EnableL7Proxy {
+-- 
+2.46.0
+

Diff for: policy/cilium/0033-logging.patch

@@ -0,0 +1,51 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: l1b0k <[email protected]>
+Date: Mon, 14 Oct 2024 16:33:42 +0800
+Subject: logging
+
+Signed-off-by: l1b0k <[email protected]>
+---
+ pkg/maps/ctmap/ctmap.go | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/pkg/maps/ctmap/ctmap.go b/pkg/maps/ctmap/ctmap.go
+index 868871811b..052cab28e9 100644
+--- a/pkg/maps/ctmap/ctmap.go
++++ b/pkg/maps/ctmap/ctmap.go
+@@ -496,6 +496,13 @@ func doGC4(m *Map, filter *GCFilter) gcStats {
+ 	globalDeleteLock[m.mapType].Lock()
+ 	stats.dumpError = m.DumpReliablyWithCallback(filterCallback, stats.DumpStats)
+ 	globalDeleteLock[m.mapType].Unlock()
++
++	log.Infof("gc map %s id %d max %d deleted %d alived %d", m.Name(), m.InnerID, m.MaxEntries, stats.deleted, stats.aliveEntries)
++	cur := stats.aliveEntries + stats.deleted
++	if float64(cur)/float64(m.MaxEntries) >= 0.9 {
++		log.Infof("ConntrackFull table %s current %d maxEntries %d", m.Name(), cur, m.MaxEntries)
++	}
++
+ 	return stats
+ }
+ 
+@@ -566,13 +573,13 @@ func GC(m *Map, filter *GCFilter) int {
+ // The consumer of the buffer invokes the function.
+ //
+ // The SNAT is being used for the following cases:
+-// 1. By NodePort BPF on an intermediate node before fwd'ing request from outside
++//  1. By NodePort BPF on an intermediate node before fwd'ing request from outside
+ //     to a destination node.
+-// 2. A packet from local endpoint sent to outside (BPF-masq).
+-// 3. A packet from a host local application (i.e. running in the host netns)
+-//    This is needed to prevent SNAT from hijacking such connections.
+-// 4. By DSR on a backend node to SNAT responses with service IP+port before
+-//    sending to a client.
++//  2. A packet from local endpoint sent to outside (BPF-masq).
++//  3. A packet from a host local application (i.e. running in the host netns)
++//     This is needed to prevent SNAT from hijacking such connections.
++//  4. By DSR on a backend node to SNAT responses with service IP+port before
++//     sending to a client.
+ //
+ // In the case of 1-3, we always create a CT_EGRESS CT entry. This allows the
+ // CT GC to remove corresponding SNAT entries. In the case of 4, will create
+-- 
+2.47.0
+