Move the xdpsock sample application from the Linux repo to the
bpf-examples repo. This example demonstrates a number of capabilities
of AF_XDP sockets.
Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
Move the xsk_fwd example application from the Linux repo to
bpf-examples. This sample demonstrates the ability to share a umem
between multiple sockets by implementing a simple packet forwarding
application. It also has a buffer pool manager for allocating and
freeing packet buffers.
Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
bpf_object__find_program_by_title’ is deprecated: libbpf v0.7+:
use bpf_object__find_program_by_name() instead
See: https://github.com/libbpf/libbpf/issues/297
libbpf#297 Deprecate bpf_program__title() in favor of
bpf_program__section_name(). “Title” term is confusing and
unconventional, it’s SEC() in code and “section name” everywhere else.
Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
This makes it possible to use make -j for simultaneous make
processes to run. This does make the pretty output unordered.
Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
Example programs seems to get out-of-sync (bit rot) more
easily when nobody sees the compile issues.
Thus, add more to the top-level Makefile.
Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
‘bpf_program__next’ is deprecated: libbpf v0.7+:
use bpf_object__next_program() instead
Also use bpf_xdp_attach() and bpf_xdp_detach() APIs.
Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
The distro kernel UAPI headers evolve too slow.
Thus, maintain a mirror in headers/linux/ in this proj.
Libbpf been overly-eager to get features into their releases
and depend on kernel commit 6089fb325cf7 ("bpf: Add btf enum64 support"),
which have not been released in an official kernel release yet.
Thus, this headers/linux/btf.h update comes from bpf-next git.
Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
As we have not found a way to get the BTF object ID via the
sysfs filesystem BTF files.
Signed-off-by: Jesper Dangaard Brouer <netoptimizer@brouer.com>
Skip BTF IDs that doesn't originate from the kernel as this
program are looking for kernel module BTF.
Signed-off-by: Jesper Dangaard Brouer <netoptimizer@brouer.com>
The previous commit fixes the issue of reordered packets being able to
bypass the unique TSval check, so remove the corresponding section
from the issues in the TODO.
Signed-off-by: Simon Sundberg <simon.sundberg@kau.se>
The mechanism to ensure that only the first instance of each TSval is
timestamped is a simple equals check. This is check may fail if there
are reordered packets.
Consider a sequence of packets A, B, C and D, where A and B have
TSval=1 and C and D have TSval=2. If all packets arrive in
order (ABCD), then A and C will correctly be the only packets that are
timestamped (as B and D will have the same TSval as the previously
observed one). However, consider if B is reorderd so instead the
packets arrive as ACBD. In this scenario all ePPing will attempt to
timestamp all (instead of only A and C), as each packet now has a
different (but not always higher) TSval than the last seen
packet. Note that it will only sucessfully create the timestamps for
the later duplicated TSvals if the previous timestamp for the same
TSval has already been cleared out, so this is mainly an issue when
RTT < 1ms.
Fix this by only allowing a packet to be timestamped if its TSval is
stricly higher (accounting for wrap-around) than the last seen TSval,
and likewise only update last seen TSval if it is strictly higher than
the previous one.
To allow this calculation, also convert TSval and TSecr from network
byte order to host byte order when parsing the packet. While delaying
the transform from network to host byte order until the comparison
between the packet's TSval and last seen TSval could potentially save
the overhead of bpf_ntohs for some packets that do not need to go
through this check, most TCP packets will end up performing this
check, so performance difference should be minimal. Therefore, opt for
the simplier approach of converting TSval and TSecr directly, which
also makes them easier to interpret if ex. dumping the maps.
Signed-off-by: Simon Sundberg <simon.sundberg@kau.se>
Manually opening the /sys/kernel/btf/ file and trying to get
info via bpf_obj_get_info_by_fd() doesn't give us anything.
Signed-off-by: Jesper Dangaard Brouer <netoptimizer@brouer.com>
This contains a fix to the xdp-tools configure script so it works with the
Dash shell used on Debian and derivatives.
Fixes#50.
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
The trick with printing debug output as a u64 got it in the wrong byte
order; fix that by swapping everything appropriately before printing. Also
add some more information to the drop debug print.
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
There were a couple of issues with the IGMP and multicast handling: the
packet parsing checked the MAC address for whether it was a multicast
address before it looked at the IP header, which meant it never got to the
IGMP packets (because they are also sent as multicast). Also, we need to
redirect IGMP packets to the bond master on egress to make sure
subscriptions work as they're supposed to.
Fix the parsing, add the redirect, and also remove the explicit check for
IGMP packets on ingress, as that will already be matched by the multicast
check.
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
This reverts commit d3aaec4bdd ("pkt-loop-filter: Check ifindex against
state before dropping packets") - we should not accept packets that are
looped back to the same port either.
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
The exception for gratuitous ARPs are only supposed to be for entries that
would otherwise be dropped due to the loop filtering logic. In addition, we
should record egress gratuitous ARPs and make sure they don't trigger the
exception when looping back (this is 'rule 4' of the openvswitch SLB
bonding logic).
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
We were indiscriminately dropping packets when the map lookup succeeded,
let's actually check the ifindex first.
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
We shouldn't be filtering incoming gratuitous ARPs based on the ifindex
learning. So parse ARP packets and allow them through if they have
identical source and destination IPs.
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
When pinning of the bpf_link fails, we keep running to keep the PID alive.
However, staying in the foreground causes problems with scripts that
expects the setup to finish running; so fork into the background instead
and write a PID file so we can kill the running instance on unload.
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
When running in the fallback mode where we keep running in the foreground
to keep the kprobe alive, we should unload the cls_bpf programs after being
interrupted instead of just exiting.
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Support for bpf_link-based attaching of kprobes was added to kernel 5.15
with commit: b89fbfbb854c ("bpf: Implement minimal BPF perf link"). Prior
to this, it is not possible to pin kprobe attachments in bpffs, which
causes the pkt-loop-filter to fail. Add a fallback where we just keep
running in the foreground to keep the probe alive if bpf_link pinning
fails.
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
The type of the net->net_cookie field member was changed in kernel 5.12
with commit 3d368ab87cf6 ("net: initialize net->net_cookie at netns setup").
Older versions of the kernel devices net->net_cookie as an atomic64_t
instead of a u64. This causes CO-RE reading of the field to fail due to the
type mismatch. Handle this by adding CO-RE checks for the old type as well
and using the CO-RE facility to check for the right type at load time.
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
The ktime_get_coarse_ns() helper function was not backported to RHEL8, so
just switch to using ktime_get_boot_ns() instead.
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
The previous commit working around missing SO_NETNS_COOKIE failed to reset
the err variable, which means things still failed.
Reported-by: Hangbin Liu <haliu@redhat.com>
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
The SO_NETNS_COOKIE sockopt is fairly new; make sure we can compile the
program without it being defined, and fall back (with a warning) to just
always returning 1 as the netns cookie if the option doesn't work, which
should keep things working in the init namespace at least.
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Instead of having to pass the component interfaces to the userspace
program, we can just pass the bond ifname, and have the loader detect which
bond component interfaces are in the bond, and automatically load the BPF
program on each one. Reusing the active bond detection code from the
previous commit also allows us to automatically detect the right initial
active interface, and keep this up-to-date by hooking into the bonding code
that changes it when an iface goes down, instead of naively rotating
between active interfaces.
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Add a small utility that uses a kprobe to extract the currently active
slave ifindex from a bond interface. This value is normally only exported
to userspace for bond types where it can be explicitly set, but the bond
driver has an internal notion of an active interface regardless of the bond
type. We can extract this value with a kprobe by attaching to a function in
the bond driver and triggering an operation that causes this function to be
called.
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Filter not only the multicast packets themselves, but also any IGMP (and
ICMPv6 MLD) packets coming in on multiple interfaces.
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Add a debug mode to pkt-loop-filter that outputs debug messages for every
dropped packet (with the reason it was dropped). Also add a small script to
read the kernel trace pipe, after making sure tracing is active (otherwise
there will be no output in the pipe).
The source MAC address+VLAN is squeezed into a single u64 when printing as
a quick workaround to the lack of MAC address printing in BPF printk.
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
