-
Notifications
You must be signed in to change notification settings - Fork 120
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tools(xdp): add bpf program #1652
Conversation
137e9f2
to
d093a61
Compare
379cc14
to
0a14401
Compare
{ | ||
use aya_log_ebpf as log; | ||
match action { | ||
xdp_action::XDP_DROP => log::trace!(&ctx, "ACTION: DROP"), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm, I guess this log is stored in a map? Or emitted to a file via bpf_trace_printk
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It uses a pair of maps: https://github.com/aya-rs/aya/blob/main/bpf/aya-log-ebpf/src/lib.rs.
But note that this isn't enabled by default and is really only for debugging.
use std::io; | ||
|
||
pub fn run() -> Result<(), anyhow::Error> { | ||
let before = dump()?; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm, where is the before build from? Are we assuming the resultant BPF bytecodes should always be identical to that of the LFS files committed in this PR?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah this check is to ensure the LFS build is in sync with what the code says. I didn't want to diff the actual binary since there can be some nondeterminism so we're just diffing the disassembly output, which should be good enough for this purpose.
|
||
- uses: camshaft/rust-cache@v1 | ||
|
||
- name: Build ebpf |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess we only test that our build is identical and that we can load the program, but we do not yet do an e2e test that the XDP BPF module correctly routes the packets?
Will we do so subsequently by sending in malformed packets and show they are not received, while the valid ones are?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The XDP IO provider will be coming soon. This PR is just focused on the default BPF program that ships with said IO provider.
working-directory: tools/xdp | ||
env: | ||
RUST_LOG: trace | ||
run: cargo xtask ci |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What does xtask
do?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
tools/xdp/README.md
Outdated
## Run the kernel verifier | ||
|
||
```bash | ||
RUST_LOG=trace cargo xtask run -- -i lo --trace |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could you explain some of the command line options (-i lo
) in the comment?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep
tools/xdp/ebpf/rust-toolchain.toml
Outdated
@@ -0,0 +1,6 @@ | |||
[toolchain] | |||
# pin the version to prevent random breakage | |||
channel = "nightly-2023-02-20" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do more recent versions not work, or is this just when you started this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's when I started it. I can update if you want.
let not_found_action = xdp_action::XDP_PASS as _; | ||
SOCKETS.redirect(queue_id, not_found_action) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what is this not_found_action
? why is this considered not found?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's defining what to do if the entry isn't in the map. So if there isn't a socket associated with the queue index, we'll forward on to the OS.
tools/xdp/ebpf/src/main.rs
Outdated
impl Validator for PortValidator { | ||
#[inline(always)] | ||
fn validate_local_port(&self, port: u16) -> bool { | ||
// The destination isn't in the port map so forward it to the OS |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this more saying "If the destination isn't in the port map, forward it to the OS"?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah I think I copy/pasted this comment from when I was actually doing a if
. I'll fix it.
#[panic_handler] | ||
fn panic(_info: &core::panic::PanicInfo) -> ! { | ||
unsafe { core::hint::unreachable_unchecked() } | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why is this needed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's needed when you build a no_std binary. But the code should be panic free so it's not actually used in the end.
bf61ef2
to
10b5107
Compare
Description of changes:
This change adds a default XDP eBPF program to be loaded for the
s2n-quic-xdp
crate (coming soon). Since BPF programs are portable, the compiled program is committed to the repository to improve the ease of development.Testing:
I added a CI task that
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.