tc

Author: msune

docker/Dockerfile

@@ -12,7 +12,10 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     clang \
     libbpf-dev \
     iproute2 \
+    ethtool \
+    procps \
     python3 \
+    jq \
     && apt-get clean && rm -rf /var/lib/apt/lists/*
 
 #Copy sfunnel stuff

docker/entrypoint.sh

@@ -34,15 +34,15 @@ _IFACES=$(ls /sys/class/net | tr "\n" " " | sed 's/\s*$//g')
 IFACES=${IFACES:-$_IFACES}
 NETNS=${NETNS:-}
 
-UNSEG_DEV_NAME=${UNSEG_DEV_NAME:-_unseg}
+SEG_DEV_NAME=${SEG_DEV_NAME:-_seg}
 
 PROG=/opt/sfunnel/src/tc_sfunnel.o
 
 #Compile eBPF program only if rulesset are defined at load time
 #either via file or ENV
 compile(){
 	cd /opt/sfunnel/src
-	UNSEG_DEV_IFINDEX=${UNSEG_DEV_IFINDEX} DEBUG=${DEBUG} FILE=/etc/sfunnel/ruleset make
+	SEG_DEV_MAC="${SEG_DEV_MAC}" SEG_DEV_IFINDEX=${SEG_DEV_IFINDEX} DEBUG=${DEBUG} FILE=/etc/sfunnel/ruleset make
 }
 
 #$1: PROG
@@ -96,7 +96,7 @@ echo "  \$DEBUG='${DEBUG}'"
 echo "  \$NETNS='${NETNS}'"
 echo "  \$N_ATTEMPTS='${N_ATTEMPTS}'"
 echo "  \$RETRY_DELAY='${RETRY_DELAY}'"
-echo "  \$UNSEG_DEV_NAME='${UNSEG_DEV_NAME}'"
+echo "  \$SEG_DEV_NAME='${SEG_DEV_NAME}'"
 echo "[INFO] Container info:"
 echo "  Kernel: $(uname -a)"
 echo "  Debian: $(cat /etc/debian_version)"
@@ -109,12 +109,23 @@ if [[ "${DEBUG}" == "1" ]]; then
 	set -x
 fi
 
-# Create GSO/TSO/UFO unsegmenting device (work-around
-if [[ "${UNSEG_DEV_NAME}" != ""]]; then
-	ip link add ${UNSEG_DEV_NAME} type dummy
-	ip link set up dev ${UNSEG_DEV_NAME}
-	ethtool -K ${UNSEG_DEV_NAME} gso off tso off ufo off
-	UNSEG_DEV_IFINDEX=$(ip link show ${UNSEG_DEV_NAME} | head -n 1 | awk '{print $1}' | tr -d ':')
+# Create GSO/TSO/UFO unsegmenting device (work-around)
+if [[ "${SEG_DEV_NAME}" != "" ]]; then
+	if [[ "$(ip link | grep ${SEG_DEV_NAME})" == "" ]]; then
+		ip link add ${SEG_DEV_NAME} type veth peer name ${SEG_DEV_NAME}_pair
+	fi
+	ip link set up dev ${SEG_DEV_NAME}
+	ip link set up dev ${SEG_DEV_NAME}_pair
+	ip link set mtu 1480 dev ${SEG_DEV_NAME}
+	ip link set mtu 1480 dev ${SEG_DEV_NAME}_pair
+	ethtool -K ${SEG_DEV_NAME} gso off tso off ufo off
+	ethtool -K ${SEG_DEV_NAME}_pair gso off tso off ufo off
+	SEG_DEV_IFINDEX=$(ip link show ${SEG_DEV_NAME} | head -n 1 | awk '{print $1}' | tr -d ':')
+	SEG_DEV_MAC="$(ip -j link show ${SEG_DEV_NAME}_pair | jq -r '.[0].address' | tr -d ':' | sed 's/\(..\)/0x\1, /g' | sed 's/,\s*$$//')"
+
+	echo 1 > /proc/sys/net/ipv4/conf/${SEG_DEV_NAME}/accept_local
+	echo 1 > /proc/sys/net/ipv4/conf/${SEG_DEV_NAME}_pair/accept_local
+	echo 1 > /proc/sys/net/ipv4/ip_forward
 fi
 
 #Make sure /etc/sfunnel exists, even if no volume is mounted
@@ -166,4 +177,3 @@ for IFACE in ${IFACES}; do
 done
 
 echo "[INFO] Successfully ${OP_STR}ed BPF program(s) on interfaces {${IFACES}} DIRECTION=${DIRECTION}"
-

src/Makefile

@@ -1,6 +1,7 @@
 all: compile
 
-UNSEG_DEV_IFINDEX ?=
+SEG_DEV_IFINDEX ?= 0
+SEG_DEV_MAC ?= 0x00,0x00,0x00,0x00,0x00,0x00
 FILE ?= ruleset.default
 CFLAGS = -O2 -Wall -Werror -g
 ifeq ($(DEBUG), 1)
@@ -9,7 +10,7 @@ endif
 
 compile:
 	python3 ../tools/gen.py $(FILE) > ruleset.h
-	clang $(CFLAGS) -DUNSEG_DEV_IFINDEX=$(UNSEG_DEV_IFINDEX) -target bpf -c sfunnel.c -o tc_sfunnel.o
+	clang $(CFLAGS) -DSEG_DEV_MAC="$(SEG_DEV_MAC)" -DSEG_DEV_IFINDEX=$(SEG_DEV_IFINDEX) -target bpf -c sfunnel.c -o tc_sfunnel.o
 
 clean:
 	rm -rf *.o || true

src/sfunnel.c

@@ -319,19 +319,24 @@ static inline int proc_ip4(struct __sk_buff* skb, __u8* eth, struct iphdr* ip){
 	}
 	PRINTK("[%p] Matched rule#%u", skb, rule->id);
 
-#ifndef UNSEG_DEV_IFINDEX
-	//Check that packet is not GSO/TSO/UFO
-	if(skb->gso_size > 0){
-		if(skb->mark&REDIRECT_PKT_BIT){
-			//The packet has been redirected before, but is looped
-			//back GSOed => drop
-			return TC_ACT_SHOT;
-		}
+#ifdef SEG_DEV_IFINDEX
+	//Redirecting all pkts, incl. non GSOed, to avoid reorderings.
+	if((skb->mark&REDIRECT_PKT_BIT) == 0){
+		__u8 _seg_mac[ETH_ALEN] = {SEG_DEV_MAC};
+		bpf_skb_store_bytes(skb, offsetof(struct ethhdr, h_dest),
+						  _seg_mac, ETH_ALEN, 0);
+
 		skb->mark |= REDIRECT_PKT_BIT;
-        	return bpf_redirect(UNSEG_DEV_IFINDEX, BPF_F_INGRESS);
+		return bpf_redirect(SEG_DEV_IFINDEX, 0);
+	}else if(skb->gso_size > 0){
+		//The packet has been redirected before, but is looped
+		//back GSOed => drop (bug)
+		bpf_printk("Recirculated pkt is still GSOed");
+		return TC_ACT_SHOT;
 	}
+
 	skb->mark &= ~REDIRECT_PKT_BIT;
-#endif //UNSEG_DEV_IFINDEX
+#endif //SEG_DEV_IFINDEX
 
 	//Direct actions
 	if(rule->actions.drop.execute){