
Commit 97a6d97

committed
Tc ungso dev
1 parent 57c2b3a commit 97a6d97


3 files changed

+31
-2
lines changed


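--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -34,13 +34,15 @@ _IFACES=$(ls /sys/class/net | tr "\n" " " | sed 's/\s*$//g')
 IFACES=${IFACES:-$_IFACES}
 NETNS=${NETNS:-}
 
+UNSEG_DEV_NAME=${UNSEG_DEV_NAME:-_unseg}
+
 PROG=/opt/sfunnel/src/tc_sfunnel.o
 
 #Compile eBPF program only if rulesset are defined at load time
 #either via file or ENV
 compile(){
 cd /opt/sfunnel/src
-DEBUG=${DEBUG} FILE=/etc/sfunnel/ruleset make
+UNSEG_DEV_IFINDEX=${UNSEG_DEV_IFINDEX} DEBUG=${DEBUG} FILE=/etc/sfunnel/ruleset make
 }
 
 #$1: PROG
@@ -94,6 +96,7 @@ echo " \$DEBUG='${DEBUG}'"
 echo " \$NETNS='${NETNS}'"
 echo " \$N_ATTEMPTS='${N_ATTEMPTS}'"
 echo " \$RETRY_DELAY='${RETRY_DELAY}'"
+echo " \$UNSEG_DEV_NAME='${UNSEG_DEV_NAME}'"
 echo "[INFO] Container info:"
 echo " Kernel: $(uname -a)"
 echo " Debian: $(cat /etc/debian_version)"
@@ -106,6 +109,14 @@ if [[ "${DEBUG}" == "1" ]]; then
 set -x
 fi
 
+# Create GSO/TSO/UFO unsegmenting device (work-around
+if [[ "${UNSEG_DEV_NAME}" != ""]]; then
+ip link add ${UNSEG_DEV_NAME} type dummy
+ip link set up dev ${UNSEG_DEV_NAME}
+ethtool -K ${UNSEG_DEV_NAME} gso off tso off ufo off
+UNSEG_DEV_IFINDEX=$(ip link show ${UNSEG_DEV_NAME} | head -n 1 | awk '{print $1}' | tr -d ':')
+fi
+
 #Make sure /etc/sfunnel exists, even if no volume is mounted
 mkdir -p /etc/sfunnel
 
@@ -155,3 +166,4 @@ for IFACE in ${IFACES}; do
 done
 
 echo "[INFO] Successfully ${OP_STR}ed BPF program(s) on interfaces {${IFACES}} DIRECTION=${DIRECTION}"
+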
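Review bot: The new guard `if [[ "${UNSEG_DEV_NAME}" != ""]]; then` is missing the space before `]]`, so bash never sees a closing token for the conditional and the entrypoint stops with a syntax error at this point; it should read `if [[ -n "${UNSEG_DEV_NAME}" ]]; then`. The `${UNSEG_DEV_NAME}` expansions in the `ip link` and `ethtool` lines are unquoted although the value comes from the container environment, so quote them to keep a value containing spaces or glob characters from being split into extra arguments. None of the setup commands is checked: if `ip link add` fails (for instance because the device already exists after a restart in the same network namespace; this is inferred, the hunk does not show whether `set -e` is active), `UNSEG_DEV_IFINDEX` ends up empty and is still handed to `make`. Consider `|| exit 1` on each command and reading the index directly from `/sys/class/net/${UNSEG_DEV_NAME}/ifindex` instead of parsing `ip link show` output.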

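--- a/src/Makefile
+++ b/src/Makefile
@@ -1,5 +1,6 @@
 all: compile
 
+UNSEG_DEV_IFINDEX ?=
 FILE ?= ruleset.default
 CFLAGS = -O2 -Wall -Werror -g
 ifeq ($(DEBUG), 1)
@@ -8,7 +9,7 @@ endif
 
 compile:
 python3 ../tools/gen.py $(FILE) > ruleset.h
-clang $(CFLAGS) -target bpf -c sfunnel.c -o tc_sfunnel.o
+clang $(CFLAGS) -DUNSEG_DEV_IFINDEX=$(UNSEG_DEV_IFINDEX) -target bpf -c sfunnel.c -o tc_sfunnel.o
 
 clean:
 rm -rf *.o || true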
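Review bot: `-DUNSEG_DEV_IFINDEX=$(UNSEG_DEV_IFINDEX)` is passed on every build, so with the default `UNSEG_DEV_IFINDEX ?=` the macro is still defined, just with an empty body. A preprocessor test on the macro in sfunnel.c therefore cannot tell "no unsegmenting device" from "device present", and any use of the value would expand to nothing. Add the flag only when a value is set: `ifneq ($(strip $(UNSEG_DEV_IFINDEX)),)` / `CFLAGS += -DUNSEG_DEV_IFINDEX=$(UNSEG_DEV_IFINDEX)` / `endif`. The value also reaches the clang command line from the container environment unvalidated, so it is worth rejecting anything that is not a plain decimal integer before it is used.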

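--- a/src/sfunnel.c
+++ b/src/sfunnel.c
@@ -14,6 +14,8 @@
 #include "common.h"
 #include "lookup.h"
 
+#define REDIRECT_PKT_BIT 0x1
+
 static __always_inline
 int ip4_funnel(struct __sk_buff* skb, __u8* eth, struct iphdr* ip, void* l4,
 const __u8 funn_proto,
@@ -317,6 +319,20 @@ static inline int proc_ip4(struct __sk_buff* skb, __u8* eth, struct iphdr* ip){
 }
 PRINTK("[%p] Matched rule#%u", skb, rule->id);
 
+#ifndef UNSEG_DEV_IFINDEX
+//Check that packet is not GSO/TSO/UFO
+if(skb->gso_size > 0){
+if(skb->mark&REDIRECT_PKT_BIT){
+//The packet has been redirected before, but is looped
+//back GSOed => drop
+return TC_ACT_SHOT;
+}
+skb->mark |= REDIRECT_PKT_BIT;
+return bpf_redirect(UNSEG_DEV_IFINDEX, BPF_F_INGRESS);
+}
+skb->mark &= ~REDIRECT_PKT_BIT;
+#endif //UNSEG_DEV_IFINDEX
+
 //Direct actions
 if(rule->actions.drop.execute){
 return TC_ACT_SHOT;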
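Review bot: The guard `#ifndef UNSEG_DEV_IFINDEX` in proc_ip4 looks inverted: the block it protects calls `bpf_redirect(UNSEG_DEV_IFINDEX, BPF_F_INGRESS)`, which can only compile when the macro is defined, and the Makefile in this commit passes `-DUNSEG_DEV_IFINDEX=...` on every build, so as written the GSO check is never compiled in. It should be `#ifdef UNSEG_DEV_IFINDEX`, with the build adding the define only when an ifindex is actually set. Separately, `REDIRECT_PKT_BIT 0x1` claims bit 0 of `skb->mark`, and `skb->mark &= ~REDIRECT_PKT_BIT;` clears it on every non-GSO packet; if anything else on the host uses that mark bit (firewall or policy routing, not visible here), a GSO packet carrying it would be dropped and other packets would lose it, so document the reservation next to the define, e.g. `/* bit 0 of skb->mark is reserved by sfunnel for GSO loop detection */`. proc_ip4 starts and ends outside the hunk.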
