feat: function optimization and enrichment

Makefile.cli.mk

@@ -51,7 +51,7 @@ go-generate: export BPF_CFLAGS := $(BPF_CFLAGS)
 go-generate: export BPF_INC_DIR := $(INC_DIR)
 go-generate: export BPF_SRC_DIR := $(SRC_DIR)
 go-generate:
-	@go generate .gen/fsm.go
+	@go generate .gen/xnet.go
 
 .PHONY: go-test-coverage
 go-test-coverage:

cmd/xnat/main.go

@@ -30,6 +30,7 @@ func newRootCmd(args []string) *cobra.Command {
 		cli.NewOptCmd(),
 		cli.NewNetnsCmd(),
 		cli.NewConvCmd(),
+		cli.NewIFaceCmd(),
 	)
 
 	_ = cmd.PersistentFlags().Parse(args)

kern/include/bpf_config.h

@@ -12,4 +12,6 @@
 
 #define FSM_TRACE_MAP_ENTRIES (16)
 
+#define FSM_IFACE_MAP_ENTRIES (128)
+
 #endif

kern/include/bpf_helpers.h

@@ -147,7 +147,7 @@ INTERNAL(int)
 xpkt_tail_call(skb_t *skb, xpkt_t *pkt, __u32 prog_id)
 {
     int idx = 0;
-    bpf_map_update_elem(&fsm_cxpkt, &idx, pkt, BPF_ANY);
+    bpf_map_update_elem(&fsm_xpkt, &idx, pkt, BPF_ANY);
     bpf_tail_call(skb, &fsm_prog, prog_id);
     return TC_ACT_OK;
 }

kern/include/bpf_xflow.h

@@ -169,8 +169,8 @@ xpkt_flow_proc_frag(xpkt_t *pkt, void *fsm_xflow, flow_t *cflow, flow_t *rflow,
     flow_op_t *ucop, *urop;
     int cidx = 0, ridx = 1;
 
-    ucop = bpf_map_lookup_elem(&fsm_cflop, &cidx);
-    urop = bpf_map_lookup_elem(&fsm_cflop, &ridx);
+    ucop = bpf_map_lookup_elem(&fsm_xflop, &cidx);
+    urop = bpf_map_lookup_elem(&fsm_xflop, &ridx);
     if (ucop == NULL || urop == NULL || pkt->v6) {
         return 0;
     }
@@ -205,7 +205,7 @@ xpkt_flow_init_reverse_op(xpkt_t *pkt, cfg_t *cfg, void *fsm_xflow,
     rflow.proto = flow->proto;
     rflow.v6 = flow->v6;
 
-    rop = bpf_map_lookup_elem(&fsm_cflop, &ridx);
+    rop = bpf_map_lookup_elem(&fsm_xflop, &ridx);
     if (rop == NULL) {
         return 0;
     }
@@ -251,7 +251,7 @@ xpkt_flow_init_ops(skb_t *skb, xpkt_t *pkt, cfg_t *cfg, void *fsm_xflow,
     }
 
     flow = &pkt->flow;
-    op = bpf_map_lookup_elem(&fsm_cflop, &idx);
+    op = bpf_map_lookup_elem(&fsm_xflop, &idx);
     if (op == NULL) {
         return 0;
     }
@@ -293,7 +293,11 @@ xpkt_flow_init_ops(skb_t *skb, xpkt_t *pkt, cfg_t *cfg, void *fsm_xflow,
                 if (cfg->ipv4_trace_nat_on) {
                     FSM_DBG("[DBG] DROP BY NO NAT\n");
                 }
-                xpkt_tail_call(skb, pkt, FSM_CNI_DROP_PROG_ID);
+                if (cfg->ipv4_tcp_proto_allow_nat_escape) {
+                    xpkt_tail_call(skb, pkt, FSM_CNI_PASS_PROG_ID);
+                } else {
+                    xpkt_tail_call(skb, pkt, FSM_CNI_DROP_PROG_ID);
+                }
                 return 0;
             }
         }
@@ -318,7 +322,11 @@ xpkt_flow_init_ops(skb_t *skb, xpkt_t *pkt, cfg_t *cfg, void *fsm_xflow,
                 if (cfg->ipv4_trace_nat_on) {
                     FSM_DBG("[DBG] DROP BY NO NAT\n");
                 }
-                xpkt_tail_call(skb, pkt, FSM_CNI_DROP_PROG_ID);
+                if (cfg->ipv4_udp_proto_allow_nat_escape) {
+                    xpkt_tail_call(skb, pkt, FSM_CNI_PASS_PROG_ID);
+                } else {
+                    xpkt_tail_call(skb, pkt, FSM_CNI_DROP_PROG_ID);
+                }
                 return 0;
             }
         }

kern/include/bpf_xmaps.h

@@ -21,7 +21,7 @@ struct {
 #endif
 
 #ifdef LEGACY_BPF_MAPS
-struct bpf_map_def SEC("maps") fsm_cxpkt = {
+struct bpf_map_def SEC("maps") fsm_xpkt = {
     .type = BPF_MAP_TYPE_PERCPU_ARRAY,
     .key_size = sizeof(__u32),
     .value_size = sizeof(xpkt_t),
@@ -33,7 +33,7 @@ struct {
     __type(key, __u32);
     __type(value, xpkt_t);
     __uint(max_entries, 1);
-} fsm_cxpkt SEC(".maps");
+} fsm_xpkt SEC(".maps");
 #endif
 
 #ifdef LEGACY_BPF_MAPS
@@ -69,7 +69,7 @@ struct {
 #endif
 
 #ifdef LEGACY_BPF_MAPS
-struct bpf_map_def SEC("maps") fsm_cflop = {
+struct bpf_map_def SEC("maps") fsm_xflop = {
     .type = BPF_MAP_TYPE_PERCPU_ARRAY,
     .key_size = sizeof(__u32),
     .value_size = sizeof(flow_op_t),
@@ -81,7 +81,7 @@ struct {
     __type(key, __u32);
     __type(value, flow_op_t);
     __uint(max_entries, 2);
-} fsm_cflop SEC(".maps");
+} fsm_xflop SEC(".maps");
 #endif
 
 #ifdef LEGACY_BPF_MAPS
@@ -205,4 +205,22 @@ struct {
 } fsm_trpt SEC(".maps");
 #endif
 
+#ifdef LEGACY_BPF_MAPS
+struct bpf_map_def SEC("maps") fsm_xifs = {
+    .type = BPF_MAP_TYPE_HASH,
+    .key_size = sizeof(if_name_t),
+    .value_size = sizeof(if_info_t),
+    .max_entries = FSM_IFACE_MAP_ENTRIES,
+    .map_flags = BPF_F_NO_PREALLOC,
+};
+#else /* BTF definitions */
+struct {
+    __uint(type, BPF_MAP_TYPE_HASH);
+    __type(key, if_name_t);
+    __type(value, if_info_t);
+    __uint(max_entries, FSM_IFACE_MAP_ENTRIES);
+    __uint(map_flags, BPF_F_NO_PREALLOC);
+} fsm_xifs SEC(".maps");
+#endif
+
 #endif

kern/include/bpf_xtypes.h

@@ -12,8 +12,10 @@ typedef struct xpkt_mesh_cfg_t {
             __u64 ipv6_proto_deny_all : 1;
             __u64 ipv4_tcp_proto_deny_all : 1;
             __u64 ipv4_tcp_proto_allow_all : 1;
+            __u64 ipv4_tcp_proto_allow_nat_escape : 1;
             __u64 ipv4_udp_proto_deny_all : 1;
             __u64 ipv4_udp_proto_allow_all : 1;
+            __u64 ipv4_udp_proto_allow_nat_escape : 1;
             __u64 ipv4_oth_proto_deny_all : 1;
             __u64 ipv4_tcp_nat_by_ip_port_on : 1;
             __u64 ipv4_tcp_nat_by_ip_on : 1;
@@ -265,4 +267,14 @@ typedef struct xpkt_trace_op_t {
     __u8 tc_dir[TC_DIR_MAX];
 } __attribute__((packed)) tr_op_t;
 
+typedef struct xpkt_if_name_t {
+    __u8 len;
+    __u8 name[IFNAMSIZ];
+} __attribute__((packed)) if_name_t;
+
+typedef struct xpkt_if_info_t {
+    __u32 ifi;
+    __u32 addr[IP_ALEN];
+    __u8 mac[ETH_ALEN];
+} __attribute__((packed)) if_info_t;
 #endif

kern/src/xnet.kern.c

@@ -247,7 +247,7 @@ SEC("classifier/sidecar/ingress")
 int sidecar_ingress(skb_t *skb)
 {
     int z = 0;
-    xpkt_t *pkt = bpf_map_lookup_elem(&fsm_cxpkt, &z);
+    xpkt_t *pkt = bpf_map_lookup_elem(&fsm_xpkt, &z);
     if (!pkt) {
         return TC_ACT_SHOT;
     }
@@ -263,7 +263,7 @@ SEC("classifier/sidecar/egress")
 int sidecar_egress(skb_t *skb)
 {
     int z = 0;
-    xpkt_t *pkt = bpf_map_lookup_elem(&fsm_cxpkt, &z);
+    xpkt_t *pkt = bpf_map_lookup_elem(&fsm_xpkt, &z);
     if (!pkt) {
         return TC_ACT_SHOT;
     }

pkg/xnet/bpf/cli/config_set.go

@@ -13,8 +13,10 @@ type configSetCmd struct {
 	ipv6ProtoDenyAll             int8
 	ipv4TCPProtoDenyAll          int8
 	ipv4TCPProtoAllowAll         int8
+	ipv4TCPProtoAllowNatEscape   int8
 	ipv4UDPProtoDenyAll          int8
 	ipv4UDPProtoAllowAll         int8
+	ipv4UDPProtoAllowNatEscape   int8
 	ipv4OTHProtoDenyAll          int8
 	ipv4TCPNatByIpPortOn         int8
 	ipv4TCPNatByIpOn             int8
@@ -62,8 +64,10 @@ func newConfigSet() *cobra.Command {
 	f.Int8Var(&configSet.ipv6ProtoDenyAll, "ipv6_proto_deny_all", -1, "--ipv6_proto_deny_all=0/1")
 	f.Int8Var(&configSet.ipv4TCPProtoDenyAll, "ipv4_tcp_proto_deny_all", -1, "--ipv4_tcp_proto_deny_all=0/1")
 	f.Int8Var(&configSet.ipv4TCPProtoAllowAll, "ipv4_tcp_proto_allow_all", -1, "--ipv4_tcp_proto_allow_all=0/1")
+	f.Int8Var(&configSet.ipv4TCPProtoAllowNatEscape, "ipv4_tcp_proto_allow_nat_escape", -1, "--ipv4_tcp_proto_allow_nat_escape=0/1")
 	f.Int8Var(&configSet.ipv4UDPProtoDenyAll, "ipv4_udp_proto_deny_all", -1, "--ipv4_udp_proto_deny_all=0/1")
 	f.Int8Var(&configSet.ipv4UDPProtoAllowAll, "ipv4_udp_proto_allow_all", -1, "--ipv4_udp_proto_allow_all=0/1")
+	f.Int8Var(&configSet.ipv4UDPProtoAllowNatEscape, "ipv4_udp_proto_allow_nat_escape", -1, "--ipv4_udp_proto_allow_nat_escape=0/1")
 	f.Int8Var(&configSet.ipv4OTHProtoDenyAll, "ipv4_oth_proto_deny_all", -1, "--ipv4_oth_proto_deny_all=0/1")
 	f.Int8Var(&configSet.ipv4TCPNatByIpPortOn, "ipv4_tcp_nat_by_ip_port_on", -1, "--ipv4_tcp_nat_by_ip_port_on=0/1")
 	f.Int8Var(&configSet.ipv4TCPNatByIpOn, "ipv4_tcp_nat_by_ip_on", -1, "--ipv4_tcp_nat_by_ip_on=0/1")
@@ -245,6 +249,12 @@ func (a *configSetCmd) setProto(cfgVal *maps.CfgVal) {
 		cfgVal.Clear(maps.CfgFlagOffsetIPv4TCPProtoAllowAll)
 	}
 
+	if a.ipv4TCPProtoAllowNatEscape == 1 {
+		cfgVal.Set(maps.CfgFlagOffsetIPv4TCPProtoAllowNatEscape)
+	} else if a.ipv4TCPProtoAllowNatEscape == 0 {
+		cfgVal.Clear(maps.CfgFlagOffsetIPv4TCPProtoAllowNatEscape)
+	}
+
 	if a.ipv4UDPProtoDenyAll == 1 {
 		cfgVal.Set(maps.CfgFlagOffsetIPv4UDPProtoDenyAll)
 	} else if a.ipv4UDPProtoDenyAll == 0 {
@@ -257,6 +267,12 @@ func (a *configSetCmd) setProto(cfgVal *maps.CfgVal) {
 		cfgVal.Clear(maps.CfgFlagOffsetIPv4UDPProtoAllowAll)
 	}
 
+	if a.ipv4UDPProtoAllowNatEscape == 1 {
+		cfgVal.Set(maps.CfgFlagOffsetIPv4UDPProtoAllowNatEscape)
+	} else if a.ipv4UDPProtoAllowNatEscape == 0 {
+		cfgVal.Clear(maps.CfgFlagOffsetIPv4UDPProtoAllowNatEscape)
+	}
+
 	if a.ipv4OTHProtoDenyAll == 1 {
 		cfgVal.Set(maps.CfgFlagOffsetIPv4OTHProtoDenyAll)
 	} else if a.ipv4OTHProtoDenyAll == 0 {

pkg/xnet/bpf/cli/iface.go

@@ -0,0 +1,20 @@
+package cli
+
+import (
+	"github.com/spf13/cobra"
+)
+
+const ifaceDescription = ``
+
+func NewIFaceCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:     "iface",
+		Short:   "iface",
+		Long:    ifaceDescription,
+		Aliases: []string{"if"},
+		Args:    cobra.NoArgs,
+	}
+	cmd.AddCommand(newIFaceList())
+
+	return cmd
+}

pkg/xnet/bpf/cli/iface_list.go

@@ -0,0 +1,36 @@
+package cli
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/flomesh-io/xnet/pkg/xnet/bpf/maps"
+)
+
+const ifaceListDescription = ``
+const ifaceListExample = ``
+
+type ifaceListCmd struct {
+}
+
+func newIFaceList() *cobra.Command {
+	ifaceList := &ifaceListCmd{}
+
+	cmd := &cobra.Command{
+		Use:     "list",
+		Short:   "list ifaces",
+		Long:    ifaceListDescription,
+		Aliases: []string{"l", "ls"},
+		Args:    cobra.MinimumNArgs(0),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return ifaceList.run()
+		},
+		Example: ifaceListExample,
+	}
+
+	return cmd
+}
+
+func (a *ifaceListCmd) run() error {
+	maps.ShowIFaceEntries()
+	return nil
+}

pkg/xnet/bpf/maps/bpfel.go

@@ -76,6 +76,17 @@ type FsmFlowT struct {
 	V6    uint8
 }
 
+type FsmIfInfoT struct {
+	Ifi  uint32
+	Addr [4]uint32
+	Mac  [6]uint8
+}
+
+type FsmIfNameT struct {
+	Len  uint8
+	Name [16]uint8
+}
+
 type FsmNatKeyT struct {
 	Daddr [4]uint32
 	Dport uint16