Skip to content

xdp-forward: Introduce xdp-fwd-flowtable support #441

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Oct 11, 2024
Merged

xdp-forward: Introduce xdp-fwd-flowtable support #441

merged 5 commits into from
Oct 11, 2024

Conversation

LorenzoBianconi
Copy link
Contributor

Introduce xdp-fwd-flowtable sample in order to perform XDP_REDIRECT between net_devices inserted in a netfilter flowtable.

@LorenzoBianconi LorenzoBianconi force-pushed the xdp-flowtable branch 4 times, most recently from 64eeedc to 1779d1e Compare September 15, 2024 20:36
tohojo
tohojo requested changes Sep 26, 2024
View reviewed changes
Copy link
Member

@tohojo tohojo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few nits, mostly.

But as a bit of a bigger item, the tests don't cover the NAT code at all, so we basically have no way to check if all the fiddly packet header rewriting works. I think we should amend the tests to include each of the different NAT permutations. I know it's a lot of tedious work to test all the permutations, but I think it should be possible to parameterise the test functions so it becomes manageable. WDYT?

@LorenzoBianconi
Copy link
Contributor Author

LorenzoBianconi commented Sep 27, 2024
edited
Loading

A few nits, mostly.

But as a bit of a bigger item, the tests don't cover the NAT code at all, so we basically have no way to check if all the fiddly packet header rewriting works. I think we should amend the tests to include each of the different NAT permutations. I know it's a lot of tedious work to test all the permutations, but I think it should be possible to parameterise the test functions so it becomes manageable. WDYT?

@tohojo what about doing something like:

  • perform dnat and snat at the same time changing IP ad port
  • load a "guard" ebpf program on the second veth that allows just selected ips and ports

In this way we can tests all the possible combinations at the same time, WDYT?

@LorenzoBianconi LorenzoBianconi force-pushed the xdp-flowtable branch 2 times, most recently from bbae4f7 to 6eef168 Compare September 27, 2024 17:38
@tohojo
Copy link
Member

tohojo commented Sep 30, 2024 via email

@LorenzoBianconi LorenzoBianconi force-pushed the xdp-flowtable branch 3 times, most recently from f112a0e to f898bf7 Compare October 2, 2024 13:46
@LorenzoBianconi
Copy link
Contributor Author

lore @.***> writes:

A few nits, mostly. > > But as a bit of a bigger item, the tests don't cover the NAT code at all, so we basically have no way to check if all the fiddly packet header rewriting works. I think we should amend the tests to include each of the different NAT permutations. I know it's a lot of tedious work to test all the permutations, but I think it should be possible to parameterise the test functions so it becomes manageable. WDYT? @tohojo what about doing something like: - perform dnat and snat at the same time changing IP ad port - load a program on the second veth that allows just selected ips and ports In this way we can tests all the possible combinations at the same time, WDYT?
Sure, that sounds reasonable (as long as we run it for both IPv4 and IPv6, of course) :)

I think we can do something even simpler, we can just filter out unexpected packets using some nft rules in the destination namesapce.

@LorenzoBianconi LorenzoBianconi force-pushed the xdp-flowtable branch 3 times, most recently from 9fe3158 to d3e5563 Compare October 2, 2024 16:30
tohojo
tohojo requested changes Oct 7, 2024
View reviewed changes
Copy link
Member

@tohojo tohojo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A couple more nits :)

@LorenzoBianconi LorenzoBianconi force-pushed the xdp-flowtable branch 2 times, most recently from 428e567 to 71f1d98 Compare October 7, 2024 17:56
tohojo
tohojo reviewed Oct 8, 2024
View reviewed changes
@tohojo
Copy link
Member

tohojo commented Oct 11, 2024

Okay, so the code basically LGTM now. However, we don't have a kernel in CI that is new enough to test this, and when I try to run it in a VM on my own machine the test fails:

root@virtme-ng xdp-forward]# make test
    Executing tests in separate net- and mount namespaces
    Running tests from tests/test-xdp-forward.sh
     [test_ping]                   PASS
     [test_load]                   PASS
     [test_fwd_full]               PASS
     [test_fwd_direct]             PASS
     [test_flowtable]              FAIL
          Actual changes:
          tx-checksum-ip-generic: off
          tx-tcp-segmentation: off [not requested]
          tx-tcp-ecn-segmentation: off [not requested]
          tx-tcp-mangleid-segmentation: off [not requested]
          tx-tcp6-segmentation: off [not requested]
          tx-udp-segmentation: off [not requested]
          tx-checksum-sctp: off
          rx-checksum: off
          Actual changes:
          tx-checksum-ip-generic: off
          tx-tcp-segmentation: off [not requested]
          tx-tcp-ecn-segmentation: off [not requested]
          tx-tcp-mangleid-segmentation: off [not requested]
          tx-tcp6-segmentation: off [not requested]
          tx-udp-segmentation: off [not requested]
          tx-checksum-sctp: off
          rx-checksum: off
          Actual changes:
          tx-checksum-ip-generic: off
          tx-tcp-segmentation: off [not requested]
          tx-tcp-ecn-segmentation: off [not requested]
          tx-tcp-mangleid-segmentation: off [not requested]
          tx-tcp6-segmentation: off [not requested]
          tx-udp-segmentation: off [not requested]
          tx-checksum-sctp: off
          rx-checksum: off
          Actual changes:
          tx-checksum-ip-generic: off
          tx-tcp-segmentation: off [not requested]
          tx-tcp-ecn-segmentation: off [not requested]
          tx-tcp-mangleid-segmentation: off [not requested]
          tx-tcp6-segmentation: off [not requested]
          tx-udp-segmentation: off [not requested]
          tx-checksum-sctp: off
          rx-checksum: off
          Command 'nft -f /dev/stdin' exited with status 0
          
          Command 'ip netns exec xdptest-3ac4 nft -f /dev/stdin' exited with status 0
          
          Loaded on interface xdptest-3198
          Loaded on interface xdptest-3ac4
          Command './xdp-forward load -f flowtable xdptest-3198 xdptest-3ac4' exited with status 0
          
          Command 'ip netns exec xdptest-3198 nc -w 1 -4 10.11.2.1 12345' exited with status 1
          Test test_flowtable exited with return code: 1
make: *** [../lib/common.mk:142: test] Error 1

Is it working on your machine?

@LorenzoBianconi
xdp-forward: Introduce xdp-fwd-flowtable bpf sample
03ad047 
Introduce xdp-fwd-flowtable sample in order to perform XDP_REDIRECT
between net_devices inserted in a netfilter flowtable.
xdp-fwd-flowtable relies on bpf_xdp_flow_lookup kfunc in order to
perform the lookup of a given flowtable entry based on a fib tuple of
incoming traffic. At the moment we are able to offload just TCP or UDP
netfilter flowtable entries to the xdp layer. The user is supposed to
configure the flowtable separately.

Signed-off-by: Lorenzo Bianconi <[email protected]>
@LorenzoBianconi
xdp-forward: Add the capability to load xdp_fwd_flowtable sample from…
30e9f7c 
… userspace

Introduce the capability to load xdp-fw-flowtable sample to offload in
xdp the processing of sw netfilter flowtable.

Signed-off-by: Lorenzo Bianconi <[email protected]>
@LorenzoBianconi LorenzoBianconi force-pushed the xdp-flowtable branch 4 times, most recently from 1739847 to bad7e92 Compare October 11, 2024 12:55
@LorenzoBianconi LorenzoBianconi force-pushed the xdp-flowtable branch 3 times, most recently from 0c100a3 to 6f7181c Compare October 11, 2024 14:11
@LorenzoBianconi
Copy link
Contributor Author

LorenzoBianconi commented Oct 11, 2024
edited
Loading

Okay, so the code basically LGTM now. However, we don't have a kernel in CI that is new enough to test this, and when I try to run it in a VM on my own machine the test fails:

root@virtme-ng xdp-forward]# make test
    Executing tests in separate net- and mount namespaces
    Running tests from tests/test-xdp-forward.sh
     [test_ping]                   PASS
     [test_load]                   PASS
     [test_fwd_full]               PASS
     [test_fwd_direct]             PASS
     [test_flowtable]              FAIL
          Actual changes:
          tx-checksum-ip-generic: off
          tx-tcp-segmentation: off [not requested]
          tx-tcp-ecn-segmentation: off [not requested]
          tx-tcp-mangleid-segmentation: off [not requested]
          tx-tcp6-segmentation: off [not requested]
          tx-udp-segmentation: off [not requested]
          tx-checksum-sctp: off
          rx-checksum: off
          Actual changes:
          tx-checksum-ip-generic: off
          tx-tcp-segmentation: off [not requested]
          tx-tcp-ecn-segmentation: off [not requested]
          tx-tcp-mangleid-segmentation: off [not requested]
          tx-tcp6-segmentation: off [not requested]
          tx-udp-segmentation: off [not requested]
          tx-checksum-sctp: off
          rx-checksum: off
          Actual changes:
          tx-checksum-ip-generic: off
          tx-tcp-segmentation: off [not requested]
          tx-tcp-ecn-segmentation: off [not requested]
          tx-tcp-mangleid-segmentation: off [not requested]
          tx-tcp6-segmentation: off [not requested]
          tx-udp-segmentation: off [not requested]
          tx-checksum-sctp: off
          rx-checksum: off
          Actual changes:
          tx-checksum-ip-generic: off
          tx-tcp-segmentation: off [not requested]
          tx-tcp-ecn-segmentation: off [not requested]
          tx-tcp-mangleid-segmentation: off [not requested]
          tx-tcp6-segmentation: off [not requested]
          tx-udp-segmentation: off [not requested]
          tx-checksum-sctp: off
          rx-checksum: off
          Command 'nft -f /dev/stdin' exited with status 0
          
          Command 'ip netns exec xdptest-3ac4 nft -f /dev/stdin' exited with status 0
          
          Loaded on interface xdptest-3198
          Loaded on interface xdptest-3ac4
          Command './xdp-forward load -f flowtable xdptest-3198 xdptest-3ac4' exited with status 0
          
          Command 'ip netns exec xdptest-3198 nc -w 1 -4 10.11.2.1 12345' exited with status 1
          Test test_flowtable exited with return code: 1
make: *** [../lib/common.mk:142: test] Error 1

Is it working on your machine?

@tohojo yes, the issue is due to the different nc version (nc vs ncat) we are using (I am running f40). In your case the server does not start since it does not support --no-shutdown option and the tcp connection just returns a reset. I fixed it using socat instead.
As you suggested, I added the tests for 6.12-rc kernel (in order to not skip flowtable tests) and it works properly. Can you please give it a whirl?

tohojo
tohojo approved these changes Oct 11, 2024
View reviewed changes
Copy link
Member

@tohojo tohojo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alright, tests work for me as well now, nice work! :)

@tohojo tohojo merged commit f324f05 into xdp-project:master Oct 11, 2024
29 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tohojo tohojo tohojo approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@LorenzoBianconi @tohojo