add basic of xdp lb and xdp firewall

yunwei37 · yunwei37 · commit ba6314aa7337 · 2024-09-04T06:48:03.000Z
diff --git a/src/41-xdp-loadbalancer/.gitignore b/src/41-xdp-loadbalancer/.gitignore
@@ -0,0 +1,5 @@
+.output
+uprobe
+merge-btf
+*.btf
+xdp_lb
diff --git a/src/41-xdp-loadbalancer/Makefile b/src/41-xdp-loadbalancer/Makefile
@@ -0,0 +1,141 @@
+# SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause)
+OUTPUT := .output
+CLANG ?= clang
+LIBBPF_SRC := $(abspath ../third_party/libbpf/src)
+BPFTOOL_SRC := $(abspath ../third_party/bpftool/src)
+LIBBPF_OBJ := $(abspath $(OUTPUT)/libbpf.a)
+BPFTOOL_OUTPUT ?= $(abspath $(OUTPUT)/bpftool)
+BPFTOOL ?= $(BPFTOOL_OUTPUT)/bootstrap/bpftool
+LIBBLAZESYM_SRC := $(abspath ../third_party/blazesym/)
+LIBBLAZESYM_OBJ := $(abspath $(OUTPUT)/libblazesym.a)
+LIBBLAZESYM_HEADER := $(abspath $(OUTPUT)/blazesym.h)
+ARCH ?= $(shell uname -m | sed 's/x86_64/x86/' \
+			 | sed 's/arm.*/arm/' \
+			 | sed 's/aarch64/arm64/' \
+			 | sed 's/ppc64le/powerpc/' \
+			 | sed 's/mips.*/mips/' \
+			 | sed 's/riscv64/riscv/' \
+			 | sed 's/loongarch64/loongarch/')
+VMLINUX := ../third_party/vmlinux/$(ARCH)/vmlinux.h
+# Use our own libbpf API headers and Linux UAPI headers distributed with
+# libbpf to avoid dependency on system-wide headers, which could be missing or
+# outdated
+INCLUDES := -I$(OUTPUT) -I../third_party/libbpf/include/uapi -I$(dir $(VMLINUX))
+CFLAGS := -g -Wall
+ALL_LDFLAGS := $(LDFLAGS) $(EXTRA_LDFLAGS)
+
+APPS = xdp_lb
+
+CARGO ?= $(shell which cargo)
+ifeq ($(strip $(CARGO)),)
+BZS_APPS :=
+else
+BZS_APPS := 
+APPS += $(BZS_APPS)
+# Required by libblazesym
+ALL_LDFLAGS += -lrt -ldl -lpthread -lm
+endif
+
+# Get Clang's default includes on this system. We'll explicitly add these dirs
+# to the includes list when compiling with `-target bpf` because otherwise some
+# architecture-specific dirs will be "missing" on some architectures/distros -
+# headers such as asm/types.h, asm/byteorder.h, asm/socket.h, asm/sockios.h,
+# sys/cdefs.h etc. might be missing.
+#
+# Use '-idirafter': Don't interfere with include mechanics except where the
+# build would have failed anyways.
+CLANG_BPF_SYS_INCLUDES ?= $(shell $(CLANG) -v -E - </dev/null 2>&1 \
+	| sed -n '/<...> search starts here:/,/End of search list./{ s| \(/.*\)|-idirafter \1|p }')
+
+ifeq ($(V),1)
+	Q =
+	msg =
+else
+	Q = @
+	msg = @printf '  %-8s %s%s\n'					\
+		      "$(1)"						\
+		      "$(patsubst $(abspath $(OUTPUT))/%,%,$(2))"	\
+		      "$(if $(3), $(3))";
+	MAKEFLAGS += --no-print-directory
+endif
+
+define allow-override
+  $(if $(or $(findstring environment,$(origin $(1))),\
+            $(findstring command line,$(origin $(1)))),,\
+    $(eval $(1) = $(2)))
+endef
+
+$(call allow-override,CC,$(CROSS_COMPILE)cc)
+$(call allow-override,LD,$(CROSS_COMPILE)ld)
+
+.PHONY: all
+all: $(APPS)
+
+.PHONY: clean
+clean:
+	$(call msg,CLEAN)
+	$(Q)rm -rf $(OUTPUT) $(APPS)
+
+$(OUTPUT) $(OUTPUT)/libbpf $(BPFTOOL_OUTPUT):
+	$(call msg,MKDIR,$@)
+	$(Q)mkdir -p $@
+
+# Build libbpf
+$(LIBBPF_OBJ): $(wildcard $(LIBBPF_SRC)/*.[ch] $(LIBBPF_SRC)/Makefile) | $(OUTPUT)/libbpf
+	$(call msg,LIB,$@)
+	$(Q)$(MAKE) -C $(LIBBPF_SRC) BUILD_STATIC_ONLY=1		      \
+		    OBJDIR=$(dir $@)/libbpf DESTDIR=$(dir $@)		      \
+		    INCLUDEDIR= LIBDIR= UAPIDIR=			      \
+		    install
+
+# Build bpftool
+$(BPFTOOL): | $(BPFTOOL_OUTPUT)
+	$(call msg,BPFTOOL,$@)
+	$(Q)$(MAKE) ARCH= CROSS_COMPILE= OUTPUT=$(BPFTOOL_OUTPUT)/ -C $(BPFTOOL_SRC) bootstrap
+
+
+$(LIBBLAZESYM_SRC)/target/release/libblazesym.a::
+	$(Q)cd $(LIBBLAZESYM_SRC) && $(CARGO) build --features=cheader,dont-generate-test-files --release
+
+$(LIBBLAZESYM_OBJ): $(LIBBLAZESYM_SRC)/target/release/libblazesym.a | $(OUTPUT)
+	$(call msg,LIB, $@)
+	$(Q)cp $(LIBBLAZESYM_SRC)/target/release/libblazesym.a $@
+
+$(LIBBLAZESYM_HEADER): $(LIBBLAZESYM_SRC)/target/release/libblazesym.a | $(OUTPUT)
+	$(call msg,LIB,$@)
+	$(Q)cp $(LIBBLAZESYM_SRC)/target/release/blazesym.h $@
+
+# Build BPF code
+$(OUTPUT)/%.bpf.o: %.bpf.c $(LIBBPF_OBJ) $(wildcard %.h) $(VMLINUX) | $(OUTPUT) $(BPFTOOL)
+	$(call msg,BPF,$@)
+	$(Q)$(CLANG) -g -O2 -target bpf -D__TARGET_ARCH_$(ARCH)		      \
+		     $(INCLUDES) $(CLANG_BPF_SYS_INCLUDES)		      \
+		     -c $(filter %.c,$^) -o $(patsubst %.bpf.o,%.tmp.bpf.o,$@)
+	$(Q)$(BPFTOOL) gen object $@ $(patsubst %.bpf.o,%.tmp.bpf.o,$@)
+
+# Generate BPF skeletons
+$(OUTPUT)/%.skel.h: $(OUTPUT)/%.bpf.o | $(OUTPUT) $(BPFTOOL)
+	$(call msg,GEN-SKEL,$@)
+	$(Q)$(BPFTOOL) gen skeleton $< > $@
+
+# Build user-space code
+$(patsubst %,$(OUTPUT)/%.o,$(APPS)): %.o: %.skel.h
+
+$(OUTPUT)/%.o: %.c $(wildcard %.h) | $(OUTPUT)
+	$(call msg,CC,$@)
+	$(Q)$(CC) $(CFLAGS) $(INCLUDES) -c $(filter %.c,$^) -o $@
+
+$(patsubst %,$(OUTPUT)/%.o,$(BZS_APPS)): $(LIBBLAZESYM_HEADER)
+
+$(BZS_APPS): $(LIBBLAZESYM_OBJ)
+
+# Build application binary
+$(APPS): %: $(OUTPUT)/%.o $(LIBBPF_OBJ) | $(OUTPUT)
+	$(call msg,BINARY,$@)
+	$(Q)$(CC) $(CFLAGS) $^ $(ALL_LDFLAGS) -lelf -lz -o $@
+
+# delete failed targets
+.DELETE_ON_ERROR:
+
+# keep intermediate (.skel.h, .bpf.o, etc) targets
+.SECONDARY:
diff --git a/src/41-xdp-loadbalancer/README.md b/src/41-xdp-loadbalancer/README.md
@@ -0,0 +1 @@
+
diff --git a/src/41-xdp-loadbalancer/xdp_lb.bpf.c b/src/41-xdp-loadbalancer/xdp_lb.bpf.c
@@ -0,0 +1,53 @@
+// xdp_lb.bpf.c
+#include <linux/bpf.h>
+#include <bpf/bpf_helpers.h>
+#include <linux/if_ether.h>
+#include <linux/ip.h>
+#include <linux/in.h>
+
+struct {
+    __uint(type, BPF_MAP_TYPE_ARRAY);
+    __uint(max_entries, 2);  // Two backends
+    __type(key, __u32);
+    __type(value, __u32);    // Backend IPs
+} backends SEC(".maps");
+
+SEC("xdp")
+int xdp_load_balancer(struct xdp_md *ctx) {
+    void *data_end = (void *)(long)ctx->data_end;
+    void *data = (void *)(long)ctx->data;
+
+    struct ethhdr *eth = data;
+    if ((void *)(eth + 1) > data_end)
+        return XDP_PASS;
+
+    if (eth->h_proto != __constant_htons(ETH_P_IP))
+        return XDP_PASS;
+
+    struct iphdr *iph = (struct iphdr *)(eth + 1);
+    if ((void *)(iph + 1) > data_end)
+        return XDP_PASS;
+
+    if (iph->protocol != IPPROTO_TCP && iph->protocol != IPPROTO_UDP)
+        return XDP_PASS;
+
+    __u32 key = 0;
+    static __u32 cnt = 0;
+    __u32 *backend_ip = bpf_map_lookup_elem(&backends, &key);
+
+    if (!backend_ip)
+        return XDP_PASS;
+
+    cnt = (cnt + 1) % 2;  // Round-robin
+    key = cnt;
+    backend_ip = bpf_map_lookup_elem(&backends, &key);
+
+    if (backend_ip) {
+        iph->daddr = *backend_ip;  // Redirect to the backend IP
+        iph->check = 0;  // Needs recomputation in real cases
+    }
+
+    return XDP_TX;  // Transmit modified packet back
+}
+
+char _license[] SEC("license") = "GPL";
diff --git a/src/41-xdp-loadbalancer/xdp_lb.c b/src/41-xdp-loadbalancer/xdp_lb.c
@@ -0,0 +1,83 @@
+// xdp_lb.c
+#include <stdio.h>
+#include <stdlib.h>
+#include <bpf/libbpf.h>
+#include <bpf/bpf.h>
+#include <net/if.h>
+#include <linux/if_link.h>
+#include "xdp_lb.skel.h"  // This header is auto-generated by bpftool
+
+#define IFACE "eth0"  // Replace with your network interface
+
+static int set_up_backends(struct xdp_lb_bpf *skel) {
+    __u32 backend1 = htonl(0xC0A80102);  // 192.168.1.2
+    __u32 backend2 = htonl(0xC0A80103);  // 192.168.1.3
+    __u32 key = 0;
+
+    if (bpf_map_update_elem(bpf_map__fd(skel->maps.backends), &key, &backend1, BPF_ANY) < 0) {
+        fprintf(stderr, "Failed to update backend 1\n");
+        return -1;
+    }
+
+    key = 1;
+    if (bpf_map_update_elem(bpf_map__fd(skel->maps.backends), &key, &backend2, BPF_ANY) < 0) {
+        fprintf(stderr, "Failed to update backend 2\n");
+        return -1;
+    }
+
+    return 0;
+}
+
+int main() {
+    struct xdp_lb_bpf *skel;
+    int err, ifindex;
+
+    // Load and verify the eBPF skeleton
+    skel = xdp_lb_bpf__open();
+    if (!skel) {
+        fprintf(stderr, "Failed to open and load skeleton\n");
+        return 1;
+    }
+
+    // Load eBPF program
+    err = xdp_lb_bpf__load(skel);
+    if (err) {
+        fprintf(stderr, "Failed to load BPF program: %d\n", err);
+        return 1;
+    }
+
+    // Set up the backend IP addresses
+    if (set_up_backends(skel) < 0) {
+        fprintf(stderr, "Failed to set up backend IP addresses\n");
+        return 1;
+    }
+
+    // Get interface index
+    ifindex = if_nametoindex(IFACE);
+    if (ifindex == 0) {
+        perror("if_nametoindex");
+        return 1;
+    }
+
+    // Attach the XDP program
+    err = bpf_xdp_attach(ifindex, bpf_program__fd(skel->progs.xdp_load_balancer), XDP_FLAGS_SKB_MODE, NULL);
+    if (err) {
+        fprintf(stderr, "Failed to attach XDP program: %d\n", err);
+        return 1;
+    }
+
+    printf("XDP Load Balancer is running on interface %s...\n", IFACE);
+    sleep(60);  // Keep running for 60 seconds
+
+    // Detach the XDP program before exiting
+    err = bpf_xdp_detach(ifindex, XDP_FLAGS_SKB_MODE, NULL);
+    if (err) {
+        fprintf(stderr, "Failed to detach XDP program: %d\n", err);
+        return 1;
+    }
+
+    // Clean up
+    xdp_lb_bpf__destroy(skel);
+
+    return 0;
+}
diff --git a/src/42-xdp-firewall/Makefile b/src/42-xdp-firewall/Makefile
diff --git a/src/42-xdp-firewall/README.md b/src/42-xdp-firewall/README.md

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +.output
 +uprobe
 +merge-btf
 +*.btf
 +xdp_lb