bypass network stack for local sockets

Author: nyrahul

docs/localhost-bypass-stack.rst

@@ -6,10 +6,10 @@ What is it?
 A TCP socket will go through all the phases of TCP/IP packet processing even
 when the remote peer is a local TCP socket. The aim of this ebpf code is to
 bypass this network stack processing for TCP client/server communication on
-local sockets.  The sockmap_ primitive added to ebpf allows you to
-parse/redirect the traffic between the sockets.
+local sockets.  The sockmap_ primitive added to ebpf allows to parse/redirect
+the traffic between the sockets.
 
-But why would anyone use TCP sockets locally?
+Why would anyone use TCP sockets locally?
 ---------------------------------------------
 * Apps use TCP sockets for inter-process comm since their processes may be
   local or remote. By using TCP, their code works whether the other process is
@@ -24,7 +24,7 @@ But why would anyone use TCP sockets locally?
   primary/main container. This requires that in some cases (the TLS case
   mentioned) the traffic is proxied through the sidecar.
 
-But why to bypass network stack?
+Why to bypass network stack?
 --------------------------------
 * Mainly for performance reason. In a typical container env, a packet
   may be tossed locally between different sockets before the data finally
@@ -35,15 +35,24 @@ But why to bypass network stack?
 * sockmap_ integrates with kernel's strparser_ and allows one to parse, process
   update the payload before redirecting. Check: ktls-bpf_.
 
-Any side-effects of bypassing?
+Side-effects of bypassing?
 ------------------------------
 * Possibly. If you have tooling which depends on this traffic passing through
   network stack then yes. For e.g., you may have an iptables rule to do xyz.
   This xyz would not work anymore, since the data is directly tossed between
   the sockets.
 
-Solution details
-================
+Solution details: How eBPF helps?
+=================================
+
+Use of sockmap
+--------------
+- Special SOCKMAP map
+- Ways to initialize this sockmap from userspace or kernelspace
+- Redirecting packets
+    - Use of BPF_F_INGRESS flag
+- Parser and verdict eBPF functions
+Draw a picture to specify this
 
 What are the pieces?
 --------------------

run_as_cgroupv2.sh

@@ -13,10 +13,7 @@ chktool timeout
 chktool bpftool
 chktool mountpoint
 
-CGRP_MNT=/tmp/cgroupv2
-FOO=$CGRP_MNT/foo
-PINPT=/sys/fs/bpf/localbypass
-BO=bin/local-socket-bypass-sockops-kern.bo
+CGRP_MNT=/mnt/cgroup-test-work-dir
 BPF_MNT=/sys/fs/bpf
 
 trap 'unload "$BASH_COMMAND"' EXIT
@@ -26,13 +23,17 @@ unload()
     [[ $? -ne 0 ]] && echo "Failed: [$1]"
     echo "unloading..."
     set +e
-    bpftool cgroup detach $FOO sock_ops pinned $PINPT 2>/dev/null
-    umount $CGRP_MNT
-    [[ -d "$CGRP_MNT" ]] && rm -rf $CGRP_MNT
-    umount $BPF_MNT
+
+    if [ -d "$CGRP_MNT" ]; then
+        mountpoint $CGRP_MNT >/dev/null
+        [[ $? -eq 0 ]] && umount $CGRP_MNT
+        [[ -d "$CGRP_MNT" ]] && rm -rf $CGRP_MNT
+    fi
+
+    mountpoint $BPF_MNT >/dev/null
+    [[ $? -eq 0 ]] && umount $BPF_MNT
 }
 
-# Inspired by: https://github.com/torvalds/linux/blob/master/samples/bpf/tcp_bpf.readme
 load()
 {
     mountpoint $BPF_MNT >/dev/null
@@ -41,28 +42,21 @@ load()
     mkdir -p $CGRP_MNT
     mountpoint $CGRP_MNT >/dev/null
     [[ $? -ne 0 ]] && mount -t cgroup2 none $CGRP_MNT
-
-    set -eE -o functrace
-    mkdir -p $FOO 
-    echo $$ >> $FOO/cgroup.procs
-    bpftool prog load $BO $PINPT
-    bpftool cgroup attach $FOO sock_ops pinned $PINPT
-    sleep 1
-    ./bin/local-socket-bypass-user.bin &
-    bypass_pid=$!
 }
 
-load
+#load
+
+./bin/local-socket-bypass-user.bin ./run_localsock.sh
 
 ### Start of Action
 
-python -m SimpleHTTPServer 12345 &
-srv_pid=$!
-sleep 1
-curl http://localhost:12345/
+#python -m SimpleHTTPServer 12345 &
+#srv_pid=$!
+#sleep 1
+#curl http://localhost:12345/
 #curl http://www.baidu.com
-kill $srv_pid $bypass_pid
+#kill $srv_pid $bypass_pid
 
 ### End of Action
 
-timeout --preserve-status 1s bpftool prog tracelog #show whatever logs were captured
+#timeout --preserve-status 1s bpftool prog tracelog #show whatever logs were captured

run_localsock.sh

@@ -1,20 +1,36 @@
 #!/bin/bash
 
-chktool()
+# This is called from src/local-socket-bypass-user.c
+
+trap 'cleanup' EXIT
+
+cleanup()
 {
-    [[ $(which "$1") == "" ]] && echo "need util $1" && exit 2
+    [[ "$srv_pid" != "" ]] && kill $srv_pid
 }
 
-chktool curl
-chktool python
-chktool timeout
-chktool bpftool
-chktool mountpoint
+workload1()
+{
+    python -m SimpleHTTPServer 12345 &
+    srv_pid=$!
+    sleep 1
+    curl http://localhost:12345/
+    #curl http://www.ietf.org/
+}
+
+workload2()
+{
+    echo "TOCLIXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" | nc -l 127.0.0.1 12345 &
+    srv_pid=$!
+    sleep 0.5
+    i=1
+    while [ $i -le 20 ]; do
+        echo "TOSRV$i"
+        sleep 0.2
+        ((i++))
+    done | nc -w 1 127.0.0.1 12345
+}
 
-python -m SimpleHTTPServer 12345 &
-srv_pid=$!
-sleep 1
-curl http://localhost:12345/
-kill $srv_pid
+workload2
 
 timeout --preserve-status 1s bpftool prog tracelog #show whatever logs were captured

src/local-socket-bypass-kern.c

@@ -8,46 +8,62 @@
  */
 
 #include <uapi/linux/bpf.h>
+#include <linux/in.h>
 #include <linux/version.h>
 
 #include "bpf_helpers.h"
 
+#define SRV_IDX  0
+#define CLI_IDX  1
+
 struct bpf_map_def SEC("maps") skmap = {
     .type        = BPF_MAP_TYPE_SOCKMAP,
     .key_size    = sizeof(int),
     .value_size  = sizeof(unsigned int),
     .max_entries = 2,
 };
 
-#if 1
 SEC("sk_skb1")
 int prog1(struct __sk_buff *skb)
 {
-    bpf_printk("parser called\n");
+    bpf_printk("lport=%d parser called %d\n", skb->local_port, skb->len);
 	return skb->len;
 }
 
 SEC("sk_skb2")
 int prog2(struct __sk_buff *skb)
 {
-	uint32_t idx = 0;
-    bpf_printk("verdict called\n");
-	return bpf_sk_redirect_map(skb, &skmap, idx, 0);
+    int verdict;
+    __u32 lport = skb->local_port;
+	uint32_t idx = CLI_IDX;
+
+    if (lport == 12345) {
+        idx = SRV_IDX;
+    }
+	verdict = bpf_sk_redirect_map(skb, &skmap, idx, BPF_F_INGRESS);
+    bpf_printk("lport=%d verdict %d\n", lport, skb->len);
+    return verdict;
 }
-#endif
 
 SEC("sockops")
 int sock_map_update(struct bpf_sock_ops *ops)
 {
-    int op;
-    op = (int) ops->op;
+    __u32 lport = ops->local_port;
+    __u32 rport = ops->remote_port;
+    __u32 lip = ops->local_ip4;
+    int op = (int) ops->op;
+
+    if (lip != 0x100007f) {
+        return 0;
+    }
 
     if (op == BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB || op == BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB) {
-        uint32_t idx = 0;
-        int ret;
-        bpf_printk("Calling UPDATE: loc=0x%x:%d rem=0x%x\n",
-                ops->local_ip4, ops->local_port, ops->remote_ip4);
-        ret = bpf_sock_map_update(ops, &skmap, &idx, BPF_ANY);
+        int idx = CLI_IDX, ret;
+        if (lport == 12345) {
+            idx = SRV_IDX;
+        }
+        bpf_printk("%d UPDATE: lport=%d\n", idx, lport);
+        ret = bpf_sock_map_update(ops, &skmap, &idx, BPF_NOEXIST);
         if (ret) {
             bpf_printk("FAILED bpf_sock_map_update ret=%d\n", ret);
         }

src/local-socket-bypass-user.c

@@ -17,41 +17,6 @@
 #define ERROR(...) { printf(__VA_ARGS__); }
 #define INFO(...)  { printf(__VA_ARGS__); }
 
-#if 0
-void load_prog(void)
-{
-    int err, parse_prog, verdict_prog, sockops_prog;
-    struct bpf_object *obj;
-    struct bpf_map *skmap;
-
-    err = bpf_prog_load("bin/local-socket-bypass-sockops-kern.bo",
-                 BPF_PROG_TYPE_SOCK_OPS, &obj, &sockops_prog);
-    if (err) FATAL("sockops bpf_prog_load failed err:%d\n", err);
-
-    skmap = bpf_object__find_map_by_name(obj, "skmap");
-    if (!skmap) FATAL("cud not find skmap\n");
-
-    g_skmap_fd = bpf_map__fd(skmap);
-    if (g_skmap_fd < 0) FATAL("Could not get the stat map\n");
-
-    /* Load parser, get skmap fd and attach fd to parser */
-    err = bpf_prog_load("bin/local-socket-bypass-parse-kern.bo",
-                 BPF_PROG_TYPE_SK_SKB, &obj, &parse_prog);
-    if (err) FATAL("parse bpf_prog_load failed err:%d\n", err);
-
-    err = bpf_prog_attach(parse_prog, g_skmap_fd, BPF_SK_SKB_STREAM_PARSER, 0);
-    if (err) FATAL("bpf_prog_attach failed err=%d\n", err);
-
-    /* Load verdict, skmap fd we already have and attach fd to verdict */
-    err = bpf_prog_load("bin/local-socket-bypass-verdict-kern.bo",
-                 BPF_PROG_TYPE_SK_SKB, &obj, &verdict_prog);
-    if (err) FATAL("verdict bpf_prog_load failed err:%d\n", err);
-
-    err = bpf_prog_attach(verdict_prog, g_skmap_fd, BPF_SK_SKB_STREAM_VERDICT, 0);
-    if (err) FATAL("bpf_prog_attach failed err=%d\n", err);
-}
-#endif
-
 int prog_attach_type[] = {
     BPF_SK_SKB_STREAM_PARSER,
     BPF_SK_SKB_STREAM_VERDICT,
@@ -79,7 +44,7 @@ void load_prog(void)
     int    ret;
     int    i = 0;
 
-    obj = bpf_object__open("bin/local-socket-bypass-sockops-kern.bo");
+    obj = bpf_object__open("bin/local-socket-bypass-kern.bo");
     err = libbpf_get_error(obj);
     if (err) {
         char err_buf[256];
@@ -105,12 +70,10 @@ void load_prog(void)
     g_skmap_fd = bpf_map__fd(skmap);
     if (g_skmap_fd < 0) FATAL("cud not find map\n");
 
-    ret = bpf_prog_attach(prog_fd[0], g_skmap_fd,
-                    BPF_SK_SKB_STREAM_PARSER, 0);
+    ret = bpf_prog_attach(prog_fd[0], g_skmap_fd, BPF_SK_SKB_STREAM_PARSER, 0);
     if (ret) FATAL("attach sockmap to parser failed\n");
 
-    ret = bpf_prog_attach(prog_fd[1], g_skmap_fd,
-                    BPF_SK_SKB_STREAM_VERDICT, 0);
+    ret = bpf_prog_attach(prog_fd[1], g_skmap_fd, BPF_SK_SKB_STREAM_VERDICT, 0);
     if (ret) FATAL("attach sockmap to verdict failed\n");
 
     ret = bpf_prog_attach(prog_fd[2], cgrp_fd, BPF_CGROUP_SOCK_OPS, 0);
@@ -122,7 +85,8 @@ int main(int argc, char *argv[])
 {
     int ret;
 
-    if (argc < 2) FATAL("Usage: %s <script-to-exec>\n", argv[0]);
+    if (argc < 2)
+        FATAL("Usage: %s <script-to-exec, ./run_localsock.sh>\n", argv[0]);
 
     if (setup_cgroup_environment()) FATAL("setup cgrp failed\n");
     cgrp_fd = create_and_get_cgroup(CGRP_PATH);
@@ -132,6 +96,10 @@ int main(int argc, char *argv[])
     load_prog();
     ret = system(argv[1]);
     INFO("%s ret=%d\n", argv[1], ret);
+    
+    bpf_prog_detach2(prog_fd[2], cgrp_fd, BPF_CGROUP_SOCK_OPS);
+    bpf_prog_detach2(prog_fd[0], g_skmap_fd, BPF_SK_SKB_STREAM_PARSER);
+    bpf_prog_detach2(prog_fd[1], g_skmap_fd, BPF_SK_SKB_STREAM_VERDICT);
 
     cleanup_cgroup_environment();
     close(cgrp_fd);