5f09731
Bump github.com/cilium/ebpf from 0.17.1 to 0.17.3
dependabot[bot] Feb 12, 2025
1e5505b
Merge pull request #1237 from kmesh-net/dependabot/go_modules/github.…
kmesh-bot Feb 24, 2025
b9f2ad7
adapt new kernel enhanced
lec-bit Feb 6, 2025
52efd5d
adapt new kernel, not need bpf_defer_connect and tracepoint
lec-bit Feb 6, 2025
b483787
adapt helper func
lec-bit Feb 12, 2025
5ba7c6e
add kernel module log
lec-bit Feb 12, 2025
9abee7c
optimize
Feb 24, 2025
e77e611
Bump the k8s-io group with 5 updates
dependabot[bot] Feb 24, 2025
b1ced0b
Merge pull request #1250 from kmesh-net/dependabot/go_modules/k8s-io-…
kmesh-bot Feb 25, 2025
f7c0e51
optimize kolog
Feb 25, 2025
d950911
optimize bpf_getsockopt ret judgment
Feb 25, 2025
ededfc7
Merge pull request #1198 from lec-bit/new-kernel
kmesh-bot Feb 25, 2025
4387553
Bump github.com/safchain/ethtool from 0.5.9 to 0.5.10
dependabot[bot] Feb 25, 2025
55a35b9
Merge pull request #1252 from kmesh-net/dependabot/go_modules/github.…
kmesh-bot Feb 26, 2025
74e1ad5
Bump github.com/prometheus/client_golang from 1.20.5 to 1.21.0
dependabot[bot] Feb 26, 2025
8ac8faa
Bump github.com/go-jose/go-jose/v3 in the go_modules group
dependabot[bot] Feb 26, 2025
bfa4e00
optimizie xdp auth
weli-l Feb 27, 2025
42b6991
feat: dump authorizationPolicy
yp969803 Feb 5, 2025
2272cd8
Fix typos
hzxuzhonghu Feb 5, 2025
726da17
chore: added unit test for policy dump
yp969803 Feb 6, 2025
f61f561
Merge pull request #1255 from kmesh-net/dependabot/go_modules/go_modu…
kmesh-bot Feb 27, 2025
469c64e
Merge pull request #1254 from kmesh-net/dependabot/go_modules/github.…
kmesh-bot Feb 27, 2025
a97167d
Merge pull request #1222 from yp969803/issue#214
kmesh-bot Feb 27, 2025
a2fc923
Bump google.golang.org/grpc from 1.69.4 to 1.70.0
dependabot[bot] Feb 27, 2025
2a8ca91
Merge pull request #1258 from kmesh-net/dependabot/go_modules/google.…
kmesh-bot Feb 28, 2025
3706b1e
Bump istio.io/api from 1.24.2 to 1.24.3
dependabot[bot] Feb 28, 2025
938599d
Merge pull request #1259 from kmesh-net/dependabot/go_modules/istio.i…
kmesh-bot Mar 3, 2025
eeeb399
add comment for tailcall to userspace
weli-l Mar 5, 2025
5d61b19
Merge pull request #1256 from weli-l/dev/auth_ip_optimize
kmesh-bot Mar 6, 2025
e8d0131
adapt doc
lec-bit Mar 6, 2025
f839eff
Merge pull request #1268 from lec-bit/new-kernel-doc
kmesh-bot Mar 6, 2025
1378205
new kernel bugfix
Mar 12, 2025
1275356
enable auth offload by default
weli-l Mar 13, 2025
e84e265
Merge pull request #1274 from weli-l/dev/auth_ip_optimize
kmesh-bot Mar 13, 2025
49f3290
adapt bpf2go files
Mar 14, 2025
0475704
adapt bpf2go
Mar 14, 2025
4b98e44
update, optimize funcname
Mar 14, 2025
bebaf18
Merge pull request #1273 from lec-bit/new_kernel
kmesh-bot Mar 17, 2025
693e0ec
adapt 6.6
Feb 20, 2025
033deca
fix ko make
Mar 14, 2025
6a42a8d
test
Mar 18, 2025
5 changes: 3 additions & 2 deletions .github/workflows/main.yml
Expand Up @@ -41,6 +41,7 @@ jobs:
run: |
sudo env "PATH=$PATH" bash ./build.sh

# The kernel version of Ubuntu 22.04 is 6.8, so the access control check is enhanced by default.
- name: Setup Enviroments
run: |
echo "PKG_CONFIG_PATH=$GITHUB_WORKSPACE/mk" >> $GITHUB_ENV
Expand All @@ -54,12 +55,12 @@ jobs:
- name: golangci-lint
uses: golangci/[email protected]
with:
args: "--config=common/config/.golangci.yaml --out-format colored-line-number"
args: "--build-tags=enhanced --config=common/config/.golangci.yaml --out-format colored-line-number"
skip-pkg-cache: true

- name: Go Test
run: |
sudo env LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib:$GITHUB_WORKSPACE/api/v2-c:$GITHUB_WORKSPACE/bpf/deserialization_to_bpf_map PKG_CONFIG_PATH=$GITHUB_WORKSPACE/mk go test -race -v -vet=off -coverprofile=coverage.out ./pkg/...
sudo env LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib:$GITHUB_WORKSPACE/api/v2-c:$GITHUB_WORKSPACE/bpf/deserialization_to_bpf_map PKG_CONFIG_PATH=$GITHUB_WORKSPACE/mk go test -tags=enhanced -race -v -vet=off -coverprofile=coverage.out ./pkg/...

- name: Upload coverage reports to Codecov
uses: codecov/codecov-action@v4
3 changes: 1 addition & 2 deletions Makefile
Expand Up @@ -82,8 +82,7 @@ ifeq ($(TAG),)
$(error "TAG cannot be empty")
endif

TMP_FILES := bpf/kmesh/bpf2go/bpf2go.go \
config/kmesh_marcos_def.h \
TMP_FILES := config/kmesh_marcos_def.h \
mk/api-v2-c.pc \
mk/bpf.pc \
bpf/include/bpf_helper_defs_ext.h \
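--- a/bpf/include/bpf_common.h
+++ b/bpf/include/bpf_common.h
@@ -223,4 +223,86 @@ static inline void *get_ptr_val_from_map(void *map, __u8 map_type, const void *p
 val_tmp; \
 })
 
+static inline void record_kmesh_managed_ip(__u32 family, __u32 ip4, __u32 *ip6)
+{
+int err;
+__u32 value = 0;
+struct manager_key key = {0};
+if (family == AF_INET)
+key.addr.ip4 = ip4;
+if (family == AF_INET6 && ip6)
+IP6_COPY(key.addr.ip6, ip6);
+
+err = bpf_map_update_elem(&map_of_manager, &key, &value, BPF_ANY);
+if (err)
+BPF_LOG(ERR, KMESH, "record ip failed, err is %d\n", err);
+}
+
+static inline void remove_kmesh_managed_ip(__u32 family, __u32 ip4, __u32 *ip6)
+{
+struct manager_key key = {0};
+if (family == AF_INET)
+key.addr.ip4 = ip4;
+if (family == AF_INET6 && ip6)
+IP6_COPY(key.addr.ip6, ip6);
+
+int err = bpf_map_delete_elem(&map_of_manager, &key);
+if (err && err != -ENOENT)
+BPF_LOG(ERR, KMESH, "remove ip failed, err is %d\n", err);
+}
+
+static inline bool conn_from_sim(struct bpf_sock_ops *skops, __u32 ip, __u16 port)
+{
+__u16 remote_port = GET_SKOPS_REMOTE_PORT(skops);
+if (bpf_ntohs(remote_port) != port)
+return false;
+
+if (skops->family == AF_INET)
+return (bpf_ntohl(skops->remote_ip4) == ip);
+
+return (
+skops->remote_ip6[0] == 0 && skops->remote_ip6[1] == 0 && skops->remote_ip6[2] == 0
+&& bpf_ntohl(skops->remote_ip6[3]) == ip);
+}
+
+static inline bool skops_conn_from_cni_sim_add(struct bpf_sock_ops *skops)
+{
+// cni sim connect CONTROL_CMD_IP:929(0x3a1)
+// 0x3a1 is the specific port handled by the cni to enable Kmesh
+return conn_from_sim(skops, CONTROL_CMD_IP, ENABLE_KMESH_PORT);
+}
+
+static inline bool skops_conn_from_cni_sim_delete(struct bpf_sock_ops *skops)
+{
+// cni sim connect CONTROL_CMD_IP:930(0x3a2)
+// 0x3a2 is the specific port handled by the cni to disable Kmesh
+return conn_from_sim(skops, CONTROL_CMD_IP, DISABLE_KMESH_PORT);
+}
+
+static inline void skops_handle_kmesh_managed_process(struct bpf_sock_ops *skops)
+{
+if (skops_conn_from_cni_sim_add(skops))
+record_kmesh_managed_ip(skops->family, skops->local_ip4, skops->local_ip6);
+if (skops_conn_from_cni_sim_delete(skops))
+remove_kmesh_managed_ip(skops->family, skops->local_ip4, skops->local_ip6);
+}
+
+static inline bool is_managed_by_kmesh(struct bpf_sock_ops *skops)
+{
+struct manager_key key = {0};
+if (skops->family == AF_INET)
+key.addr.ip4 = skops->local_ip4;
+if (skops->family == AF_INET6) {
+if (is_ipv4_mapped_addr(skops->local_ip6))
+key.addr.ip4 = skops->local_ip6[3];
+else
+IP6_COPY(key.addr.ip6, skops->local_ip6);
+}
+
+int *value = bpf_map_lookup_elem(&map_of_manager, &key);
+if (!value)
+return false;
+return (*value == 0);
+}
+
 #endif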
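Review bot: `is_managed_by_kmesh` folds an IPv4-mapped IPv6 local address into `key.addr.ip4` via `is_ipv4_mapped_addr`, but `record_kmesh_managed_ip` and `remove_kmesh_managed_ip` key the same address by the full 16-byte `ip6` whenever `family == AF_INET6`, so an entry recorded from a dual-stack socket with a mapped local address would never be found on lookup and never be deleted. Whether that path is reachable is not visible here — the IPv6 branch of `conn_from_sim` only matches a remote of the form `::a.b.c.d`, so it may be that `local_ip6` is never mapped — but deriving the key in three places by hand is what lets the three diverge. A shared helper makes the rule explicit and lets the lookup side and the update side agree by construction; the `__u32 value` written by the update and the `int *value` read by the lookup could also use the same type while at it.
```c
/* Build the map_of_manager key identically for insert, delete and lookup. */
static inline void manager_key_from_addr(struct manager_key *key, __u32 family, __u32 ip4, __u32 *ip6)
{
    if (family == AF_INET) {
        key->addr.ip4 = ip4;
    } else if (family == AF_INET6 && ip6) {
        if (is_ipv4_mapped_addr(ip6))
            key->addr.ip4 = ip6[3];
        else
            IP6_COPY(key->addr.ip6, ip6);
    }
}

static inline void record_kmesh_managed_ip(__u32 family, __u32 ip4, __u32 *ip6)
{
    struct manager_key key = {0};
    manager_key_from_addr(&key, family, ip4, ip6);
    /* … unchanged: bpf_map_update_elem and error log … */
}

/* … remove_kmesh_managed_ip and is_managed_by_kmesh build their key with the same call … */
```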
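--- a/bpf/include/bpf_helper_defs_ext.h
+++ b/bpf/include/bpf_helper_defs_ext.h
@@ -10,9 +10,37 @@
 * By default, these IDs are in the 5.10 kernel with kmesh kernel patches.
 */
 
-static void *(*bpf_strncpy)(char *dst, __u32 dst_size, char *src) = (void *)171;
-static void *(*bpf_strnstr)(void *s1, void *s2, __u32 size) = (void *)172;
-static __u64 (*bpf_strnlen)(char *buff, __u32 size) = (void *)173;
-static __u64 (*bpf__strncmp)(const char *s1, __u32 s1_size, const char *s2) = (void *)174;
-static long (*bpf_parse_header_msg)(struct bpf_mem_ptr *msg) = (void *)175;
-static void *(*bpf_get_msg_header_element)(void *name) = (void *)176;
+/*
+* Description
+* Look for the string corresponding to the key in the results of the
+* previous bpf_parse_header_msg parsing of the message header, and
+* Search for the target substring in the string.
+* Return
+* If found, return 1; otherwise, return 0.
+*/
+static long (*bpf_km_header_strnstr)(
+struct bpf_sock_addr *ctx, const char *key, int key_sz, const char *subptr, int subptr_sz) = (void *)163;
+
+/*
+* Description
+* Look for the string corresponding to the key in the results of the
+* previous bpf_parse_header_msg parsing of the message header, and
+* compare it with the target string. Control whether it is an exact
+* match or a prefix match through the opt.
+* Return
+* If the strings are same, return 0.
+*/
+static long (*bpf_km_header_strncmp)(const char *key, int key_sz, const char *target, int target_sz, int opt) =
+(void *)164;
+
+/*
+* Description
+* Get the memory pointer from ctx's t_ctx and parse the string information
+* stored within. In this use case, t_ctx must be the HTTP protocol message
+* header. After parsing, the message information will be stored in a
+* red-black tree for subsequent lookup.
+* Return
+* A HTTP PROTO TYPE is returned on success.
+* **PROTO_UNKNOW** is returned if failure.
+*/
+static long (*bpf_parse_header_msg)(struct bpf_sock_addr *ctx) = (void *)165;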
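Review bot: The comment on `bpf_km_header_strncmp` says `opt` chooses between an exact and a prefix match but never says which value selects which, so a caller has to read the kernel patch to use it correctly; the description should list the accepted values, e.g. `* opt: <EXACT_MATCH_VALUE> compares the whole string, <PREFIX_MATCH_VALUE> compares only the first target_sz bytes` with the real constants filled in. The same block should state whether `key_sz` and `target_sz` include the terminating NUL, since the wrappers in common.h pass `sizeof` of a string literal, which does. The return line `If the strings are same, return 0.` leaves the non-zero and error cases unspecified, and the new `bpf_km_header_strnstr` takes the `ctx` while `bpf_km_header_strncmp` relies on state left by the previous `bpf_parse_header_msg` call without receiving it; a sentence on that dependency would help readers of both.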
61 changes: 54 additions & 7 deletions bpf/include/common.h
Expand Up @@ -5,6 +5,7 @@
#define _COMMON_H_

#include "../../config/kmesh_marcos_def.h"
#include <linux/in.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdint.h>
Expand All @@ -16,8 +17,60 @@

#include "errno.h"

struct bpf_mem_ptr {
void *ptr;
__u32 size;
};

#if ENHANCED_KERNEL
#if KERNEL_KFUNC
extern int bpf_parse_header_msg_func(void *src, int src__sz) __ksym;
extern int bpf_km_header_strnstr_func(void *ctx, int ctx__sz, const char *key, int key__sz, const char *subptr) __ksym;
extern int bpf_km_header_strncmp_func(const char *key, int key__sz, const char *target, int target__sz, int opt) __ksym;
extern int bpf_setsockopt_func(void *bpf_mem, int bpf_mem__sz, int optname, const char *optval, int optval__sz) __ksym;
extern int bpf_getsockopt_func(void *bpf_mem, int bpf_mem__sz, int optname, char *optval, int optval__sz) __ksym;

#define bpf_km_header_strncmp bpf_km_header_strncmp_func

int bpf_km_header_strnstr(void *ctx, const char *key, int key__sz, const char *subptr, int subptr__sz)
{
struct bpf_mem_ptr msg_tmp = {.ptr = ctx, .size = sizeof(struct bpf_sock_addr)};
return bpf_km_header_strnstr_func(&msg_tmp, sizeof(struct bpf_mem_ptr), key, key__sz, subptr);
}

int bpf_parse_header_msg(struct bpf_sock_addr *ctx)
{
struct bpf_mem_ptr msg_tmp = {.ptr = ctx, .size = sizeof(struct bpf_sock_addr)};
return bpf_parse_header_msg_func(&msg_tmp, sizeof(struct bpf_mem_ptr));
}

// Due to the limitation of bpf verifier, optval and optval__sz are required to correspond.
// The strnlen function cannot be used here, so the string is redefined.
int bpf_km_setsockopt(struct bpf_sock_addr *ctx, int level, int optname, const char *optval, int optval__sz)
{
const char kmesh_module_name[] = "kmesh_defer";
if (level != IPPROTO_TCP || optval__sz != sizeof(kmesh_module_name))
return -1;

struct bpf_mem_ptr msg_tmp = {.ptr = ctx, .size = sizeof(struct bpf_sock_addr)};
return bpf_setsockopt_func(
&msg_tmp, sizeof(struct bpf_mem_ptr), optname, (void *)kmesh_module_name, sizeof(kmesh_module_name));
}

int bpf_km_getsockopt(struct bpf_sock_addr *ctx, int level, int optname, char *optval, int optval__sz)
{
if (level != IPPROTO_TCP) {
return -1;
}
struct bpf_mem_ptr msg_tmp = {.ptr = ctx, .size = sizeof(struct bpf_sock_addr)};
return bpf_getsockopt_func(&msg_tmp, sizeof(struct bpf_mem_ptr), optname, (void *)optval, optval__sz);
}

#else
#include <bpf_helper_defs_ext.h>
#define bpf_km_setsockopt bpf_setsockopt
#define bpf_km_getsockopt bpf_getsockopt
#endif
#endif

#define bpf_unused __attribute__((__unused__))
Expand Down Expand Up @@ -121,14 +174,8 @@ static inline bool is_ipv4_mapped_addr(__u32 ip6[4])
(dst)[3] = (src)[3]; \
} while (0)

#if OE_23_03
#define bpf__strncmp bpf_strncmp
#define GET_SKOPS_REMOTE_PORT(sk_ops) (__u16)((sk_ops)->remote_port)
#else
#define GET_SKOPS_REMOTE_PORT(sk_ops) (__u16)((sk_ops)->remote_port >> 16)
#endif

#define GET_SKOPS_LOCAL_PORT(sk_ops) (__u16)((sk_ops)->local_port)
#define GET_SKOPS_LOCAL_PORT(sk_ops) (__u16)((sk_ops)->local_port)

#define MAX_BUF_LEN 100
#define MAX_IP4_LEN 16
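Review bot: The four `KERNEL_KFUNC` wrappers in the second hunk (`bpf_km_header_strnstr`, `bpf_parse_header_msg`, `bpf_km_setsockopt`, `bpf_km_getsockopt`) are non-static, non-inline definitions in a header, unlike every other helper in this file (`is_ipv4_mapped_addr` in the third hunk's header is `static inline`); in BPF C a non-static function is a global function that the verifier checks in isolation with stricter argument rules, and if two objects built from this header are ever linked together they carry duplicate symbols, so `static inline` is the safer and more consistent choice. `bpf_km_setsockopt` never reads its `optval` argument and always sends the local `kmesh_module_name`, which the comment above explains but the signature hides; a one-line note on the parameter, e.g. `/* optval is ignored: the verifier needs a fixed-size local buffer, so only the kmesh_defer ULP name can be set */`, would stop a caller from assuming another value is honoured. `bpf_km_header_strnstr` also takes `void *ctx` while `bpf_parse_header_msg` takes `struct bpf_sock_addr *ctx` for the same object; using the typed pointer in both keeps the `sizeof(struct bpf_sock_addr)` stored in `msg_tmp` tied to what is actually passed.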
2 changes: 1 addition & 1 deletion bpf/include/inner_map_defs.h
Expand Up @@ -33,4 +33,4 @@ typedef enum { MAP_TYPE_64, MAP_TYPE_192, MAP_TYPE_296, MAP_TYPE_1600, MAP_TYPE_

#define FLIP_BIT(bitmap, n) ((bitmap)[(n) / 8] ^= (1U << ((n) % 8)))

#endif // __INNER_MAP_H__
#endif // __INNER_MAP_H__
22 changes: 12 additions & 10 deletions bpf/kmesh/ads/cgroup_sock.c
Expand Up @@ -12,15 +12,17 @@
#include "cluster.h"
#include "bpf_common.h"

#if ENHANCED_KERNEL
#include "route_config.h"
#endif
#if KMESH_ENABLE_IPV4
#if KMESH_ENABLE_HTTP

static const char kmesh_module_name[] = "kmesh_defer";

static inline int sock4_traffic_control(struct bpf_sock_addr *ctx)
{
int ret;

char kmesh_module_name_get[KMESH_MODULE_NAME_LEN] = "";
Listener__Listener *listener = NULL;

if (ctx->protocol != IPPROTO_TCP)
Expand All @@ -39,18 +41,18 @@ static inline int sock4_traffic_control(struct bpf_sock_addr *ctx)
BPF_LOG(DEBUG, KMESH, "bpf find listener addr=[%s:%u]\n", ip2str(&ip, 1), bpf_ntohs(ctx->user_port));

#if ENHANCED_KERNEL
// todo build when kernel support http parse and route
// defer conn
ret = bpf_setsockopt(ctx, IPPROTO_TCP, TCP_ULP, (void *)kmesh_module_name, sizeof(kmesh_module_name));
if (ret)
BPF_LOG(ERR, KMESH, "bpf set sockopt failed! ret:%d\n", ret);
#else // KMESH_ENABLE_HTTP
ret = bpf_km_getsockopt(ctx, IPPROTO_TCP, TCP_ULP, kmesh_module_name_get, KMESH_MODULE_NAME_LEN);
if (CHECK_MODULE_NAME_NULL(ret) || bpf__strncmp(kmesh_module_name_get, KMESH_MODULE_NAME_LEN, kmesh_module_name)) {
ret = bpf_km_setsockopt(ctx, IPPROTO_TCP, TCP_ULP, kmesh_module_name, sizeof(kmesh_module_name));
if (ret)
BPF_LOG(ERR, KMESH, "bpf set sockopt failed! ret %d\n", ret);
return 0;
}
#endif
ret = listener_manager(ctx, listener, NULL);
if (ret != 0) {
BPF_LOG(ERR, KMESH, "listener_manager failed, ret %d\n", ret);
return ret;
}
#endif // KMESH_ENABLE_HTTP

return 0;
}
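Review bot: The new condition `if (CHECK_MODULE_NAME_NULL(ret) || bpf__strncmp(kmesh_module_name_get, KMESH_MODULE_NAME_LEN, kmesh_module_name))` still calls `bpf__strncmp`, but this PR removes both definitions of that name visible in the diff — the `(void *)174` helper pointer in bpf_helper_defs_ext.h and the `#define bpf__strncmp bpf_strncmp` in the deleted `OE_23_03` block of common.h — so unless it is declared in a header outside this diff, the enhanced build will fail on an undeclared identifier; `bpf_strncmp` is the upstream helper with the same argument shape. The early `return 0;` after a successful `bpf_km_setsockopt` means `listener_manager` is not reached on this pass, which is presumably intentional for a deferred connect that re-enters the hook once the ULP is attached, but nothing in the file says so; a comment such as `// first pass: attach the kmesh_defer ULP and return; the deferred connect re-enters this hook with the ULP already set` at that return would record the contract. `sock4_traffic_control` starts before the second hunk, so the declaration of `kmesh_module_name_get` on the new side is not visible here.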
1 change: 1 addition & 0 deletions bpf/kmesh/ads/include/circuit_breaker.h
Expand Up @@ -4,6 +4,7 @@
#include "bpf_log.h"
#include "kmesh_common.h"
#include "bpf_common.h"
#include "cluster/cluster.pb-c.h"

#ifndef __KMESH_CIRCUIT_BREAKER_H__
#define __KMESH_CIRCUIT_BREAKER_H__
11 changes: 0 additions & 11 deletions bpf/kmesh/ads/include/ctx/sock_ops.h
Expand Up @@ -22,16 +22,6 @@ typedef struct bpf_sock_ops ctx_buff_t;
name.ipv4 = (ctx)->remote_ip4; \
name.port = (ctx)->remote_port

#if OE_23_03
#define SET_CTX_ADDRESS(ctx, address) \
(ctx)->remote_ip4 = (address)->ipv4; \
(ctx)->remote_port = (address)->port

#define MARK_REJECTED(ctx) \
BPF_LOG(DEBUG, KMESH, "mark reject\n"); \
(ctx)->remote_ip4 = 0; \
(ctx)->remote_port = 0
#else
#define SET_CTX_ADDRESS(ctx, address) \
(ctx)->replylong[2] = (address)->ipv4; \
(ctx)->replylong[3] = (address)->port
Expand All @@ -40,6 +30,5 @@ typedef struct bpf_sock_ops ctx_buff_t;
BPF_LOG(DEBUG, KMESH, "mark reject\n"); \
(ctx)->replylong[2] = 0; \
(ctx)->replylong[3] = 0
#endif

#endif //__BPF_CTX_SOCK_OPS_H
4 changes: 2 additions & 2 deletions bpf/kmesh/ads/include/filter.h
Expand Up @@ -128,10 +128,10 @@ int filter_manager(ctx_buff_t *ctx)
kmesh_tail_delete_ctx(&ctx_key);

switch (filter->config_type_case) {
#ifndef CGROUP_SOCK_MANAGE
#if ENHANCED_KERNEL
case LISTENER__FILTER__CONFIG_TYPE_HTTP_CONNECTION_MANAGER:
http_conn = KMESH_GET_PTR_VAL(filter->http_connection_manager, Filter__HttpConnectionManager);
ret = bpf_parse_header_msg(ctx_val->msg);
ret = bpf_parse_header_msg(ctx);
if (GET_RET_PROTO_TYPE(ret) != PROTO_HTTP_1_1) {
BPF_LOG(DEBUG, FILTER, "http filter manager,only support http1.1 this version");
break;
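Review bot: `ret = bpf_parse_header_msg(ctx);` now hands `filter_manager`'s `ctx_buff_t *` to a function that, in both definitions this PR adds (the kfunc wrapper in common.h and the `(void *)165` helper in bpf_helper_defs_ext.h), takes `struct bpf_sock_addr *`, and the kfunc wrapper reports `sizeof(struct bpf_sock_addr)` as the object size to the kernel. `ctx_buff_t` is a typedef whose target depends on which ctx header is included — `ctx/sock_ops.h` in this same PR makes it `struct bpf_sock_ops` — so if filter.h is ever compiled under that header the kernel is told the wrong size for a different object. If this file is only built for the sock_addr context, a comment at the call, `// ctx is a struct bpf_sock_addr here; bpf_parse_header_msg sizes its kfunc argument from that type`, pins the assumption, and a `_Static_assert(sizeof(ctx_buff_t) == sizeof(struct bpf_sock_addr), "...")` next to it would catch a mismatch at build time. `filter_manager` starts before the hunk.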