n-acd: runtime eBPF support detection

Currently, eBPF support is toggled by a compile-time flag
based on whether we expect the system to support it or not.

Make it so that n-acd always attempts to use eBPF, and gracefully
handles failure if it isn't supported (e.g. due to lacking capabilities).

Author: jvaclav-rh

README.md

@@ -41,13 +41,6 @@ meson test
 ninja install
 ```
 
-The following configuration options are available:
-
- * `ebpf`: This boolean controls whether `ebpf` features are used to improve
-           the package filtering performance. If disabled, classic bpf will be
-           used. This feature requires a rather recent kernel (>=3.19).
-           Default is: true
-
 ### Repository:
 
  - **web**:   <https://github.com/nettools/n-acd>

meson.build

@@ -22,6 +22,4 @@ dep_crbtree = sub_crbtree.get_variable('libcrbtree_dep')
 dep_csiphash = sub_csiphash.get_variable('libcsiphash_dep')
 dep_cstdaux = sub_cstdaux.get_variable('libcstdaux_dep')
 
-use_ebpf = get_option('ebpf')
-
 subdir('src')

src/libnacd.sym

@@ -15,6 +15,7 @@ global:
         n_acd_ref;
         n_acd_unref;
         n_acd_get_fd;
+        n_acd_has_bpf;
         n_acd_dispatch;
         n_acd_pop_event;
         n_acd_probe;

src/meson.build

@@ -15,18 +15,9 @@ libnacd_sources = [
         'n-acd.c',
         'n-acd-probe.c',
         'util/timer.c',
+        'n-acd-bpf.c',
 ]
 
-if use_ebpf
-        libnacd_sources += [
-                'n-acd-bpf.c',
-        ]
-else
-        libnacd_sources += [
-                'n-acd-bpf-fallback.c',
-        ]
-endif
-
 libnacd_private = static_library(
         'nacd-private',
         libnacd_sources,
@@ -77,10 +68,8 @@ endif
 test_api = executable('test-api', ['test-api.c'], link_with: libnacd_shared)
 test('API Symbol Visibility', test_api)
 
-if use_ebpf
-        test_bpf = executable('test-bpf', ['test-bpf.c'], dependencies: libnacd_dep)
-        test('eBPF socket filtering', test_bpf)
-endif
+test_bpf = executable('test-bpf', ['test-bpf.c'], dependencies: libnacd_dep)
+test('eBPF socket filtering', test_bpf)
 
 test_loopback = executable('test-loopback', ['test-loopback.c'], dependencies: libnacd_dep)
 test('Echo Suppression via Loopback', test_loopback)

src/n-acd-bpf-fallback.c

@@ -170,6 +170,10 @@ int n_acd_bpf_map_add(int mapfd, struct in_addr *addrp) {
         uint8_t _dummy = 0;
         int r;
 
+        /* If we don't have a map to update, there is nothing to do. */
+        if (mapfd == -1)
+                return 0;
+
         memset(&attr, 0, sizeof(attr));
         attr = (union bpf_attr){
                 .map_fd = mapfd,
@@ -190,6 +194,10 @@ int n_acd_bpf_map_remove(int mapfd, struct in_addr *addrp) {
         union bpf_attr attr;
         int r;
 
+        /* If we don't have a map to update, there is nothing to do. */
+        if (mapfd == -1)
+                return 0;
+
         memset(&attr, 0, sizeof(attr));
         attr = (union bpf_attr){
                 .map_fd = mapfd,

src/n-acd-bpf.c

@@ -284,9 +284,22 @@ int n_acd_ensure_bpf_map_space(NAcd *acd) {
 
         max_map = 2 * acd->max_bpf_map;
 
+        /* If we didn't succeed in creating a map during n_acd_new(),
+         * let's assume we are unable to create it here, and skip it. */
+        if (!n_acd_has_bpf(acd)) {
+                goto out;
+        }
+
+        /* If we are unable to acquire a BPF map due to lacking permissions,
+         * let's fail silently here and possibly try again on next call. */
         r = n_acd_bpf_map_create(&fd_map, max_map);
-        if (r)
+        if (r) {
+                if (r == -EPERM) {
+                        goto out;
+                }
+
                 return r;
+        }
 
         c_rbtree_for_each_entry(probe, &acd->ip_tree, ip_node) {
                 r = n_acd_bpf_map_add(fd_map, &probe->ip);
@@ -308,6 +321,8 @@ int n_acd_ensure_bpf_map_space(NAcd *acd) {
                 close(acd->fd_bpf_map);
         acd->fd_bpf_map = fd_map;
         fd_map = -1;
+
+out:
         acd->max_bpf_map = max_map;
         return 0;
 }
@@ -360,12 +375,13 @@ _c_public_ int n_acd_new(NAcd **acdp, NAcdConfig *config) {
         acd->max_bpf_map = 8;
 
         r = n_acd_bpf_map_create(&acd->fd_bpf_map, acd->max_bpf_map);
-        if (r)
-                return r;
-
-        r = n_acd_bpf_compile(&fd_bpf_prog, acd->fd_bpf_map, (struct ether_addr*) acd->mac);
-        if (r)
-                return r;
+        if (!r) {
+                r = n_acd_bpf_compile(&fd_bpf_prog, acd->fd_bpf_map, (struct ether_addr*) acd->mac);
+                if (r) {
+                        close(acd->fd_bpf_map);
+                        acd->fd_bpf_map = -1;
+                }
+        }
 
         r = n_acd_socket_new(&acd->fd_socket, fd_bpf_prog, config);
         if (r)
@@ -572,6 +588,20 @@ _c_public_ void n_acd_get_fd(NAcd *acd, int *fdp) {
         *fdp = acd->fd_epoll;
 }
 
+/**
+ * n_acd_has_bpf() - query the usage of eBPF
+ * @acd:                        context object to operate on
+ *
+ * Checks whether the ACD probe is using eBPF or not.
+ *
+ * Return: true if the probe is using eBPF, or
+ *         false if the probe failed to configure eBPF
+ *               (e.g. due to missing capabilities)
+ */
+_c_public_ bool n_acd_has_bpf(NAcd *acd) {
+        return acd->fd_bpf_map != -1;
+}
+
 static int n_acd_handle_timeout(NAcd *acd) {
         NAcdProbe *probe;
         uint64_t now;

src/n-acd.c

@@ -93,6 +93,7 @@ NAcd *n_acd_ref(NAcd *acd);
 NAcd *n_acd_unref(NAcd *acd);
 
 void n_acd_get_fd(NAcd *acd, int *fdp);
+bool n_acd_has_bpf(NAcd *acd);
 int n_acd_dispatch(NAcd *acd);
 int n_acd_pop_event(NAcd *acd, NAcdEvent **eventp);
 

src/n-acd.h

@@ -56,6 +56,7 @@ static void test_api_functions(void) {
                 (void *)n_acd_ref,
                 (void *)n_acd_unref,
                 (void *)n_acd_get_fd,
+                (void *)n_acd_has_bpf,
                 (void *)n_acd_dispatch,
                 (void *)n_acd_pop_event,
                 (void *)n_acd_probe,

src/test-api.c

@@ -19,6 +19,9 @@
 #include "n-acd-private.h"
 #include "test.h"
 
+// https://mesonbuild.com/Unit-tests.html#skipped-tests-and-hard-errors
+#define RETURN_TEST_SKIPPED 77
+
 #define ETHER_ARP_PACKET_INIT(_op, _mac, _sip, _tip) {                  \
                 .ea_hdr = {                                             \
                         .ar_hrd = htobe16(ARPHRD_ETHER),                \
@@ -43,11 +46,15 @@
                 .arp_tpa[3] =  be32toh((_tip)->s_addr) & 0xff,          \
         }
 
-static void test_map(void) {
+static int test_map(void) {
         int r, mapfd = -1;
         struct in_addr addr = { 1 };
 
         r = n_acd_bpf_map_create(&mapfd, 8);
+        if (r == -EPERM) {
+                return RETURN_TEST_SKIPPED;
+        }
+
         c_assert(r >= 0);
         c_assert(mapfd >= 0);
 
@@ -67,6 +74,7 @@ static void test_map(void) {
         c_assert(r == -ENOENT);
 
         close(mapfd);
+        return 0;
 }
 
 static void verify_success(struct ether_arp *packet, int out_fd, int in_fd) {
@@ -92,7 +100,7 @@ static void verify_failure(struct ether_arp *packet, int out_fd, int in_fd) {
         c_assert(errno == EAGAIN);
 }
 
-static void test_filter(void) {
+static int test_filter(void) {
         uint8_t buf[sizeof(struct ether_arp) + 1] = {};
         struct ether_addr mac1 = { { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06 } };
         struct ether_addr mac2 = { { 0x01, 0x02, 0x03, 0x04, 0x05, 0x07 } };
@@ -103,6 +111,10 @@ static void test_filter(void) {
         int r, mapfd = -1, progfd = -1, pair[2];
 
         r = n_acd_bpf_map_create(&mapfd, 1);
+        if (r == -EPERM) {
+                return RETURN_TEST_SKIPPED;
+        }
+
         c_assert(r >= 0);
 
         r = n_acd_bpf_compile(&progfd, mapfd, &mac1);
@@ -214,13 +226,21 @@ static void test_filter(void) {
         close(pair[1]);
         close(progfd);
         close(mapfd);
+
+        return 0;
 }
 
 int main(int argc, char **argv) {
+        int r;
         test_setup();
 
-        test_map();
-        test_filter();
+        if ((r = test_map())) {
+                return r;
+        }
+
+        if ((r = test_filter())) {
+                return r;
+        }
 
         return 0;
 }