Add support for src IPv6, src port and src IPv6 sets #173

Merged
merged 14 commits into from
Nov 19, 2024

qdeslandes
Contributor

Those sets are required for benchmarking purposes until a better solution is available (generic sets). This change adds support for sets using src IPv6, src port and src IPv6 as keys.

Fix out-of-bounds access of the IPv6 address prefix if /128 is used.

Similarly to the helpers defined in tests/harness/filters.c, add a new
function to create a test set: bf_test_set_get().

`/usr/bin/env python` should not be used as genpkts.py hasn't been
tested with Python 2; look for Python 3 instead.

Use find_package(Python3) to locate the Python 3 interpreter on the
system, instead of relying on genpkts.py's shebang. This way CMake will
warn early about a missing dependency.

This is a very specific set type expected to be used internally at Meta.
Eventually, generic sets will allow for any set key to be dynamically
generated.

Add BF_MATCHER_SRCIP6PORT to match against a set of (source IPv6, source
port) tuples.

The BPF bytecode will ensure the packet contains an IPv6 and a TCP or
UDP header to filter on.

Tests the new BF_MATCHER_SRCIP6PORT matcher using 200k entries in a set.

Serialize all the elements of a set in a single marsh, instead of
creating a marsh for every single element. The bigger the set the
greater the performance gain.

Tested on a 200k-element set with a performance gain of ~10000x.

Because the type of the set is stored in the serialized data, there is
no need for each element to have its own container.

bf_cgen_dump() has a negative performance impact even if nothing is
printed (as DUMP() uses bf_dbg() which is also gated to the verbose
mode).

Instead, only call bf_cgen_dump() if the verbose mode is enabled.

Use offsetof() instead of bf_btf_get_field_off() for the ingress_ifindex
field of the xdp_md structure; this change saves us from searching for a
specific symbol name in the kernel BTF.

Use BPF_MAP_UPDATE_BATCH to fill the BPF maps used to define the
filtering sets, instead of inserting every element one after the other.

The child process blocks once the pipe buffers (stdout and stderr used in
the subprocess) are full, leading to confusing hangs. Set the buffers'
size to 1MiB preemptively. This should be enough as the process
structures are used for testing.

If this issue resurfaces, more control should be provided to the user to
increase the buffers' size or set the buffers as non-blocking (or flush
the buffers).

The test harness could be used outside of bpfilter to run custom
benchmarks on bpfilter. Make the harness binary a static library.

Add support for sets containing source IPv6 addresses. This implementation is
subpar but is required for benchmarking. Eventually, bpfilter will
support generic sets (user-defined sets with custom keys) and static set
types will be removed.

@qdeslandes qdeslandes merged commit de7215d into facebook:main Nov 19, 2024
11 checks passed
@qdeslandes qdeslandes deleted the ip6port_sets branch November 19, 2024 18:25
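
Added example, not code from this pull request or from bpfilter: the commit note about an out-of-bounds access with a /128 prefix does not show the affected code, so this sketch assumes a common form of that edge case, a byte-wise prefix mask where /128 leaves no partial byte to write. The function names `ip6_prefix_to_mask` and `ip6_in_prefix` are hypothetical.

```c
#include <stdint.h>
#include <string.h>

#define IP6_ADDR_LEN 16

/* Build a network mask for an IPv6 prefix length (0..128).
 * Returns 0 on success, -1 if prefix_len is out of range. */
int ip6_prefix_to_mask(unsigned int prefix_len, uint8_t mask[IP6_ADDR_LEN])
{
    unsigned int full = prefix_len / 8; /* bytes fully covered by the prefix */
    unsigned int rem = prefix_len % 8;  /* leading bits of the next byte */

    if (prefix_len > IP6_ADDR_LEN * 8)
        return -1;

    memset(mask, 0, IP6_ADDR_LEN);
    memset(mask, 0xff, full);

    /* For /128, full == 16 and rem == 0: writing mask[full] unconditionally
     * would touch mask[16], one byte past the end of the array. Only write
     * the partial byte when one exists (rem != 0 implies full <= 15). */
    if (rem)
        mask[full] = (uint8_t)(0xff << (8 - rem));

    return 0;
}

/* Return 1 if addr is inside net/prefix_len, 0 if not, -1 on a bad prefix. */
int ip6_in_prefix(const uint8_t addr[IP6_ADDR_LEN],
                  const uint8_t net[IP6_ADDR_LEN], unsigned int prefix_len)
{
    uint8_t mask[IP6_ADDR_LEN];

    if (ip6_prefix_to_mask(prefix_len, mask) < 0)
        return -1;

    for (int i = 0; i < IP6_ADDR_LEN; ++i) {
        if ((addr[i] & mask[i]) != (net[i] & mask[i]))
            return 0;
    }
    return 1;
}
```
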