feat: use bpf_sk_assign at tproxy_wan_ingress #383
Commits on Jan 1, 2024
bpf: Remove most occurrences of "tproxy_response"
As we are going to implement tproxy hijack via bpf_sk_assign, tproxy response won't reach wan iface at all, unless wan iface == lan iface. The only remaining "tproxy_response" is the place returning TC_ACT_PIPE to hand packets over from tproxy_wan_egress to tproxy_lan_egress. This commit also deletes rev-NAT logic for tproxy response. This commit tries to make a minimum change, otherwise file diff is too confusing to reviewers. I'll clean it up in the next patch.
Commit 19a88c6
bpf: Clean up tproxy_response condition branch
This commit merely removes the `if (false)` branch at:

```
if (false) {
    // Comments
} else {
    ...
}
```

The file diff becomes completely messed up, so I split it into a separate patch without any functional change.

Commit 751475d
bpf: Replace NAT by bpf_sk_assign
Note the necessity of separation of `assign_socket_tcp` and `assign_socket_udp`: As `struct bpf_sock *` has different verifier types for tcp and udp, the code below can't pass verifier:

```
static __always_inline int
assign_socket(struct __sk_buff *skb, struct bpf_sock_tuple *tuple,
              __u32 len, __u8 nexthdr)
{
    struct bpf_sock *sk;
    switch (nexthdr) {
    case IPPROTO_TCP:
        sk = bpf_sk_lookup_tcp(skb, tuple, len, BPF_F_CURRENT_NETNS, 0);
    case IPPROTO_UDP:
        sk = bpf_sk_lookup_udp(skb, tuple, len, BPF_F_CURRENT_NETNS, 0);
    }
    if (!sk) {
        return -1;
    }
    int res = bpf_sk_assign(skb, sk, 0);
    bpf_sk_release(sk);
    return res;
}
```

Commit bb7afd6
bpf: Remove tcp_dst_map and references
We no longer need tcp_dst_map for NAT. Relevant Golang logic is also removed. One thing that needs mentioning is the "dst_routing_result" struct. Although tcp_dst_map is gone, the dst_routing_result struct is still in use in userspace at https://github.com/daeuniverse/dae/blob/cab1e4290967340923d7d5ca52b80f781711c18e/control/udp.go#L69C17-L69C17. Therefore, this commit keeps this struct and makes some effort to ensure bpf objects are compiled with it.

Commit 30c1424
Commit 6caa693
bpf: Don't encap UDP on wan_egress
Previously, wan_egress had to encap UDP packets with routing info, but it's no longer necessary as we are in favor of bpf_sk_assign without NAT.

Commit efdb886
sysctl net.ipv4.conf.$wan.accept_local=1
This is a must-have, otherwise packets being bpf_sk_assigned and routed to local on wan will be dropped by kernel during fib_lookup:

```
// https://github.com/torvalds/linux/blob/v6.5/net/ipv4/fib_frontend.c#L381
static int __fib_validate_source()
...
    if (res.type != RTN_UNICAST &&
        (res.type != RTN_LOCAL || !IN_DEV_ACCEPT_LOCAL(idev)))
        goto e_inval;
...
```

Commit 0d13bca
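
A preflight check for the `accept_local` requirement stated in the commit message above, added here as an example (it is not part of the dae code base or of this commit). The function names and the `root` parameter are assumptions for illustration, and the sample tree is constructed; the check also reports when the requirement is met only through `conf/all`, since the kernel's `IN_DEV_ACCEPT_LOCAL` ORs the global and per-interface values.

```shell
#!/bin/sh
# Audit accept_local on WAN interfaces (hypothetical helper names).
# "root" is normally /proc/sys/net/ipv4/conf; it is a parameter so the
# check can also run against a constructed tree.

# Print the effective state for one interface: iface | all | off | missing
accept_local_state() {
    root=$1 iface=$2
    f="$root/$iface/accept_local"
    [ -r "$f" ] || { echo missing; return; }
    if [ "$(cat "$f")" = 1 ]; then
        echo iface   # set per interface, as the commit title requires
    elif [ -r "$root/all/accept_local" ] &&
         [ "$(cat "$root/all/accept_local")" = 1 ]; then
        echo all     # satisfied only via the global knob (wider than needed)
    else
        echo off     # the drop case quoted from __fib_validate_source applies
    fi
}

# Return 0 only if every listed interface accepts local-source packets.
audit_wan() {
    root=$1; shift
    rc=0
    for iface in "$@"; do
        state=$(accept_local_state "$root" "$iface")
        echo "$iface: $state"
        case $state in off|missing) rc=1 ;; esac
    done
    return $rc
}

# Constructed sample tree (not real system state) for a self-contained run.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/all" "$d/eth0" "$d/eth1"
    echo 0 > "$d/all/accept_local"
    echo 1 > "$d/eth0/accept_local"
    echo 0 > "$d/eth1/accept_local"
    echo "$d"
}

tree=$(demo_tree)
audit_wan "$tree" eth0 eth1 ||
    echo "fix with: sysctl net.ipv4.conf.<iface>.accept_local=1"
rm -rf "$tree"
```

On a live host, call `audit_wan /proc/sys/net/ipv4/conf <wan-iface>...` with the interfaces bound as WAN.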
Commit 8f96bbf