Merge pull request #141 from r-caamano/v0.5.10_release_candidate

Fixed potential issue in high performance compute env where multiple …
r-caamano · Feb 21, 2024 · b9f3180 · b9f3180
2 parents edefc9e + 621317e
commit b9f3180
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 21 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,13 @@
 All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ---
+# [0.5.10] - 2024-02-09
+
+###
+
+- Fixed a possible issue where in high performance compute environments there could be more than one packet being processed by the TC filters there could be a 
+  mismatched rule where if a new packet matches a rule it could cause other packets in flight to be processed by the same rule.
+
 # [0.5.9] - 2024-02-09
 
 ###

diff --git a/src/zfw.c b/src/zfw.c
@@ -152,7 +152,7 @@ char *tc_interface;
 char *log_file_name;
 char *object_file;
 char *direction_string;
-const char *argp_program_version = "0.5.9";
+const char *argp_program_version = "0.5.10";
 struct ring_buffer *ring_buffer;
 
 __u8 if_list[MAX_IF_LIST_ENTRIES];

diff --git a/src/zfw_tc_ingress.c b/src/zfw_tc_ingress.c
@@ -164,7 +164,14 @@ struct match_tracker {
     struct tproxy_key matched_keys[MATCHED_KEY_DEPTH];
 };
 
-
+/*Value to matched_map*/
+struct match_key {
+    __u32 saddr;
+    __u32 daddr;
+    __u16 sport;
+    __u16 dport;
+    __u32 ifindex;
+};
 
 /*value to ifindex_ip_map*/
 struct ifindex_ip4 {
@@ -232,11 +239,12 @@ struct {
 then used to search for port mappings.  This was required when source filtering was 
 added to accommodate the additional instructions per ebpf program.  The search now spans
 5 ebpf programs  */
+
 struct {
-    __uint(type, BPF_MAP_TYPE_ARRAY);
-    __uint(key_size, sizeof(unsigned int));
+    __uint(type, BPF_MAP_TYPE_LRU_HASH);
+    __uint(key_size, sizeof(struct match_key));
     __uint(value_size, sizeof(struct match_tracker));
-    __uint(max_entries, MATCHED_INT_DEPTH);
+    __uint(max_entries, 65535);
     __uint(pinning, LIBBPF_PIN_BY_NAME);
 } matched_map SEC(".maps");
 
@@ -424,19 +432,19 @@ future use*/
 }*/
 
 /*function to update the matched_map locally from ebpf*/
-static inline void insert_matched_key(struct match_tracker matched_keys, unsigned int key){
+static inline void insert_matched_key(struct match_tracker matched_keys, struct match_key key){
      bpf_map_update_elem(&matched_map, &key, &matched_keys,0);
 }
 
 /*Function to get stored matched tracker*/
-static inline struct match_tracker *get_matched_keys(unsigned int key){
+static inline struct match_tracker *get_matched_keys(struct match_key key){
     struct match_tracker *mt;
     mt = bpf_map_lookup_elem(&matched_map, &key);
 	return mt;
 }
 
 /*Function to get stored matched key count*/
-static inline __u16 get_matched_count(unsigned key){
+static inline __u16 get_matched_count(struct match_key key){
     struct match_tracker *mt;
     __u16 mc = 0;
     mt = bpf_map_lookup_elem(&matched_map,&key);
@@ -447,9 +455,8 @@ static inline __u16 get_matched_count(unsigned key){
 }
 
 /*Function to clear matched tracker*/
-static inline void clear_match_tracker(__u32 key){
-    struct match_tracker mt = {0};
-    bpf_map_update_elem(&matched_map, &key, &mt,0);
+static inline void clear_match_tracker(struct match_key key){
+    bpf_map_delete_elem(&matched_map, &key);
 }
 
 static inline void send_event(struct bpf_event *new_event){
@@ -993,8 +1000,8 @@ int bpf_sk_splice(struct __sk_buff *skb){
             }
         }
     }
-    //init the match_count_map
-    clear_match_tracker(skb->ifindex);
+    struct match_key mkey = {tuple->ipv4.saddr, tuple->ipv4.daddr, tuple->ipv4.sport, tuple->ipv4.dport, skb->ifindex};
+    clear_match_tracker(mkey);
     return TC_ACT_PIPE;
 
     assign:
@@ -1043,9 +1050,16 @@ int bpf_sk_splice1(struct __sk_buff *skb){
     __u16 smaxlen = 32; /* max number ip ipv4 prefixes */
     /*Main loop to lookup tproxy prefix matches in the zt_tproxy_map*/
     struct match_tracker key_tracker = {0,{}};
-    insert_matched_key(key_tracker, skb->ifindex);
-    struct match_tracker *tracked_key_data = get_matched_keys(skb->ifindex);
-     if(!tracked_key_data){
+    struct match_key mkey = {tuple->ipv4.saddr, tuple->ipv4.daddr, tuple->ipv4.sport, tuple->ipv4.dport, skb->ifindex};
+    insert_matched_key(key_tracker, mkey);
+    struct match_tracker *tracked_key_data = get_matched_keys(mkey);
+    /*if(tracked_key_data){
+        bpf_printk("count=%d",tracked_key_data->count );
+    }
+    else{
+        bpf_printk("FALSE");
+    }*/
+    if(!tracked_key_data){
        return TC_ACT_SHOT;
     }
     for (__u16 dcount = 0;dcount <= maxlen; dcount++){
@@ -1114,7 +1128,8 @@ int bpf_sk_splice2(struct __sk_buff *skb){
     __u16 maxlen = 8; /* max number ip ipv4 prefixes */
     __u16 smaxlen = 32; /* max number ip ipv4 prefixes */
     /*Main loop to lookup tproxy prefix matches in the zt_tproxy_map*/
-    struct match_tracker *tracked_key_data = get_matched_keys(skb->ifindex);
+    struct match_key mkey = {tuple->ipv4.saddr, tuple->ipv4.daddr, tuple->ipv4.sport, tuple->ipv4.dport, skb->ifindex};
+    struct match_tracker *tracked_key_data = get_matched_keys(mkey);
     if(!tracked_key_data){
        return TC_ACT_SHOT;
     }
@@ -1185,7 +1200,8 @@ int bpf_sk_splice3(struct __sk_buff *skb){
     __u16 maxlen = 8; /* max number ip ipv4 prefixes */
     __u16 smaxlen = 32; /* max number ip ipv4 prefixes */
     /*Main loop to lookup tproxy prefix matches in the zt_tproxy_map*/
-    struct match_tracker *tracked_key_data = get_matched_keys(skb->ifindex);
+    struct match_key mkey = {tuple->ipv4.saddr, tuple->ipv4.daddr, tuple->ipv4.sport, tuple->ipv4.dport, skb->ifindex};
+    struct match_tracker *tracked_key_data = get_matched_keys(mkey);
     if(!tracked_key_data){
        return TC_ACT_SHOT;
     }
@@ -1255,7 +1271,8 @@ int bpf_sk_splice4(struct __sk_buff *skb){
     __u16 maxlen = 8; /* max number ip ipv4 prefixes */
     __u16 smaxlen = 32; /* max number ip ipv4 prefixes */
     /*Main loop to lookup tproxy prefix matches in the zt_tproxy_map*/
-    struct match_tracker *tracked_key_data = get_matched_keys(skb->ifindex);
+    struct match_key mkey = {tuple->ipv4.saddr, tuple->ipv4.daddr, tuple->ipv4.sport, tuple->ipv4.dport, skb->ifindex};
+    struct match_tracker *tracked_key_data = get_matched_keys(mkey);
     if(!tracked_key_data){
        return TC_ACT_SHOT;
     }
@@ -1358,18 +1375,20 @@ int bpf_sk_splice5(struct __sk_buff *skb){
     }   
     struct tproxy_tuple *tproxy;
     struct match_tracker *key_tracker;
-    __u16 match_count = get_matched_count(skb->ifindex);
+    struct match_key mkey = {tuple->ipv4.saddr, tuple->ipv4.daddr, tuple->ipv4.sport, tuple->ipv4.dport, skb->ifindex};
+    __u16 match_count = get_matched_count(mkey);
     if (match_count > MATCHED_KEY_DEPTH){
        match_count = MATCHED_KEY_DEPTH;
     }
     for(__u16 count =0; count < match_count; count++)
     {
-        key_tracker = get_matched_keys(skb->ifindex);
+        key_tracker = get_matched_keys(mkey);
         if(key_tracker){
            key = key_tracker->matched_keys[count];
         }else{
             break;
         }
+
         if((tproxy = get_tproxy(key)) && tuple)
         {
             __u16 max_entries = tproxy->index_len;