kaffa/XDP-Firewall
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add support for offload/hardware mode.

Browse Source
This commit is contained in:
gamemann
2020-12-18 01:51:35 +00:00
parent 499a3e665a
commit f30f992468
2 changed files with 51 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
README.md
View File

@@ -8,6 +8,7 @@ Additionally, if the host's NIC doesn't support XDP-native, the program will att
The following command line arguments are supported: The following command line arguments are supported:
* `--config -c` => Location to config file. Default => **/etc/xdpfw/xdpfw.conf**. * `--config -c` => Location to config file. Default => **/etc/xdpfw/xdpfw.conf**.
* `--offload -o` => Tries to load the XDP program in hardware/offload mode.
* `--list -l` => List all filtering rules scanned from config file. * `--list -l` => List all filtering rules scanned from config file.
* `--help -h` => Print help menu for command line options. * `--help -h` => Print help menu for command line options.

82
src/xdpfw_loader.c
View File

@@ -23,10 +23,12 @@
static char *configFile; static char *configFile;
static int help = 0; static int help = 0;
static int list = 0; static int list = 0;
static int offload = 0;
const struct option opts[] = const struct option opts[] =
{ {
{"config", required_argument, NULL, 'c'}, {"config", required_argument, NULL, 'c'},
{"offload", no_argument, &offload, 'o'},
{"list", no_argument, &list, 'l'}, {"list", no_argument, &list, 'l'},
{"help", no_argument, &help, 'h'}, {"help", no_argument, &help, 'h'},
{NULL, 0, NULL, 0} {NULL, 0, NULL, 0}
@@ -55,6 +57,11 @@ void parse_command_line(int argc, char *argv[])
break; break;
case 'o':
offload = 1;
break;
case 'l': case 'l':
list = 1; list = 1;
@@ -193,43 +200,54 @@ static int xdp_attach(int ifindex, uint32_t *xdp_flags, int prog_fd)
{ {
int err; int err;
err = bpf_set_link_xdp_fd(ifindex, prog_fd, *xdp_flags); if (offload)
if (err == -EEXIST && !(*xdp_flags & XDP_FLAGS_UPDATE_IF_NOEXIST))
{ {
fprintf(stdout, "Trying to load in offload/hardware mode...\n");
uint32_t oldflags = *xdp_flags; *xdp_flags = XDP_FLAGS_UPDATE_IF_NOEXIST | XDP_FLAGS_HW_MODE;
*xdp_flags &= ~XDP_FLAGS_MODES;
*xdp_flags |= (oldflags & XDP_FLAGS_SKB_MODE) ? XDP_FLAGS_DRV_MODE : XDP_FLAGS_SKB_MODE;
err = bpf_set_link_xdp_fd(ifindex, -1, *xdp_flags);
if (!err)
{
err = bpf_set_link_xdp_fd(ifindex, prog_fd, oldflags);
}
}
// Check for no XDP-Native support.
if (err)
{
fprintf(stdout, "XDP-Native may not be supported with this NIC. Using SKB instead.\n");
// Remove DRV Mode flag.
if (*xdp_flags & XDP_FLAGS_DRV_MODE)
{
*xdp_flags &= ~XDP_FLAGS_DRV_MODE;
}
// Add SKB Mode flag.
if (!(*xdp_flags & XDP_FLAGS_SKB_MODE))
{
*xdp_flags |= XDP_FLAGS_SKB_MODE;
}
err = bpf_set_link_xdp_fd(ifindex, prog_fd, *xdp_flags); err = bpf_set_link_xdp_fd(ifindex, prog_fd, *xdp_flags);
} }
else
{
err = bpf_set_link_xdp_fd(ifindex, prog_fd, *xdp_flags);
if (err == -EEXIST && !(*xdp_flags & XDP_FLAGS_UPDATE_IF_NOEXIST))
{
uint32_t oldflags = *xdp_flags;
*xdp_flags &= ~XDP_FLAGS_MODES;
*xdp_flags |= (oldflags & XDP_FLAGS_SKB_MODE) ? XDP_FLAGS_DRV_MODE : XDP_FLAGS_SKB_MODE;
err = bpf_set_link_xdp_fd(ifindex, -1, *xdp_flags);
if (!err)
{
err = bpf_set_link_xdp_fd(ifindex, prog_fd, oldflags);
}
}
// Check for no XDP-Native support.
if (err)
{
fprintf(stdout, "XDP-Native may not be supported with this NIC. Using SKB instead.\n");
// Remove DRV Mode flag.
if (*xdp_flags & XDP_FLAGS_DRV_MODE)
{
*xdp_flags &= ~XDP_FLAGS_DRV_MODE;
}
// Add SKB Mode flag.
if (!(*xdp_flags & XDP_FLAGS_SKB_MODE))
{
*xdp_flags |= XDP_FLAGS_SKB_MODE;
}
err = bpf_set_link_xdp_fd(ifindex, prog_fd, *xdp_flags);
}
}
if (err < 0) if (err < 0)
{ {