lx1036
diff --git a/‎go/k8s/bpf/xdp-l4lb/xdp-cilium-l4lb/cilium/test/xdp-acl/acl.c
Lines changed: 22 additions & 12 deletions b/‎go/k8s/bpf/xdp-l4lb/xdp-cilium-l4lb/cilium/test/xdp-acl/acl.c
Lines changed: 22 additions & 12 deletions
diff --git a/‎go/k8s/bpf/xdp-l4lb/xdp-cilium-l4lb/cilium/test/xdp-acl/bpf.sh
Lines changed: 1 addition & 7 deletions b/‎go/k8s/bpf/xdp-l4lb/xdp-cilium-l4lb/cilium/test/xdp-acl/bpf.sh
Lines changed: 1 addition & 7 deletions
diff --git a/‎go/k8s/bpf/xdp-l4lb/xdp-cilium-l4lb/cilium/test/xdp-acl/main.go
Lines changed: 146 additions & 8 deletions b/‎go/k8s/bpf/xdp-l4lb/xdp-cilium-l4lb/cilium/test/xdp-acl/main.go
Lines changed: 146 additions & 8 deletions
@@ -103,18 +103,18 @@ static __always_inline int xdp_acl_ipv4_port(struct xdp_md *ctx) {
 
     struct iphdr *ipv4h = (data + sizeof(struct ethhdr));
     if ((void *) (ipv4h + 1) > data_end) {
-//        bpf_printk("fail to lookup from servers map. (void *) (ipv4h + 1) > data_end"); // 这里不能打印日志
+        bpf_printk("fail to lookup from servers map. (void *) (ipv4h + 1) > data_end"); // 这里不能打印日志
         return XDP_DROP;
     }
     if (ipv4h->ihl != 5) { // 必然是 5，感觉这种检查意义不大
-        // bpf_printk("fail to lookup from servers map. ipv4h->ihl != 5");
+        bpf_printk("fail to lookup from servers map. ipv4h->ihl != 5");
         return XDP_PASS;
     }
 
     // 这个逻辑是为了调试，因为 ecs eth0 网卡一直都有流量，这里限定另一台 ecs saddr 发 tcp 包
-    if (ipv4h->saddr != bpf_htonl(0xac100a02)) { /* 172.16.10.2 */
-        return XDP_PASS;
-    }
+//    if (ipv4h->saddr != bpf_htonl(0xac100a02)) { /* 172.16.10.2 */
+//        return XDP_PASS;
+//    }
 
     // 1.因为 eth0 可能绑定多个 ip 地址，dstIP 必须是指定的 ip，必须做检查过滤
     __u32 key = 0;
@@ -133,48 +133,55 @@ static __always_inline int xdp_acl_ipv4_port(struct xdp_md *ctx) {
             break; // break 起作用的
         }
 
-        bpf_printk("target_ip not found %d", i);
+//        bpf_printk("target_ip not found %d", i);
     }
 
     // bpf_printk("target_ip 0x%x", server->target_ips[0]);
 
     if (!found) {
-        bpf_printk("dst ip: 0x%x is not target ip, skip it. target_ip 0x%x", ipv4h->daddr,
-                   server->target_ips[0]); // 使用 u32toIP() 报错
+        // 使用 u32toIP() 报错
+//        bpf_printk("dst ip: 0x%x is not target ip, skip it. target_ip 0x%x", ipv4h->daddr, server->target_ips[0]);
         return XDP_PASS;
     }
 
-    bpf_debug_printk("dst ip: 0x%x is a target ip, acl it.", ipv4h->daddr); // XDPACL_DEBUG 参数起作用的, %pI4 不行
+//    bpf_debug_printk("dst ip: 0x%x is a target ip, acl it.", ipv4h->daddr); // XDPACL_DEBUG 参数起作用的, %pI4 不行
 
     if (ipv4h->protocol != IPPROTO_TCP && ipv4h->protocol != IPPROTO_UDP) {
         bpf_printk("protocol: %x is not tcp or udp, skip it.", ipv4h->protocol);
         return XDP_PASS;
     }
 
+    // 这样可以不用区分 tcphdr 和 udphdr
     struct ports *port;
     port = data + sizeof(struct ethhdr) + sizeof(struct iphdr);
     if ((void *) (port + 1) > data_end) {
         bpf_printk("fail to fetch tcp/udp ports, skip it.");
         return XDP_PASS;
     }
 
+    // 这个逻辑是为了调试，因为 lo 网卡一直都有 tcp 包，把 ->9090 包过滤出来
+    if (bpf_ntohs(port->dest) != 9090) {
+        return XDP_PASS;
+    }
+
     // unsigned short, __u16 -> unsigned int, __u32
-    // __u32 dst_port = bpf_ntohs(port->dest); // network to host shorts
     struct endpoint endpoint = {}; // 对象初始化
-    endpoint.dport = port->dest;
+    // network to host shorts, 不加 bpf_ntohs() dport 为 0x8223, 而是加上 hex(9090)=0x2382, 需要注意!!!
+    endpoint.dport = bpf_ntohs(port->dest);
     endpoint.protocol = ipv4h->protocol;
     // bpftool map dump name endpoints | jq
     struct action *action;
     action = bpf_map_lookup_elem(&endpoints, &endpoint); // 这里报错一直查找不到对应的 endpoint???
     if (!action) {
+        bpf_printk("dport: %x, protocol: %x", endpoint.dport, endpoint.protocol);
         // fail to lookup endpoints map, dport: 9090, protocol: 6, action:0
         bpf_printk("fail to lookup endpoints map, dport: %d, protocol: %x, action:%x", bpf_ntohs(port->dest),
                    ipv4h->protocol, action);
         return XDP_PASS;
     }
 
     if (action->action == 0) { // deny
-        bpf_printk("action of protocol:%x port:%d is deny, drop it.", ipv4h->protocol, port->dest);
+        bpf_printk("action of protocol:%x port:%d is deny, drop it.", ipv4h->protocol, bpf_ntohs(port->dest));
         return XDP_DROP;
     }
 
@@ -186,6 +193,9 @@ static __always_inline int xdp_acl_ipv4_port(struct xdp_md *ctx) {
  * 根据 protocol/svcPort 来判断 action(XDP_PASS/XDP_DROP)
  *
  * 但是没有验证通过!!! 这里报错一直查找不到对应的 endpoint???
+ *
+ * TODO: 根据 bitmap 来寻找 action rule, 减少内存
  */
 
 SEC("xdp_acl")
 
@@ -1,12 +1,6 @@
 #!/bin/bash
 
-
-apt-get update -y
-apt-get install -y gcc-multilib libbpf-dev clang linux-tools-`uname -r` jq
-
-# 这里安装 libbpf-dev 包后，代码里可以直接 include linux 头文件
-clang -O2 -Wall -target bpf -c acl.c -o acl.o
-
+# 本地运行时，不会走 eth0-acl 网卡，而是 lo 网卡 127.0.0.1.9091 > 127.0.0.1.9090
 
 ip link add dev eth0-acl type dummy
 ip link set dev eth0-acl up
 
@@ -2,6 +2,7 @@ package main
 
 import (
     "encoding/binary"
+    "flag"
     "github.com/cilium/ebpf"
     "github.com/cilium/ebpf/btf"
     "github.com/cilium/ebpf/link"
@@ -16,14 +17,47 @@ import (
 
 //go:generate go run github.com/cilium/ebpf/cmd/bpf2go bpf acl.c -- -I.
 
+const (
+    INADDR_TEST = "127.0.0.1"
+    BindPort    = 9090
+
+    DATA = "testing"
+)
+
 // go generate .
-// CGO_ENABLED=0 go run .
+// CGO_ENABLED=0 go run . --action=1
+// CGO_ENABLED=0 go run . --action=0
 func main() {
     logrus.SetReportCaller(true)
 
+    actionArg := flag.Int("action", 1, "for xdp")
+    iface := flag.String("iface", "lo", "the interface to attach this program to")
+    flag.Parse()
+
     stopCh := make(chan os.Signal, 1)
     signal.Notify(stopCh, os.Interrupt, syscall.SIGTERM)
 
+    serverFd := startServer()
+    defer unix.Close(serverFd)
+    clientFd := connectToFd(serverFd)
+    defer unix.Close(clientFd)
+    // connect 已经建立 tcp connection，从全队列(accept)里取出一个 connection socket
+    clientServerFd, _, err := unix.Accept(serverFd)
+    if err != nil {
+        logrus.Fatalf("Accept err: %v", err)
+    }
+    defer unix.Close(clientServerFd)
+    if _, err = unix.Write(clientFd, []byte(DATA)); err != nil {
+        logrus.Fatalf("unix.Write err: %v", err)
+    }
+    cbuf := make([]byte, 1024)
+    n, _, _, _, err := unix.Recvmsg(clientServerFd, cbuf, nil, 0)
+    if err != nil {
+        logrus.Fatalf("unix.Recvmsg err: %v", err)
+    }
+    cbuf = cbuf[:n]
+    logrus.Infof("server recvmsg from client: %s", string(cbuf))
+
     // Load pre-compiled programs and maps into the kernel.
     btfSpec, err := btf.LoadKernelSpec()
     if err != nil {
@@ -58,12 +92,11 @@ func main() {
         logrus.Error(err)
     }
 
-    ip1 := "172.16.10.3"
     var addr uint32
     if IsLittleEndian() {
-        addr = binary.LittleEndian.Uint32(net.ParseIP(ip1).To4()) // byte[]{a,b,c,d} -> dcba
+        addr = binary.LittleEndian.Uint32(net.ParseIP(INADDR_TEST).To4()) // byte[]{a,b,c,d} -> dcba
     } else {
-        addr = binary.BigEndian.Uint32(net.ParseIP(ip1).To4()) // byte[]{a,b,c,d} -> abcd
+        addr = binary.BigEndian.Uint32(net.ParseIP(INADDR_TEST).To4()) // byte[]{a,b,c,d} -> abcd
     }
     // serverIPs := bpfServerIps{
     // 	TargetIps: [4]uint32{
@@ -80,10 +113,10 @@ func main() {
 
     endpoint := bpfEndpoint{
         Protocol: unix.IPPROTO_TCP,
-        Dport:    uint16(9090),
+        Dport:    uint16(BindPort),
     }
     action := bpfAction{
-        Action: uint8(0),
+        Action: uint8(*actionArg),
     }
     if err := objs.bpfMaps.Endpoints.Put(endpoint, action); err != nil {
         logrus.Error(err)
@@ -95,7 +128,7 @@ func main() {
     }
     logrus.Infof("%+v", action1)
 
-    ifaceObj, err := net.InterfaceByName("eth0")
+    ifaceObj, err := net.InterfaceByName(*iface)
     if err != nil {
         logrus.Fatalf("loading objects: %v", err)
     }
@@ -109,12 +142,117 @@ func main() {
     }
     defer l.Close()
 
+    if _, err = unix.Write(clientFd, []byte(DATA)); err != nil {
+        logrus.Fatalf("unix.Write err: %v", err)
+    }
+    cbuf2 := make([]byte, 1024)
+    n2, _, _, _, err := unix.Recvmsg(clientServerFd, cbuf2, nil, 0)
+    if err != nil {
+        logrus.Fatalf("unix.Recvmsg err: %v", err)
+    }
+    cbuf2 = cbuf2[:n2]
+    logrus.Infof("server recvmsg from client: %s", string(cbuf2))
+
     // Wait
     <-stopCh
 }
 
+func connectToFd(serverFd int) int {
+    socketType, err := unix.GetsockoptInt(serverFd, unix.SOL_SOCKET, unix.SO_TYPE)
+    if err != nil {
+        logrus.Fatal(err)
+    }
+
+    //tcpSaveSyn, err := unix.GetsockoptInt(serverFd, unix.SOL_TCP, unix.TCP_SAVE_SYN)
+
+    serverSockAddr, err := unix.Getsockname(serverFd)
+    if err != nil {
+        logrus.Fatal(err)
+    }
+
+    clientFd, err := unix.Socket(unix.AF_INET, socketType, 0)
+    if err != nil {
+        logrus.Fatal(err)
+    }
+    setSocketTimeout(clientFd, 5000)
+
+    ip := net.ParseIP(INADDR_TEST)
+    sa := &unix.SockaddrInet4{
+        Port: BindPort + 1,
+        Addr: [4]byte{},
+    }
+    copy(sa.Addr[:], ip)
+    err = unix.Bind(clientFd, sa)
+    if err != nil {
+        logrus.Fatal(err)
+    }
+
+    // 非阻塞的
+    err = unix.Connect(clientFd, serverSockAddr)
+    if err != nil {
+        logrus.Fatal(err)
+    }
+
+    return clientFd
+}
+
+func startServer() int {
+    serverFd, err := unix.Socket(unix.AF_INET, unix.SOCK_STREAM, 0)
+    if err != nil {
+        logrus.Fatal(err)
+    }
+    setSocketTimeout(serverFd, 5000)
+
+    err = unix.SetsockoptInt(serverFd, unix.SOL_SOCKET, unix.SO_REUSEADDR, 1)
+    if err != nil {
+        logrus.Fatalf("unix.SO_REUSEADDR error: %v", err)
+    }
+
+    ip := net.ParseIP(INADDR_TEST)
+    sa := &unix.SockaddrInet4{
+        Port: BindPort,
+        Addr: [4]byte{},
+    }
+    copy(sa.Addr[:], ip)
+    err = unix.Bind(serverFd, sa)
+    if err != nil {
+        logrus.Fatal(err)
+    }
+
+    err = unix.Listen(serverFd, 1)
+    if err != nil {
+        logrus.Fatal(err)
+    }
+
+    return serverFd
+}
+
+func setSocketTimeout(fd, timeoutMs int) {
+    var timeVal *unix.Timeval
+    if timeoutMs > 0 {
+        timeVal = &unix.Timeval{
+            Sec:  int64(timeoutMs / 1000),
+            Usec: int64(timeoutMs % 1000 * 1000),
+        }
+    } else {
+        timeVal = &unix.Timeval{
+            Sec: 3,
+        }
+    }
+
+    err := unix.SetsockoptTimeval(fd, unix.SOL_SOCKET, unix.SO_RCVTIMEO, timeVal)
+    if err != nil {
+        logrus.Fatal(err)
+    }
+
+    err = unix.SetsockoptTimeval(fd, unix.SOL_SOCKET, unix.SO_SNDTIMEO, timeVal)
+    if err != nil {
+        logrus.Fatal(err)
+    }
+}
+
 func IsLittleEndian() bool {
-    var val int32 = 0x1
+    val := int32(0x1)
 
     return *(*byte)(unsafe.Pointer(&val)) == 1
 }