lx1036
diff --git a/‎go/k8s/bpf/xdp-l4lb/xdp-cilium-l4lb/cilium/test/tproxy/socket-bypass-tcpip/socket_bypass_tcpip_test.go
Lines changed: 52 additions & 11 deletions b/‎go/k8s/bpf/xdp-l4lb/xdp-cilium-l4lb/cilium/test/tproxy/socket-bypass-tcpip/socket_bypass_tcpip_test.go
Lines changed: 52 additions & 11 deletions
diff --git a/‎go/k8s/bpf/xdp-l4lb/xdp-cilium-l4lb/cilium/test/tproxy/socket-bypass-tcpip/test_socket_bypass_tcpip.c
Lines changed: 65 additions & 18 deletions b/‎go/k8s/bpf/xdp-l4lb/xdp-cilium-l4lb/cilium/test/tproxy/socket-bypass-tcpip/test_socket_bypass_tcpip.c
Lines changed: 65 additions & 18 deletions
@@ -7,11 +7,11 @@ import (
     "github.com/sirupsen/logrus"
     "github.com/stretchr/testify/suite"
     "golang.org/x/sys/unix"
+    "net"
     "os"
     "os/signal"
     "syscall"
     "testing"
-    "net"
 )
 
 //go:generate go run github.com/cilium/ebpf/cmd/bpf2go bpf test_socket_bypass_tcpip.c -- -I.
@@ -28,6 +28,10 @@ const (
     EXT_PORT = 7007
 )
 
+/**
+没有验证成功!!!
+*/
+
 func init() {
     logrus.SetReportCaller(true)
 }
@@ -37,7 +41,7 @@ type SocketBypassTCPIPSuite struct {
 
     objs       *bpfObjects
     cgroupLink link.Link
-    skMsgLink  link.Link
+    skMsgLink  *ProgAttachSkMsg
 }
 
 func TestSocketBypassTCPIPSuite(t *testing.T) {
@@ -75,7 +79,8 @@ func (s *SocketBypassTCPIPSuite) SetupSuite() {
     }
     s.cgroupLink = l1
 
-    // bpftool prog attach id progID msg_verdict id mapID
+    // `bpftool prog attach id progID msg_verdict id mapID` attach a sockops map
+    // https://github.com/cilium/cilium/blob/1c466d26ff0edfb5021d024f755d4d00bc744792/pkg/sockops/sockops.go#L47-L60
     l2, err := AttachSkMsg(objs.bpfPrograms.BpfTcpipBypass, objs.bpfMaps.SockOpsMap)
     if err != nil {
         logrus.Errorf("AttachSkMsg err: %v", err)
@@ -101,8 +106,10 @@ func (s *SocketBypassTCPIPSuite) TearDownSuite() {
     }
 }
 
+// CGO_ENABLED=0 go test -v -testify.m ^TestSocketBypass$ .
+// `netstat -tulpn`
 func (s *SocketBypassTCPIPSuite) TestSocketBypass() {
-    // only TCP
+    // only TCP, listen at 127.0.0.1:7007
     serverFd, err := makeServer(unix.SOCK_STREAM, nil, EXT_IP4, EXT_PORT)
     if err != nil {
         return
@@ -115,7 +122,7 @@ func (s *SocketBypassTCPIPSuite) TestSocketBypass() {
     tcpEcho(clientFd, serverFd, "testing")
 }
 
-// 127.0.0.1:5432 connect 127.0.0.1:7007
+// 127.0.0.1:5432 > 127.0.0.1:7007
 func makeClient(socketType int, ip string, port int) int {
     var err error
     var sockfd int
@@ -201,7 +208,7 @@ func makeServer(socketType int, reuseportProg *ebpf.Program, ip string, port int
         }
     }
 
-    // bind 127.0.0.1:8008
+    // bind 127.0.0.1:7007
     ipAddr := net.ParseIP(ip)
     sa := &unix.SockaddrInet4{
         Port: port,
@@ -304,18 +311,52 @@ func tcpEcho(clientFd, serverFd int, echoData string) {
     }
 }
 
-func AttachSkMsg(prog *ebpf.Program, bpfMap *ebpf.Map) (link.Link, error) {
+type ProgAttachSkMsg struct {
+    mapId      ebpf.MapID
+    program    *ebpf.Program
+    attachType ebpf.AttachType
+}
+
+func (skMsg *ProgAttachSkMsg) Close() error {
+    err := link.RawDetachProgram(link.RawDetachProgramOptions{
+        Target:  int(skMsg.mapId),
+        Program: skMsg.program,
+        Attach:  skMsg.attachType,
+    })
+    if err != nil {
+        return fmt.Errorf("close cgroup: %s", err)
+    }
+    return nil
+}
+
+func AttachSkMsg(prog *ebpf.Program, bpfMap *ebpf.Map) (*ProgAttachSkMsg, error) {
     if t := prog.Type(); t != ebpf.SkMsg {
-        return nil, fmt.Errorf("invalid program type %s, expected XDP", t)
+        return nil, fmt.Errorf("invalid program type %s, expected SkMsg", t)
+    }
+
+    info, err := bpfMap.Info()
+    if err != nil {
+        return nil, err
+    }
+    mapId, ok := info.ID()
+    if !ok {
+        return nil, fmt.Errorf("invalid map id: %d", mapId)
     }
 
-    rawLink, err := link.AttachRawLink(link.RawLinkOptions{
-        Target:  bpfMap.FD(),
+    err = link.RawAttachProgram(link.RawAttachProgramOptions{
+        Target:  int(mapId),
         Program: prog,
         Attach:  ebpf.AttachSkMsgVerdict,
+        Flags:   0,
     })
 
-    return rawLink, err
+    skMsg := &ProgAttachSkMsg{
+        mapId:      mapId,
+        program:    prog,
+        attachType: ebpf.AttachSkMsgVerdict,
+    }
+
+    return skMsg, nil
 }
 
 func joinCgroup(path string) string {
 
@@ -5,21 +5,46 @@
 #include <bpf/bpf_helpers.h>
 #include <bpf/bpf_endian.h>
 
+#ifndef barrier
+# define barrier()		asm volatile("": : :"memory")
+#endif
+
+static __always_inline void bpf_barrier(void)
+{
+    /* Workaround to avoid verifier complaint:
+     * "dereference of modified ctx ptr R5 off=48+0, ctx+const is allowed,
+     *        ctx+const+const is not"
+     */
+    barrier();
+}
+
+#ifndef __READ_ONCE
+# define __READ_ONCE(X)		(*(volatile typeof(X) *)&X)
+#endif
+
+#ifndef READ_ONCE
+# define READ_ONCE(X)						\
+			({ typeof(X) __val = __READ_ONCE(X);	\
+			   bpf_barrier();			\
+			   __val; })
+#endif
+
 struct sock_key {
     __u32 sip4;
     __u32 dip4;
     __u8 family;
-//    __u8  pad1;
-//    __u16 pad2;
+    __u8  pad1;
+    __u16 pad2;
 //    // this padding required for 64bit alignment
 //    // else ebpf kernel verifier rejects loading
 //    // of the program
-//    __u32 pad3;
+    __u32 pad3;
     __u32 sport;
     __u32 dport;
-};
-//} __attribute__((packed));
+//};
+} __attribute__((packed));
 
+// `bpftool map dump name sock_ops_map -j | jq`
 struct {
     __uint(type, BPF_MAP_TYPE_SOCKHASH);
     __uint(max_entries, 65535);
@@ -30,10 +55,15 @@ struct {
 
 static __always_inline void sk_msg_extract4_key(struct sk_msg_md *msg, struct sock_key *key) {
     key->family = 1;
-    key->sip4 = msg->remote_ip4;
-    key->dip4 = msg->local_ip4;
-    key->sport = msg->remote_port >> 16;
-    key->dport = bpf_htonl(msg->local_port) >> 16;
+//    key->sip4 = msg->remote_ip4;
+//    key->dip4 = msg->local_ip4;
+//    key->sport = msg->remote_port >> 16;
+//    key->dport = bpf_htonl(msg->local_port) >> 16;
+
+    key->sip4 = msg->local_ip4;
+    key->dip4 = msg->remote_ip4;
+    key->sport = bpf_htonl(msg->local_port) >> 16;
+    key->dport = (msg->remote_port) >> 16;
 }
 
 // hook sendmsg call on a socket, @see SEC("cgroup/sendmsg4")
@@ -45,8 +75,9 @@ int bpf_tcpip_bypass(struct sk_msg_md *msg)
     struct sock_key key = {};
     sk_msg_extract4_key(msg, &key);
     // bpf_msg_redirect_map()
-    bpf_msg_redirect_hash(msg, &sock_ops_map, &key, BPF_F_INGRESS);
-    return SK_PASS;
+    bpf_printk("total size of sk_msg is %d, port %d --> %d", msg->size, bpf_ntohl(msg->remote_port), msg->local_port);
+    return (int)bpf_msg_redirect_hash(msg, &sock_ops_map, &key, BPF_F_INGRESS);
+//    return SK_PASS;
 }
 
 static __always_inline void bpf_sock_ops_ipv4(struct bpf_sock_ops *skops) {
@@ -55,19 +86,35 @@ static __always_inline void bpf_sock_ops_ipv4(struct bpf_sock_ops *skops) {
 
     // keep ip and port in network byte order
     key.family = 1; // 只有指针才是 key->family, @see sk_msg_extract4_key(), 这里为何是 1???
-    key.sip4 = skops->local_ip4; // 为何这里互换???
-    key.dip4 = skops->remote_ip4;
-    // local_port is in host byte order, and remote_port is in network byte order
-    key.sport = bpf_htonl(skops->local_port) >> 16; // ???
-    key.dport = skops->remote_port >> 16;
+//    key.sip4 = skops->local_ip4; // 为何这里互换???
+//    key.dip4 = skops->remote_ip4;
+//    // local_port is in host byte order, and remote_port is in network byte order
+//    key.sport = (bpf_htonl(skops->local_port) >> 16); // ???
+//    /* clang-7.1 or higher seems to think it can do a 16-bit read here
+//	 * which unfortunately most kernels (as of October 2019) do not
+//	 * support, which leads to verifier failures. Insert a READ_ONCE
+//	 * to make sure that a 32-bit read followed by shift is generated.
+//	 */
+//    key.dport = (skops->remote_port) >> 16;
+
 
+    key.dip4 = skops->local_ip4;
+    key.dport = (bpf_htonl(skops->local_port) >> 16);
+    key.sip4 = skops->remote_ip4;
+    key.sport = (skops->remote_port) >> 16;
+
+    /**
+     * 这里没有报错，但是 map 里为空: `bpftool map dump name sock_ops_map -j | jq`
+     */
     ret = (int)bpf_sock_hash_update(skops, &sock_ops_map, &key, BPF_NOEXIST);
     if (ret != 0) {
         bpf_printk("sock_hash_update() failed, ret: %d", ret);
     }
 
 //    __u32 remote_port;    /* Stored in network byte order */ 因为是 network byte order，且是 u32，所以必须 bpf_ntohl()
 //    __u32 local_port;    /* stored in host byte order */
+    // sockmap: op 4, port 5432 --> 7007, client 端是 5432, server 端是 7007
+    // sockmap: op 5, port 7007 --> 5432
     bpf_printk("sockmap: op %d, port %d --> %d", skops->op, skops->local_port, bpf_ntohl(skops->remote_port));
 }
 
@@ -82,8 +129,8 @@ int bpf_sockops_v4(struct bpf_sock_ops *skops)
      * active: source socket sending SYN
      * passive: destination socket responding with ACK for the SYN
      */
-    case BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB:
-    case BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB:
+    case BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB: // 4
+    case BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB: // 5
         if (family == AF_INET) { // only ipv4
             bpf_sock_ops_ipv4(skops);
         }