Skip to content

Commit

Permalink
Tc
Browse files Browse the repository at this point in the history
  • Loading branch information
@msune
msune committed Sep 16, 2024
1 parent d8cea3a commit 466d136
Show file tree
Hide file tree
Showing 2 changed files with 100 additions and 22 deletions.
50 changes: 50 additions & 0 deletions .github/workflows/ci.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -152,6 +152,56 @@ jobs:
grep "Recompiling sfunnel BPF program" output || (echo "ERROR: unable to validate it loads custom file ruleset DEBUG=1" && exit 1)
grep "$RULE" output || (echo "ERROR: unable to validate it loads custom file ruleset DEBUG=1" && exit 1)
- name: "[TEST] Run container with IFACES=invalid ..."
run: |
set -o pipefail
docker run --privileged -e DEBUG=1 -e IFACES=invalid | tee output
if [ ${PIPESTATUS[0]} -eq 0 ]; then
echo "ERROR: container succeded when it should have FAILED!"
exit 1
fi
- name: "[TEST] Run container with DIRECTION=invalid ..."
run: |
set -o pipefail
docker run --privileged -e DEBUG=1 -e DIRECTION=invalid | tee output
if [ ${PIPESTATUS[0]} -eq 0 ]; then
echo "ERROR: container succeded when it should have FAILED!"
exit 1
fi
grep "FATAL: Invalid traffic direction" output || (echo "ERROR: unable to validate container correctly fails when DIRECTION is invalid" && exit 1)
- name: "[TEST] Run container with DIRECTION=ingress ..."
run: |
set -o pipefail
docker run --privileged -e DEBUG=1 -e DIRECTION=ingress | tee output
if [ ${PIPESTATUS[0]} -ne 0 ]; then
echo "ERROR: container execution FAILED!"
exit 1
fi
(grep "Attaching BPF program" output | grep "direction 'ingress'") || (echo "ERROR: unable to validate container attaches to DIRECTION=ingress" && exit 1)
- name: "[TEST] Run container with DIRECTION=egress ..."
run: |
set -o pipefail
docker run --privileged -e DEBUG=1 -e DIRECTION=egress | tee output
if [ ${PIPESTATUS[0]} -ne 0 ]; then
echo "ERROR: container execution FAILED!"
exit 1
fi
(grep "Attaching BPF program" output | grep "direction 'egress'") || (echo "ERROR: unable to validate container attaches to DIRECTION=egress" && exit 1)
- name: "[TEST] Run container with DIRECTION=both ..."
run: |
set -o pipefail
docker run --privileged -e DEBUG=1 -e DIRECTION=both | tee output
if [ ${PIPESTATUS[0]} -ne 0 ]; then
echo "ERROR: container execution FAILED!"
exit 1
fi
(grep "Attaching BPF program" output | grep "direction 'ingress'") || (echo "ERROR: unable to validate container attaches to DIRECTION=both" && exit 1)
(grep "Attaching BPF program" output | grep "direction 'egress'") || (echo "ERROR: unable to validate container attaches to DIRECTION=both" && exit 1)
- name: "Push to ghcr"
run: |
cd sfunnel
Expand Down
72 changes: 50 additions & 22 deletions docker/entrypoint.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ DEBUG=${DEBUG:-0}
N_ATTEMPTS=${N_ATTEMPTS:-6}
RETRY_DELAY=${RETRY_DELAY:-3}

DIRECTION=${DIRECTION:-ingress}
_IFACES=$(ls /sys/class/net | tr "\n" " " | sed 's/\s*$//g')
IFACES=${IFACES:-$_IFACES}

Expand All @@ -21,18 +22,45 @@ compile(){

#$1: PROG
#$2: IFACE
#$3: direction {ingress, egress}
load_prog(){
tc qdisc add dev $2 clsact
tc filter add dev $2 ingress bpf da obj $1 sec funnel verbose
for ((i=1; i<${N_ATTEMPTS}; i++)); do
echo "[INFO] Attaching BPF program '${1}' to '${2}' direction '${3}'..."
tc filter add dev ${2} ${3} bpf da obj ${1} sec funnel verbose
if [[ "$?" == "1" ]]; then
echo "[WARNING] attempt ${i} failed on iface '${2}', direction '${3}', prog '${1}'. Retrying in ${RETRY_DELAY} seconds..."
sleep ${RETRY_DELAY}
else
break;
fi
done

if [[ ${i} -ge ${N_ATTEMPTS} ]]; then
echo "[ERROR] unable to attach BPF program to '${2}'!"
exit 1
fi

echo ""
}

# Check direction is valid
case "${DIRECTION}" in
ingress | egress | both)
;;
*)
echo "FATAL: Invalid traffic direction '${DIRECTION}'. Allowed values {ingress, egress, both}."
exit 1
;;
esac

# Splash and useful info
echo "[INFO] sfunnel $(cat /opt/sfunnel/VERSION)"
echo "[INFO] ENVs:"
echo " \$DEBUG='$DEBUG'"
echo " \$N_ATTEMPTS='$N_ATTEMPTS'"
echo " \$RETRY_DELAY='$RETRY_DELAY'"
echo " \$IFACES='$IFACES'"
echo " \$DEBUG='${DEBUG}'"
echo " \$DIRECTION='${DIRECTION}'"
echo " \$N_ATTEMPTS='${N_ATTEMPTS}'"
echo " \$RETRY_DELAY='${RETRY_DELAY}'"
echo " \$IFACES='${IFACES}'"
echo "[INFO] Container info:"
echo " Kernel: $(uname -a)"
echo " Debian: $(cat /etc/debian_version)"
Expand All @@ -46,9 +74,9 @@ if [[ "${DEBUG}" == "1" ]]; then
fi

#If SFUNNEL_RULESET is defined, create the file
if [[ "$SFUNNEL_RULESET" != "" ]]; then
echo "[INFO] SFUNNEL_RULESET='$SFUNNEL_RULESET'"
echo $SFUNNEL_RULESET > /opt/sfunnel/src/ruleset
if [[ "${SFUNNEL_RULESET}" != "" ]]; then
echo "[INFO] SFUNNEL_RULESET='${SFUNNEL_RULESET}'"
echo ${SFUNNEL_RULESET} > /opt/sfunnel/src/ruleset
fi

#Log the ruleset that will be used
Expand All @@ -73,18 +101,18 @@ fi

#Load
echo ""
echo -e "[INFO] Attaching BPF program '$PROG' to IFACES={$IFACES} using clsact qdisc...\n"
for IFACE in $IFACES; do
for ((i=1; i<=$N_ATTEMPTS; i++)); do
echo "[INFO] Attaching BPF program to '$IFACE'..."
load_prog $PROG $IFACE && break
echo "[WARNING] attempt $i failed on iface '$IFACE'. Retrying in $RETRY_DELAY seconds..."
sleep 5
done
if [[ $i -ge $N_ATTEMPTS ]]; then
echo "[ERROR] unable to attach BPF program to '$IFACE'!"
exit 1
echo -e "[INFO] Attaching BPF program '${PROG}' to IFACES={$IFACES} using clsact qdisc...\n"
for IFACE in ${IFACES}; do
#Create clsact qdisc once; allow to reuse existing one
tc qdisc add dev ${IFACE} clsact || echo "[WARNING] unable to create clsact; already present?"

if [[ ${DIRECTION} != "egress" ]]; then
load_prog ${PROG} ${IFACE} ingress
fi
echo -e "[INFO] Successfully attached BPF program to '$IFACE'.\n"
if [[ ${DIRECTION} != "ingress" ]]; then
load_prog ${PROG} ${IFACE} egress
fi

echo -e "[INFO] Successfully attached BPF program(s) to '${IFACE}'.\n"
done
echo "[INFO] Successfully attached '$PROG' to interfaces {$IFACES}"
echo "[INFO] Successfully attached '${PROG}' to interfaces {${IFACES}}"

0 comments on commit 466d136

Please sign in to comment.