This patch implements both tc and filter chains.
We also need to align tc filter delition implementation
with iprote2 to delete filters withichain by passing
additional bits during filter deletion call.
This patch adds support for tc police action. And codes of fw filter
have been refactored with the police action for reducing redundant
codes.
Signed-off-by: Wu Zongyong <wuzongyong@linux.alibaba.com>
In order to support BPF_SYSCALL `PROG_GET_FD_BY_ID` -- the ID of the
eBPF must be available.
Add the additional enumerations and handle them when parsing the BPF
filter.
This patch replaces TcU32Sel and TcU32Key that are copied from nl
package with type aliases for the original types. This eliminates the
usages of unsafe packages and redundant copied structs that are
identical to the original ones.
Type aliases are newly introduced in Go 1.9 and it is not backward
compatibile. Therefore this patch shall be merged only if the project is
entirely migrated to Go 1.9. Currently we are building this project
with Go 1.10 and Go 1.11, so it is reasonable to require Go version
greater than 1.9.
See #206 and #261, which is the previous life of this patch.
This patch also moves TcU32Sel, TcU32Key and U32 structs from filter.go
to filter_linux.go to make it possible to build on macOS. See #243 for
more details.
Signed-off-by: Taku Fukushima <taku@soracom.jp>
This patch adds "Hash" attribute that represents the ID of the hash
table with which the filter is associated to U32 struct. If the hash
table is not created yet, a new hash table is created with the
specified ID.
Signed-off-by: Taku Fukushima <taku@soracom.jp>
This patch adds "Divisor" attribute that represents the divisor of the
hash table buckets to U32 struct.
With "Divisor" attribute, only a hash table without its associated
filters can be created. This new capability allows users to construct
the more flexible filter configurations with the hash table that has
the divisor greater than 1, for instance.
Although a hash table is created through the same interfaces as the
filters, it cannot be listed or deleted though the same interfaces as
the filters at this moment. Only real filters can be listed with
FilterList and deleted with FilterDel.
Signed-off-by: Taku Fukushima <taku@soracom.jp>
This patch adds the advanced u32 match feature support with the
selection keys. It enables the users to crate a complex filter as follow
for instance:
$ tc filter add dev eth0 parent 1: prio 1 u32 match ip dport 80 0xff \
match u32 0x146ca 0xffff at 32 flowid 1:46cb
To expose TcU32Sel and TcU32Key defined in nl package, this patch copies
them to filte.go and their values that require Big-endianness are
handled appropriately in FilterAdd function in filter_linux.go.
Signed-off-by: Taku Fukushima <taku@soracom.jp>
New in kernel 4.5 is a type of qdisc for lightweight (no qdisc lock)
ingress/egress parsing, called clsact. Add support for such a qdisc
type.
One primary consumer of clsact is the bpf filter, add support for that
as well.
Current U32 filter only supports redirect action, but the U32 can
support a lot more. Refactor a bit the action generating/parsing logic
to be more generic and add BPF action support.
When creating a U32 filter, one can supply an array of Actions, which
will be executed by the U32 filter in order:
* The new MirredAction implements the same functionality as RedirIndex
field in the U32 filter, with that static field kept in the struct for
backwards compatibility.
* A new BpfAction type is added which allows a program with an open bpf
file descriptor (implementation is out of scope of this patch) to be
added as well.
Add a test for the above use case which includes one of each type of
action.
