forked from daeuniverse/dae
[Experimental] Stack bypass #7
Open
jschwinger233 wants to merge 28 commits into main from gray/exp/wan-redirect-to-dae0
Conversation
Force-pushed deae952 to 2ba0dbb
- listen tcp inside daens
- setup routing inside daens
- attach new bpf prog to dae0 + dae0peer

Force-pushed dcfdf0f to 8ee97ea
Avoid spammy dmesg reported by @umlka:
[ 16.726876] dae0peer: Caught tx_queue_len zero misconfig
[ 16.786837] dae0: Caught tx_queue_len zero misconfig

Force-pushed e5dd583 to f0ad777
Force-pushed f0ad777 to 34bb2ac
Force-pushed 34bb2ac to 3f8274e
Force-pushed 3f8274e to 7265674
Force-pushed c533215 to e7525dc
skb->mark will be reset when going across netns (skb_scrub_packet), so this commit sets a special value in cb[0] which can survive bpf_redirect and netns crossing. This solves issues like:
level=warning msg="No AddrPort presented: reading map: key [[::ffff:0.0.0.0]:68, 17, 255.255.255.255:67]: lookup: key does not exist"

Force-pushed e7525dc to a1a4012
Background
A stack-bypass implementation for the hijack path.
The previous problems concentrated on:
This PR tries to route the "hijack path" (the "traffic-splitting path") around the kernel stack while keeping the datapath symmetric, in the hope of solving most of the problems.
Datapath
0.5 wan: note that on the hijack path, requests and replies are asymmetric, and the network stack between wan0 and dae caused most of the problems.
0.5 lan for udp: requests and replies are also asymmetric, and the dae0 lladdr + sysctl possibly being modified by systemd also caused quite a few problems.
New wan datapath: note that between wan0 and dae0, both directions skip the kernel stack via bpf_redirect, so there is no need to configure nft or sysctl.
New lan datapath: lan0 and dae0 are also connected via bpf_redirect.
The new path is fully symmetric, which should minimize potential problems.
Implementation
Four tc bpf progs are needed:
a. Listen on :12345 only inside the dae netns.
b. No need to monitor the dae0 lladdr any more; now only the dae0-peer lladdr is needed, and since it lives inside the dae netns it should not be modified (hopefully...).
c. Remove the autoConfigFirewall flag, since nft no longer needs to be configured.
d. ip rule only needs to be set inside the dae netns.
Code Walkthrough
Checklist
Full Changelogs
Issue Reference
Closes #[issue number]
Test Result