Merge pull request #687 from TrekkieCoder/main

gh-48 Initial support for L7 proxy w/wo sockmap
loxilb-io · Jun 1, 2024 · d95b2b2 · d95b2b2
2 parents 2b57ba5 + 90e789d
commit d95b2b2
Show file tree

Hide file tree

Showing 10 changed files with 58 additions and 35 deletions.
diff --git a/Makefile b/Makefile
@@ -31,6 +31,9 @@ docker-cp: build
 	docker cp /opt/loxilb/llb_ebpf_emain.o $(loxilbid):/opt/loxilb/llb_ebpf_emain.o
 	docker cp /opt/loxilb/llb_xdp_main.o $(loxilbid):/opt/loxilb/llb_xdp_main.o
 	docker cp /opt/loxilb/llb_kern_sock.o $(loxilbid):/opt/loxilb/llb_kern_sock.o
+	docker cp /opt/loxilb/llb_kern_sockmap.o $(loxilbid):/opt/loxilb/llb_kern_sockmap.o
+	docker cp /opt/loxilb/llb_kern_sockstream.o $(loxilbid):/opt/loxilb/llb_kern_sockstream.o
+	docker cp /opt/loxilb/llb_kern_sockdirect.o $(loxilbid):/opt/loxilb/llb_kern_sockdirect.o
 	docker cp loxilb-ebpf/kernel/loxilb_dp_debug  $(loxilbid):/usr/local/sbin/
 	docker cp loxilb-ebpf/libbpf/src/libbpf.so.0.8.1 $(loxilbid):/usr/lib64/
 	docker cp loxilb-ebpf/utils/loxilb_dp_tool $(loxilbid):/usr/local/sbin/

diff --git a/cicd/k3s-incluster/loxilb.yml b/cicd/k3s-incluster/loxilb.yml
@@ -58,7 +58,7 @@ spec:
       - name: loxilb-app
         image: "ghcr.io/loxilb-io/loxilb:latest"
         imagePullPolicy: IfNotPresent
-        command: [ "/root/loxilb-io/loxilb/loxilb", "--egr-hooks", "--blacklist=cni[0-9a-z]|veth.|flannel.|cali.|tunl.|vxlan[.]calico", "--localvip" ]
+        command: [ "/root/loxilb-io/loxilb/loxilb", "--egr-hooks", "--blacklist=cni[0-9a-z]|veth.|flannel.|cali.|tunl.|vxlan[.]calico", "--localsockpolicy" ]
         ports:
         - containerPort: 11111
         - containerPort: 179

diff --git a/cicd/tcplb-local/config.sh b/cicd/tcplb-local/config.sh
@@ -6,7 +6,7 @@ echo "#########################################"
 echo "Spawning all hosts"
 echo "#########################################"
 
-spawn_docker_host --dock-type loxilb --dock-name llb1 --extra-args "--localvip"
+spawn_docker_host --dock-type loxilb --dock-name llb1 --extra-args "--localsockpolicy"
 spawn_docker_host --dock-type host --dock-name l3h1
 spawn_docker_host --dock-type host --dock-name l3ep1
 spawn_docker_host --dock-type host --dock-name l3ep2

diff --git a/common/common.go b/common/common.go
@@ -489,6 +489,8 @@ const (
 	LBModeFullNAT
 	// LBModeDSR - DSR Mode
 	LBModeDSR
+	// LBModeFullProxy
+	LBModeFullProxy
 )
 
 // LbServiceArg - Information related to load-balancer service

diff --git a/loxilb-ebpf b/loxilb-ebpf
diff --git a/options/options.go b/options/options.go
@@ -32,5 +32,6 @@ var Opts struct {
 	K8sAPI            string         `long:"k8s-api" description:"Enable k8s watcher(experimental)" default:"none"`
 	IPVSCompat        bool           `long:"ipvs-compat" description:"Enable ipvs-compat(experimental)"`
 	FallBack          bool           `long:"fallback" description:"Fallback to system default networking(experimental)"`
-	LocalVIP          bool           `long:"localvip" description:"support vip availability from lb node(experimental)"`
+	LocalSockPolicy   bool           `long:"localsockpolicy" description:"support local socket policies (experimental)"`
+	SockMapSupport    bool           `long:"sockmapsupport" description:"Support sockmap based L4 proxying (experimental)"`
 }
diff --git a/pkg/loxinet/dpbroker.go b/pkg/loxinet/dpbroker.go
@@ -250,6 +250,7 @@ const (
 	DpHsnat
 	DpHdnat
 	DpFullNat
+	DpFullProxy
 )
 
 // NatSel - type of nat end-point selection algorithm

diff --git a/pkg/loxinet/dpebpf_linux.go b/pkg/loxinet/dpebpf_linux.go
@@ -261,7 +261,7 @@ func DpEbpfSetLogLevel(logLevel tk.LogLevelT) {
 }
 
 // DpEbpfInit - initialize the ebpf dp subsystem
-func DpEbpfInit(clusterEn, rssEn, egrHooks, localVIP bool, nodeNum int, logLevel tk.LogLevelT) *DpEbpfH {
+func DpEbpfInit(clusterEn, rssEn, egrHooks, localSockPolicy, sockMapEn bool, nodeNum int, logLevel tk.LogLevelT) *DpEbpfH {
 	var cfg C.struct_ebpfcfg
 
 	if clusterEn {
@@ -274,11 +274,16 @@ func DpEbpfInit(clusterEn, rssEn, egrHooks, localVIP bool, nodeNum int, logLevel
 	} else {
 		cfg.egr_hooks = 0
 	}
-	if localVIP {
+	if localSockPolicy {
 		cfg.have_sockrwr = 1
 	} else {
 		cfg.have_sockrwr = 0
 	}
+	if sockMapEn {
+		cfg.have_sockmap = 1
+	} else {
+		cfg.have_sockmap = 0
+	}
 
 	cfg.nodenum = C.int(nodeNum)
 	cfg.loglevel = 1
@@ -367,9 +372,7 @@ func (e *DpEbpfH) DpEbpfUnInit() {
 		C.free(unsafe.Pointer(section))
 	}
 
-	if mh.locVIP {
-		C.llb_unload_kern_sock()
-	}
+	C.llb_unload_kern_all()
 }
 
 func convNetIP2DPv6Addr(addr unsafe.Pointer, goIP net.IP) {
@@ -933,6 +936,8 @@ func DpNatLbRuleMod(w *NatDpWorkQ) int {
 			dat.ca.act_type = C.DP_SET_SNAT
 		} else if w.NatType == DpDnat || w.NatType == DpFullNat {
 			dat.ca.act_type = C.DP_SET_DNAT
+		} else if w.NatType == DpFullProxy {
+			dat.ca.act_type = C.DP_SET_FULLPROXY
 		} else {
 			tk.LogIt(tk.LogDebug, "[DP] LB rule %s add[NOK] - EbpfErrNat4Add\n", w.ServiceIP.String())
 			return EbpfErrNat4Add

diff --git a/pkg/loxinet/loxinet.go b/pkg/loxinet/loxinet.go
@@ -59,26 +59,27 @@ const (
 )
 
 type loxiNetH struct {
-	dpEbpf *DpEbpfH
-	dp     *DpH
-	zn     *ZoneH
-	zr     *Zone
-	mtx    sync.RWMutex
-	ticker *time.Ticker
-	tDone  chan bool
-	sigCh  chan os.Signal
-	wg     sync.WaitGroup
-	bgp    *GoBgpH
-	sumDis bool
-	pProbe bool
-	has    *CIStateH
-	logger *tk.Logger
-	ready  bool
-	self   int
-	rssEn  bool
-	eHooks bool
-	locVIP bool
-	pFile  *os.File
+	dpEbpf      *DpEbpfH
+	dp          *DpH
+	zn          *ZoneH
+	zr          *Zone
+	mtx         sync.RWMutex
+	ticker      *time.Ticker
+	tDone       chan bool
+	sigCh       chan os.Signal
+	wg          sync.WaitGroup
+	bgp         *GoBgpH
+	sumDis      bool
+	pProbe      bool
+	has         *CIStateH
+	logger      *tk.Logger
+	ready       bool
+	self        int
+	rssEn       bool
+	eHooks      bool
+	lSockPolicy bool
+	sockMapEn   bool
+	pFile       *os.File
 }
 
 // NodeWalker - an implementation of node walker interface
@@ -216,7 +217,8 @@ func loxiNetInit() {
 	mh.eHooks = opts.Opts.EgrHooks
 	mh.sumDis = opts.Opts.CSumDisable
 	mh.pProbe = opts.Opts.PassiveEPProbe
-	mh.locVIP = opts.Opts.LocalVIP
+	mh.lSockPolicy = opts.Opts.LocalSockPolicy
+	mh.sockMapEn = opts.Opts.SockMapSupport
 	mh.sigCh = make(chan os.Signal, 5)
 	signal.Notify(mh.sigCh, os.Interrupt, syscall.SIGCHLD, syscall.SIGHUP, syscall.SIGINT, syscall.SIGTERM)
 
@@ -241,11 +243,11 @@ func loxiNetInit() {
 	}
 
 	if !opts.Opts.BgpPeerMode {
-		if mh.locVIP {
+		if mh.lSockPolicy {
 			RunCommand(MkMountCG2, false)
 		}
 		// Initialize the ebpf datapath subsystem
-		mh.dpEbpf = DpEbpfInit(clusterMode, mh.rssEn, mh.eHooks, mh.locVIP, mh.self, -1)
+		mh.dpEbpf = DpEbpfInit(clusterMode, mh.rssEn, mh.eHooks, mh.lSockPolicy, mh.sockMapEn, mh.self, -1)
 		mh.dp = DpBrokerInit(mh.dpEbpf, rpcMode)
 
 		// Initialize the security zone subsystem

diff --git a/pkg/loxinet/rules.go b/pkg/loxinet/rules.go
@@ -168,6 +168,7 @@ const (
 	RtActDnat
 	RtActSnat
 	RtActFullNat
+	RtActFullProxy
 )
 
 // possible types of end-point probe
@@ -646,11 +647,14 @@ func (a *ruleAct) String() string {
 		ks += fmt.Sprintf("%s", "trap")
 	} else if a.actType == RtActDnat ||
 		a.actType == RtActSnat ||
-		a.actType == RtActFullNat {
+		a.actType == RtActFullNat ||
+		a.actType == RtActFullProxy {
 		if a.actType == RtActSnat {
 			ks += fmt.Sprintf("%s", "do-snat:")
 		} else if a.actType == RtActDnat {
 			ks += fmt.Sprintf("%s", "do-dnat:")
+		} else if a.actType == RtActFullProxy {
+			ks += fmt.Sprintf("%s", "do-fullproxy:")
 		} else {
 			ks += fmt.Sprintf("%s", "do-fullnat:")
 		}
@@ -1444,6 +1448,8 @@ func (R *RuleH) AddNatLbRule(serv cmn.LbServiceArg, servSecIPs []cmn.LbSecIPArg,
 	r.name = serv.Name
 	if serv.Mode == cmn.LBModeFullNAT || serv.Mode == cmn.LBModeOneArm {
 		r.act.actType = RtActFullNat
+	} else if serv.Mode == cmn.LBModeFullProxy {
+		r.act.actType = RtActFullProxy
 	} else {
 		r.act.actType = RtActDnat
 	}
@@ -2321,7 +2327,7 @@ func (R *RuleH) RuleDestructAll() {
 // VIP2DP - Sync state of nat-rule for local sock VIP-port rewrite
 func (r *ruleEnt) VIP2DP(work DpWorkT) int {
 	portMap := make(map[int]struct{})
-	if mh.locVIP {
+	if mh.lSockPolicy {
 		switch at := r.act.action.(type) {
 		case *ruleNatActs:
 			for _, ep := range at.endPoints {
@@ -2371,6 +2377,8 @@ func (r *ruleEnt) Nat2DP(work DpWorkT) int {
 		nWork.NatType = DpSnat
 	} else if r.act.actType == RtActFullNat {
 		nWork.NatType = DpFullNat
+	} else if r.act.actType == RtActFullProxy {
+		nWork.NatType = DpFullProxy
 	} else {
 		return -1
 	}
@@ -2592,7 +2600,8 @@ func (r *ruleEnt) DP(work DpWorkT) int {
 
 	if r.act.actType == RtActDnat ||
 		r.act.actType == RtActSnat ||
-		r.act.actType == RtActFullNat {
+		r.act.actType == RtActFullNat ||
+		r.act.actType == RtActFullProxy {
 		isNat = true
 	}