Add support for TC programs

[mauriciovasquezbernal]

This PR implements support for TC programs in inspector gadget.

The main component of this PR is a new tchandler package that handles how TC programs are attached to containers and network interfaces. (very similar to the existing pkg/gadgets/internal/networktracer one). Programs are attached by using a clsact qdisc and filter in direct-action mode (check https://qmonnet.github.io/whirl-offload/2020/04/11/tc-bpf-direct-action/ to learn more).

For containers, the programs are attached to the peer interface on the host, this guarantees that processes running inside the container can't detach them from the interface. We might considering adding support for attaching these in the container side later on.

Gadgets with multiple TC programs, multiple gadgets and multiple instances of Inspektor Gadget running at the same time are supported. This is done by using a different handle each time a program is attached to the qdisc.

How to test

Define a TC program, for instance, this one is a very simple firewall: (It's not supported to fill the ips map yet, to this only works to print messages to trace_pipe)

#include <stdint.h>
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
#include <linux/if_ether.h>
#include <linux/ip.h>
#include <linux/swab.h>
#include <linux/pkt_cls.h>
#include <bpf/bpf_endian.h>

char __license[] SEC("license") = "GPL";

struct {
	__uint(type, BPF_MAP_TYPE_HASH);
	__uint(max_entries, 1024);
	__type(key, __u32); // ipv4
	__type(value, __u8); // not used
} ips SEC(".maps");

SEC("classifier/egress/drop")
int egress_drop(struct __sk_buff *skb) {
	//bpf_printk("Packet on egress");

	void *data_end = (void *)(unsigned long long)skb->data_end;
	void *data = (void *)(unsigned long long)skb->data;

	// Check if the packet is not malformed
	struct ethhdr *eth = data;
	if (data + sizeof(struct ethhdr) > data_end)
		return TC_ACT_SHOT;

	// Check that this is an IP packet
	if (bpf_ntohs(eth->h_proto) != ETH_P_IP)
		return TC_ACT_UNSPEC;

	// Check if the packet is not malformed
	struct iphdr *ip = data + sizeof(struct ethhdr);
	if (data + sizeof(struct ethhdr) + sizeof(struct iphdr) > data_end)
		return TC_ACT_SHOT;

	bpf_printk("egress: src:%pi4 -> dst: %pi4", &ip->saddr, &ip->daddr);

	// Drop packet if in map
	__u8 *dummy = bpf_map_lookup_elem(&ips, &ip->daddr);
	if (dummy) {
		bpf_printk("Dropping in egress");
		return TC_ACT_SHOT;
	}

	return TC_ACT_UNSPEC;
}

SEC("classifier/ingress/drop")
int ingress_drop(struct __sk_buff *skb) {
	//bpf_printk("Packet on ingress");

	void *data_end = (void *)(unsigned long long)skb->data_end;
	void *data = (void *)(unsigned long long)skb->data;

	// Check if the packet is not malformed
	struct ethhdr *eth = data;
	if (data + sizeof(struct ethhdr) > data_end)
		return TC_ACT_SHOT;

	// Check that this is an IP packet
	if (bpf_ntohs(eth->h_proto) != ETH_P_IP)
		return TC_ACT_UNSPEC;

	// Check if the packet is not malformed
	struct iphdr *ip = data + sizeof(struct ethhdr);
	if (data + sizeof(struct ethhdr) + sizeof(struct iphdr) > data_end)
		return TC_ACT_SHOT;

	bpf_printk("ingress: src:%pi4 -> dst: %pi4", &ip->saddr, &ip->daddr);

	// Drop packet if in map
	__u8 *dummy = bpf_map_lookup_elem(&ips, &ip->saddr);
	if (dummy)
		return TC_ACT_SHOT;

	return TC_ACT_UNSPEC;
}

Build the gadget:

$ sudo -E ig image build . -t mytcgadget

And run it:

$ sudo -E ig run mytcgadget --iface enp5s0 
INFO[0000] Experimental features enabled                
INFO[0000] Running. Press Ctrl + C to finish

check trace_pipe to see the debug messages:

$ sudo cat /sys/kernel/debug/tracing/trace_pipe
          <idle>-0       [010] d.s.. 32963.221506: bpf_trace_printk: comm: wget, pid: 105845
          <idle>-0       [010] d.s.. 32963.227058: bpf_trace_printk: egress: src:192.178.050.068 -> dst: 172.017.000.004
          <idle>-0       [010] d.s.. 32963.227062: bpf_trace_printk: comm: wget, pid: 105845
          <idle>-0       [010] d.s.. 32963.227071: bpf_trace_printk: egress: src:172.017.000.004 -> dst: 192.178.050.068
          <idle>-0       [010] d.s.. 32963.227072: bpf_trace_printk: comm: wget, pid: 105845
          <idle>-0       [010] d.s.. 32963.227944: bpf_trace_printk: egress: src:192.178.050.068 -> dst: 172.017.000.004
          <idle>-0       [010] d.s.. 32963.227947: bpf_trace_printk: comm: wget, pid: 105845
          <idle>-0       [010] d.s.. 32963.227952: bpf_trace_printk: egress: src:172.017.000.004 -> dst: 192.178.050.068
          <idle>-0       [010] d.s.. 32963.227953: bpf_trace_printk: comm: wget, pid: 105845

Fixes #2369

TODO:

• Tests
• Documentation
• How to handle multiple TC gadgets at the same time
• How to handle multiple instances of ig at the same time
• How to handle collisions with other applications using TC programs (clsact qdisc and filters)
• Understand how the --iface parameter should behave when there are containers present

[alban]

Should there be a way to attach the same tc program to the network interfaces of several containers, like we do for the socket filters?

Should we have a way to attach the tc program to a non-root qdisc? Maybe the handle and the parent should be a parameter, defaulting to the root handle as you've done?

[alban]

How to handle multiple TC gadgets at the same time

Do you mean a gadget containing several conflicting tc programs?

How to handle multiple instances of ig at the same time
How to handle collisions with other applications using TC programs (clsact qdisc and filters)

I would do it the same way the iptables and tc tools do: just do what's requested by the user and allow newer instances to overwrite the setup done by a previous instance.

[alban]

In the documentation, we will need to say we don't support tc ebpf programs that uses tc's ELF convention. For examples, those programs won't work:
https://github.com/iproute2/iproute2/tree/main/examples/bpf

And I guess the documentation should say which ELF convention we support instead...

[mauriciovasquezbernal]

Should there be a way to attach the same tc program to the network interfaces of several containers, like we do for the socket filters?

I implement that in the last update. The support is almost identical to the socket programs. I implement it as as separated package, but I'll check if this is possible to consolidate on the same module.

Should we have a way to attach the tc program to a non-root qdisc? Maybe the handle and the parent should be a parameter, defaulting to the root handle as you've done?

I'm learning more about traffic control in linux. We're using the clsact for attaching these programs, and AFAIU it's only possible to have a one of them per interface. Do you know if that's right?

Do you mean a gadget containing several conflicting tc programs?

I was thinking more about multiple instances of the same gadget or even different gadgets. I'm not sure if a gadget with multiple programs is a valid use case, perhaps there it's better to have a single program that is attached and then use tail calls to invoke other programs.

I would do it the same way the iptables and tc tools do: just do what's requested by the user and allow newer instances to overwrite the setup done by a previous instance.

I agree, however I still need to better understand how it works to write down the documentation.

[mauriciovasquezbernal]

After some more investigation I found out that it's actually possible to attach multiple eBPF programs to the same TC hook (qdisc). The thing is that the programs have to return TC_ACT_UNSPEC to let other programs process the packet, if they return TC_ACT_OK other programs are skipped.

I implemented a simple logic that loops using a different handle until one available is found. I limited that to the first 128 handles, but we can discuss this approach once this PR is more mature.

[eiffel-fl]

I will take another big picture look and will test it, but for now here are some comments:

[eiffel-fl]

Same here.

[eiffel-fl]

OK, but this is still an integration test.
We should aim for more unit tests for run and we can still use real gadgets as integration ones.

[mauriciovasquezbernal]

Do you have a specific idea of how this test could be implement as a unit one?

[eiffel-fl]

Not for this particular one but I would rather use a real gadget as integration one here.
Otherwise, if we start to have "real gadgets" and "integration test ones" this will begin to be a real mess to maintain.

[mauriciovasquezbernal]

With image-based gadgets Inspektor Gadget is becoming more a framework than a collection of tools, hence we need to make sure the framework is working fine. I think we should be testing the framework part (the ability to pull, load, attach, confiture, etc.. ebpf programs.) without using real gadgets. The reasons are:

• It's possible that don't have gadgets that use all features of the framework. The TC support on this PR is one example of that.
• It's easier to understand if an issue is on the framework rather than in the gadget.
• Tests are easier to implement as we don't depend on the gadget's logic.
• By using mock gadgets we could be able to test more corner cases than by using real ones.
• It can happen that we'll move the "official gadgets" to an independent repository later on, so using them to test will add an "external dependency"

I agree we need more unit tests, but these ones are needed as well.

#2301 is following this discussion.

[blanquicet]

Some comments. I'll try it tomorrow.

[blanquicet]

I would suggest to make it a const.

[eiffel-fl]

I tested it and it works fine:

...
            wget-25601   [003] ..s2.  5108.850198: bpf_trace_printk: egress: src:010.010.000.003 -> dst: 188.114.096.002
            wget-25601   [003] ..s2.  5108.851160: bpf_trace_printk: egress: src:010.010.000.003 -> dst: 188.114.096.002
...

I have some comments though I will approve it but I would like another approval before it being merged.

[eiffel-fl]

Can you mimic how it is defined in the code you linked? Something like this:

Suggested change

	filterInfo = uint32(0x00010300) // priority (1) << 16 | proto (htons(ETH_P_ALL))
	proto = /* ... */
	filterInfo = uint32(1 << 16) | proto

[mauriciovasquezbernal]

I wasn't able to make it a const because the compiler complains when I use htons. I changed it a bit to be more clear without using htons.

[eiffel-fl]

Should it be a const?

[mauriciovasquezbernal]

I think it's just fine to have it there. It's not used anywhere else.

[blanquicet]

IMO, the PR is ready to go after managing these comments.