support xdp auth in tailcall

[weli-l]

What type of PR is this?

What this PR does / why we need it:
support xdp auth in tail call
Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

[codecov]

Codecov Report

Attention: Patch coverage is 15.78947% with 48 lines in your changes missing coverage. Please review.

Project coverage is 48.91%. Comparing base (f14f7d2) to head (e22e641).
Report is 31 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/status/status_server.go	0.00%	34 Missing ⚠️
pkg/bpf/workload/xdp.go	50.00%	6 Missing and 3 partials ⚠️
pkg/bpf/bpf.go	0.00%	4 Missing ⚠️
pkg/controller/controller.go	0.00%	1 Missing ⚠️

Files with missing lines	Coverage Δ
pkg/controller/controller.go	0.00% <0.00%> (ø)
pkg/bpf/bpf.go	37.30% <0.00%> (-0.15%)	⬇️
pkg/bpf/workload/xdp.go	48.27% <50.00%> (-0.30%)	⬇️
pkg/status/status_server.go	35.48% <0.00%> (-3.46%)	⬇️

... and 2 files with indirect coverage changes

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 6cdc638...e22e641. Read the comment docs.

[lec-bit]

/retest

[LiZhenCheng9527]

In the case where only error is returned, is it possible to know if it is a policyCheck error or a ruleCheck error?

[hzxuzhonghu]

please add some more error info

[weli-l]

/retest

[hzxuzhonghu]

suggest add kmesh prefix

Add __uint(map_flags, BPF_F_NO_PREALLOC);

Is 256 enough? I think we should greatly increase to support higher throughput if BPF_F_NO_PREALLOC set

[hzxuzhonghu]

Suggested change

	BPF_LOG(ERR, AUTH, "Failed to read policyId, thrown it to user auth");
	BPF_LOG(ERR, AUTH, "Failed to read policyId, throw it to user auth");

[hzxuzhonghu]

Suggested change

	BPF_LOG(DEBUG, AUTH, "Failed to delete context from map");
	BPF_LOG(DEBUG, AUTH, "Failed to delete tailcall context from map");

[hzxuzhonghu]

please be more clear

[hzxuzhonghu]

MAX_MEMBER_NUM_PER_POLICY does not only limit the policy numbers but also the rules number per policy, right?

[hzxuzhonghu]

please rename

[hzxuzhonghu]

should we move the policy index check here?

    if (res->policy_index < 0 || res->policy_index >= MAX_MEMBER_NUM_PER_POLICY) {
        BPF_LOG(ERR, AUTH, "Policy index out of bounds");
        return XDP_PASS;
    }

[YaoZengzeng]

redundant check with line 342?

[weli-l]

redundant check with line 342?

In xdp type eBPF program, the null pointer check may fail. An additional check is needed here, otherwise the verifier will report an error.

[YaoZengzeng]

redundant check

[weli-l]

/retest

[supercharge-xsy]

This code has multiple calls in the function, can it converge to one place?：
bpf_map_delete_elem(&kmesh_tc_info_map, &tuple_key)
bpf_tail_call(ctx, &xdp_tailcall_map, TAIL_CALL_AUTH_IN_USER_SPACE);

[tacslon]

Why remove the inline here?

[hzxuzhonghu]

Suggested change

	} kmesh_tc_info_map SEC(".maps");
	} kmesh_tc_args SEC(".maps");

[hzxuzhonghu]

please add some more error info

[hzxuzhonghu]

Suggested change

	int xdp_shutdown(struct xdp_md *ctx)
	int xdp_authz(struct xdp_md *ctx)

[hzxuzhonghu]

Suggested change

	SEC("xdp_auth")
	SEC("xdp_authz")

[hzxuzhonghu]

here we write a ctx to this map, and in the another place this ctx could be read , is it safe to access policies concurrently?

[hzxuzhonghu]

Suggested change

	SEC("xdp_auth")
	SEC("xdp_authz")

[weli-l]

A switch needs to be added to determine whether to enable link-level authentication or packet-based authentication.

[hzxuzhonghu]

It is painful for me to review such a big pr with round and round update/review. We should incrementallly update. Never force push

[hzxuzhonghu]

nit https://github.com/kmesh-net/kmesh/pull/1015/files#diff-e531188f2d6f84d9df52b52c90eb506619ef6d6d6ec4169dd093fcc33531a3fbR66 we are changing to a config map

[hzxuzhonghu]

I think this should be called match_dst_port

[hzxuzhonghu]

log should be started with small cased word

[hzxuzhonghu]

this is not an error, it is a valid case to have {}

[hzxuzhonghu]

instead of parsing this everywhere, can we move the parsed res into kmesh_tc_args

[hzxuzhonghu]

ditto if we add to the kmesh_tc_args, we will not need to parse again

[hzxuzhonghu]

Suggested change

	static bool is_authz_enabled()
	static bool is_authz_offload_enabled()

[hzxuzhonghu]

this logic is not correct. Say we have two authorizationPolicy set, wih the returned result, i think we may miss the second policy check

[hzxuzhonghu]

/lgtm

[kmesh-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hzxuzhonghu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [hzxuzhonghu]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment