From 46948c716dc955d635fc216c07dbfdddd910fff3 Mon Sep 17 00:00:00 2001 From: weli-l <1289113577@qq.com> Date: Thu, 17 Oct 2024 21:43:53 +0800 Subject: [PATCH 1/8] support xdp auth in tailcall Signed-off-by: weli-l <1289113577@qq.com> --- bpf/kmesh/workload/include/authz.h | 242 ++++++++++++++++++++++--- bpf/kmesh/workload/include/backend.h | 3 - bpf/kmesh/workload/include/config.h | 15 +- bpf/kmesh/workload/include/tail_call.h | 20 +- bpf/kmesh/workload/xdp.c | 103 +++-------- pkg/bpf/workload/xdp.go | 21 +++ pkg/constants/constants.go | 7 +- 7 files changed, 290 insertions(+), 121 deletions(-) diff --git a/bpf/kmesh/workload/include/authz.h b/bpf/kmesh/workload/include/authz.h index 693793e0c..47658308d 100644 --- a/bpf/kmesh/workload/include/authz.h +++ b/bpf/kmesh/workload/include/authz.h @@ -7,6 +7,7 @@ #include "workload_common.h" #include "bpf_log.h" #include "xdp.h" +#include "tail_call.h" #include "workloadapi/security/authorization.pb-c.h" #define AUTH_ALLOW 0 @@ -22,6 +23,26 @@ struct { __uint(max_entries, MAP_SIZE_OF_AUTH_POLICY); } map_of_authz SEC(".maps"); +struct match_context { + __u32 action; + __u8 policy_index; + __u8 n_rules; + wl_policies_v *policies; + void *rulesPtr; +}; + +/* + * This map is used to store the variable that + * xdp_auth needs to pass during the tail call + */ +struct { + __uint(type, BPF_MAP_TYPE_HASH); + __uint(key_size, sizeof(struct bpf_sock_tuple)); + __uint(value_size, sizeof(struct match_context)); + __uint(map_flags, BPF_F_NO_PREALLOC); + __uint(max_entries, MAP_SIZE_OF_AUTH_TAILCALL); +} kmesh_tc_info_map SEC(".maps"); + static inline Istio__Security__Authorization *map_lookup_authz(__u32 policyKey) { return (Istio__Security__Authorization *)kmesh_map_lookup_elem(&map_of_authz, &policyKey); @@ -32,19 +53,82 @@ static inline wl_policies_v *get_workload_policies_by_uid(__u32 workload_uid) return (wl_policies_v *)kmesh_map_lookup_elem(&map_of_wl_policy, &workload_uid); } -static inline int matchDstPorts(Istio__Security__Match *match, struct xdp_info *info, struct bpf_sock_tuple *tuple_info) +static inline int parser_xdp_info(struct xdp_md *ctx, struct xdp_info *info) +{ + void *begin = (void *)(long)(ctx->data); + void *end = (void *)(long)(ctx->data_end); + + // eth header + info->ethh = (struct ethhdr *)begin; + if ((void *)(info->ethh + 1) > end) + return PARSER_FAILED; + + // ip4|ip6 header + begin = info->ethh + 1; + if ((begin + 1) > end) + return PARSER_FAILED; + if (((struct iphdr *)begin)->version == 4) { + info->iph = (struct iphdr *)begin; + if ((void *)(info->iph + 1) > end || (info->iph->protocol != IPPROTO_TCP)) + return PARSER_FAILED; + begin = (info->iph + 1); + } else if (((struct iphdr *)begin)->version == 6) { + info->ip6h = (struct ipv6hdr *)begin; + if ((void *)(info->ip6h + 1) > end || (info->ip6h->nexthdr != IPPROTO_TCP)) + return PARSER_FAILED; + begin = (info->ip6h + 1); + } else + return PARSER_FAILED; + + info->tcph = (struct tcphdr *)begin; + if ((void *)(info->tcph + 1) > end) + return PARSER_FAILED; + return PARSER_SUCC; +} + +static inline void parser_tuple(struct xdp_info *info, struct bpf_sock_tuple *tuple_info) +{ + if (info->iph->version == 4) { + tuple_info->ipv4.saddr = info->iph->saddr; + tuple_info->ipv4.daddr = info->iph->daddr; + tuple_info->ipv4.sport = info->tcph->source; + tuple_info->ipv4.dport = info->tcph->dest; + } else { + bpf_memcpy((__u8 *)tuple_info->ipv6.saddr, info->ip6h->saddr.in6_u.u6_addr8, IPV6_ADDR_LEN); + bpf_memcpy((__u8 *)tuple_info->ipv6.daddr, info->ip6h->daddr.in6_u.u6_addr8, IPV6_ADDR_LEN); + tuple_info->ipv6.sport = info->tcph->source; + tuple_info->ipv6.dport = info->tcph->dest; + } +} + +static int construct_tuple_key(struct xdp_md *ctx, struct bpf_sock_tuple *tuple_info, struct xdp_info *info) +{ + int ret = parser_xdp_info(ctx, info); + if (ret != PARSER_SUCC) { + BPF_LOG(ERR, AUTH, "Failed to parse xdp_info"); + return PARSER_FAILED; + } + + parser_tuple(info, tuple_info); + + return PARSER_SUCC; +} + +static int matchDstPorts(Istio__Security__Match *match, struct xdp_info *info, struct bpf_sock_tuple *tuple_info) { __u32 *notPorts = NULL; __u32 *ports = NULL; __u32 i; if (match->n_destination_ports == 0 && match->n_not_destination_ports == 0) { + BPF_LOG(DEBUG, AUTH, "No ports configured, matching by default"); return MATCHED; } if (match->n_not_destination_ports != 0) { notPorts = KMESH_GET_PTR_VAL(match->not_destination_ports, void *); if (!notPorts) { + BPF_LOG(ERR, AUTH, "Failed to retrieve not_destination_ports pointer"); return UNMATCHED; } #pragma unroll @@ -54,10 +138,12 @@ static inline int matchDstPorts(Istio__Security__Match *match, struct xdp_info * } if (info->iph->version == 4) { if (bpf_htons(notPorts[i]) == tuple_info->ipv4.dport) { + BPF_LOG(DEBUG, AUTH, "Port %u in not_destination_ports, unmatched", notPorts[i]); return UNMATCHED; } } else { if (bpf_htons(notPorts[i]) == tuple_info->ipv6.dport) { + BPF_LOG(DEBUG, AUTH, "Port %u in not_destination_ports, unmatched", notPorts[i]); return UNMATCHED; } } @@ -65,11 +151,13 @@ static inline int matchDstPorts(Istio__Security__Match *match, struct xdp_info * } // if not match not_destination_ports && has no destination_ports, return MATCHED if (match->n_destination_ports == 0) { + BPF_LOG(INFO, AUTH, "No destination_ports configured, matching by default"); return MATCHED; } ports = KMESH_GET_PTR_VAL(match->destination_ports, void *); if (!ports) { + BPF_LOG(ERR, AUTH, "Failed to retrieve destination_ports pointer"); return UNMATCHED; } #pragma unroll @@ -79,18 +167,21 @@ static inline int matchDstPorts(Istio__Security__Match *match, struct xdp_info * } if (info->iph->version == 4) { if (bpf_htons(ports[i]) == tuple_info->ipv4.dport) { + BPF_LOG(INFO, AUTH, "Port %u in destination_ports, matched", ports[i]); return MATCHED; } } else { if (bpf_htons(ports[i]) == tuple_info->ipv6.dport) { + BPF_LOG(INFO, AUTH, "Port %u in destination_ports, matched", ports[i]); return MATCHED; } } } + BPF_LOG(DEBUG, AUTH, "No matching ports found, unmatched"); return UNMATCHED; } -static inline int match_check(Istio__Security__Match *match, struct xdp_info *info, struct bpf_sock_tuple *tuple_info) +static int match_check(Istio__Security__Match *match, struct xdp_info *info, struct bpf_sock_tuple *tuple_info) { __u32 matchResult; @@ -100,8 +191,7 @@ static inline int match_check(Istio__Security__Match *match, struct xdp_info *in return matchResult; } -static inline int -clause_match_check(Istio__Security__Clause *cl, struct xdp_info *info, struct bpf_sock_tuple *tuple_info) +static int clause_match_check(Istio__Security__Clause *cl, struct xdp_info *info, struct bpf_sock_tuple *tuple_info) { void *matchsPtr = NULL; Istio__Security__Match *match = NULL; @@ -132,8 +222,7 @@ clause_match_check(Istio__Security__Clause *cl, struct xdp_info *info, struct bp return UNMATCHED; } -static inline int -rule_match_check(Istio__Security__Rule *rule, struct xdp_info *info, struct bpf_sock_tuple *tuple_info) +static int rule_match_check(Istio__Security__Rule *rule, struct xdp_info *info, struct bpf_sock_tuple *tuple_info) { void *clausesPtr = NULL; Istio__Security__Clause *clause = NULL; @@ -167,49 +256,144 @@ rule_match_check(Istio__Security__Rule *rule, struct xdp_info *info, struct bpf_ return MATCHED; } -static inline int -do_auth(Istio__Security__Authorization *policy, struct xdp_info *info, struct bpf_sock_tuple *tuple_info) +SEC("xdp_auth") +int policy_check(struct xdp_md *ctx) { - void *rulesPtr = NULL; - Istio__Security__Rule *rule = NULL; - int matchFlag = 0; - __u32 i = 0; + struct match_context *match_ctx; + wl_policies_v *policies; + void *rulesPtr; + __u32 policyId; + Istio__Security__Authorization *policy; + struct bpf_sock_tuple tuple_key = {0}; + struct xdp_info info = {0}; + int ret; + + if (construct_tuple_key(ctx, &tuple_key, &info) != PARSER_SUCC) { + BPF_LOG(ERR, AUTH, "policy_check, Failed to get tuple key"); + return XDP_ABORTED; + } - if (policy->n_rules == 0) { - BPF_LOG(ERR, AUTH, "auth policy %s has no rules\n", KMESH_GET_PTR_VAL(policy->name, char *)); - return AUTH_ALLOW; + match_ctx = bpf_map_lookup_elem(&kmesh_tc_info_map, &tuple_key); + if (!match_ctx) { + BPF_LOG(ERR, AUTH, "Failed to retrieve tailcall context from kmesh_tc_info_map"); + return XDP_PASS; } - // Rules are OR-ed. - rulesPtr = KMESH_GET_PTR_VAL(policy->rules, void *); - if (!rulesPtr) { - BPF_LOG(ERR, AUTH, "failed to get rules from policy %s\n", KMESH_GET_PTR_VAL(policy->name, char *)); - return AUTH_DENY; + policies = match_ctx->policies; + if (!policies) { + return XDP_PASS; } + // Safely access policyId and check if the policy exists + if (bpf_probe_read_kernel(&policyId, sizeof(policyId), (void *)(policies->policyIds + match_ctx->policy_index)) + != 0) { + BPF_LOG(ERR, AUTH, "Failed to read policyId, throw it to user auth"); + if (bpf_map_delete_elem(&kmesh_tc_info_map, &tuple_key) != 0) { + BPF_LOG(DEBUG, AUTH, "Failed to delete context from map"); + } + bpf_tail_call(ctx, &xdp_tailcall_map, TAIL_CALL_AUTH_IN_USER_SPACE); + } + policy = map_lookup_authz(policyId); + if (!policy) { + // if no policy matches in xdp, thrown it to user auth + if (bpf_map_delete_elem(&kmesh_tc_info_map, &tuple_key) != 0) { + BPF_LOG(DEBUG, AUTH, "Failed to delete tailcall context from map"); + } + bpf_tail_call(ctx, &xdp_tailcall_map, TAIL_CALL_AUTH_IN_USER_SPACE); + } else { + rulesPtr = kmesh_get_ptr_val(policy->rules); + if (!rulesPtr) { + BPF_LOG(ERR, AUTH, "failed to get rules from policy %s\n", kmesh_get_ptr_val(policy->name)); + return XDP_DROP; + } + match_ctx->rulesPtr = rulesPtr; + match_ctx->n_rules = policy->n_rules; + match_ctx->action = policy->action; + ret = bpf_map_update_elem(&kmesh_tc_info_map, &tuple_key, match_ctx, BPF_ANY); + if (ret < 0) { + BPF_LOG(ERR, AUTH, "Failed to update map, error: %d", ret); + return XDP_DROP; + } + bpf_tail_call(ctx, &xdp_tailcall_map, TAIL_CALL_RULE_CHECK); + } + return XDP_PASS; +} + +SEC("xdp_auth") +int rule_check(struct xdp_md *ctx) +{ + struct match_context *match_ctx; + struct bpf_sock_tuple tuple_key = {0}; + struct xdp_info info = {0}; + void *rulesPtr; + __u64 rule_addr; + void *rule; + int ret; + int i; + + if (construct_tuple_key(ctx, &tuple_key, &info) != PARSER_SUCC) { + BPF_LOG(ERR, AUTH, "Failed to get tuple key in rule_check"); + return XDP_ABORTED; + } + + match_ctx = bpf_map_lookup_elem(&kmesh_tc_info_map, &tuple_key); + if (!match_ctx) { + BPF_LOG(ERR, AUTH, "Failed to retrieve match_context from map"); + return XDP_PASS; + } for (i = 0; i < MAX_MEMBER_NUM_PER_POLICY; i++) { - if (i >= policy->n_rules) { + if (i >= match_ctx->n_rules) { + BPF_LOG(DEBUG, AUTH, "Rule index %d exceeds rule count %d, exiting loop", i, match_ctx->n_rules); break; } - rule = (Istio__Security__Rule *)KMESH_GET_PTR_VAL((void *)*((__u64 *)rulesPtr + i), Istio__Security__Rule); + if (!match_ctx) { + BPF_LOG(ERR, AUTH, "Failed to retrieve match_ctx from map"); + return XDP_PASS; + } + rulesPtr = match_ctx->rulesPtr; + if (!rulesPtr) { + BPF_LOG(ERR, AUTH, "rulesPtr is null"); + return XDP_PASS; + } + if (bpf_probe_read_kernel(&rule_addr, sizeof(rule_addr), &rulesPtr[i]) != 0) { + BPF_LOG(ERR, AUTH, "Failed to read rule address at index %d", i); + continue; + } + + rule = (Istio__Security__Rule *)kmesh_get_ptr_val((void *)rule_addr); if (!rule) { continue; } - if (rule_match_check(rule, info, tuple_info) == MATCHED) { - if (policy->action == ISTIO__SECURITY__ACTION__DENY) { + if (rule_match_check(rule, &info, &tuple_key) == MATCHED) { + if (match_ctx->action == ISTIO__SECURITY__ACTION__DENY) { + BPF_LOG(INFO, AUTH, "Rule matched, action: DENY"); + if (bpf_map_delete_elem(&kmesh_tc_info_map, &tuple_key) != 0) { + BPF_LOG(DEBUG, AUTH, "Failed to delete context from map"); + } return AUTH_DENY; } else { + BPF_LOG(INFO, AUTH, "Rule matched, action: ALLOW"); + if (bpf_map_delete_elem(&kmesh_tc_info_map, &tuple_key) != 0) { + BPF_LOG(DEBUG, AUTH, "Failed to delete context from map"); + } return AUTH_ALLOW; } } } - // no match rules - if (policy->action == ISTIO__SECURITY__ACTION__DENY) { - return AUTH_ALLOW; - } else { - return AUTH_DENY; + match_ctx->policy_index++; + if (match_ctx->policy_index >= MAX_MEMBER_NUM_PER_POLICY) { + BPF_LOG(ERR, AUTH, "Policy index out of bounds"); + bpf_tail_call(ctx, &xdp_tailcall_map, TAIL_CALL_AUTH_IN_USER_SPACE); + } + + ret = bpf_map_update_elem(&kmesh_tc_info_map, &tuple_key, match_ctx, BPF_ANY); + if (ret < 0) { + BPF_LOG(ERR, AUTH, "Failed to update map, error: %d", ret); + return XDP_DROP; } + bpf_tail_call(ctx, &xdp_tailcall_map, TAIL_CALL_POLICY_CHECK); + return XDP_PASS; } #endif \ No newline at end of file diff --git a/bpf/kmesh/workload/include/backend.h b/bpf/kmesh/workload/include/backend.h index 99037567c..760b9dc55 100644 --- a/bpf/kmesh/workload/include/backend.h +++ b/bpf/kmesh/workload/include/backend.h @@ -8,9 +8,6 @@ #include "encoder.h" #include "tail_call.h" -#define TAIL_CALL_CONNECT4_INDEX 0 -#define TAIL_CALL_CONNECT6_INDEX 1 - static inline backend_value *map_lookup_backend(const backend_key *key) { return kmesh_map_lookup_elem(&map_of_backend, key); diff --git a/bpf/kmesh/workload/include/config.h b/bpf/kmesh/workload/include/config.h index 5015b82dd..539fb80f1 100644 --- a/bpf/kmesh/workload/include/config.h +++ b/bpf/kmesh/workload/include/config.h @@ -5,13 +5,14 @@ #define _KMESH_CONFIG_H_ // map size -#define MAP_SIZE_OF_FRONTEND 105000 -#define MAP_SIZE_OF_SERVICE 5000 -#define MAP_SIZE_OF_ENDPOINT 105000 -#define MAP_SIZE_OF_BACKEND 100000 -#define MAP_SIZE_OF_AUTH 8192 -#define MAP_SIZE_OF_DSTINFO 8192 -#define MAP_SIZE_OF_AUTH_POLICY 512 +#define MAP_SIZE_OF_FRONTEND 105000 +#define MAP_SIZE_OF_SERVICE 5000 +#define MAP_SIZE_OF_ENDPOINT 105000 +#define MAP_SIZE_OF_BACKEND 100000 +#define MAP_SIZE_OF_AUTH 8192 +#define MAP_SIZE_OF_DSTINFO 8192 +#define MAP_SIZE_OF_AUTH_TAILCALL 100000 +#define MAP_SIZE_OF_AUTH_POLICY 512 // map name #define map_of_frontend kmesh_frontend diff --git a/bpf/kmesh/workload/include/tail_call.h b/bpf/kmesh/workload/include/tail_call.h index 0f9e921cb..5ae7cce0b 100644 --- a/bpf/kmesh/workload/include/tail_call.h +++ b/bpf/kmesh/workload/include/tail_call.h @@ -6,7 +6,17 @@ #include "workload_common.h" -#define MAP_SIZE_OF_TAIL_CALL_PROG 4 +#define MAP_SIZE_OF_TAIL_CALL_PROG 8 + +typedef struct bpf_sock_addr ctx_buff_t; + +typedef enum { + TAIL_CALL_CONNECT4_INDEX = 0, + TAIL_CALL_CONNECT6_INDEX, + TAIL_CALL_POLICY_CHECK, + TAIL_CALL_RULE_CHECK, + TAIL_CALL_AUTH_IN_USER_SPACE, +} workload_tail_call_index_t; struct { __uint(type, BPF_MAP_TYPE_PROG_ARRAY); @@ -16,6 +26,14 @@ struct { __uint(map_flags, 0); } map_of_tail_call_prog SEC(".maps"); +struct { + __uint(type, BPF_MAP_TYPE_PROG_ARRAY); + __uint(key_size, sizeof(__u32)); + __uint(value_size, sizeof(__u32)); + __uint(max_entries, MAP_SIZE_OF_TAIL_CALL_PROG); + __uint(map_flags, 0); +} xdp_tailcall_map SEC(".maps"); + static inline void kmesh_workload_tail_call(ctx_buff_t *ctx, const __u32 index) { bpf_tail_call(ctx, &map_of_tail_call_prog, index); diff --git a/bpf/kmesh/workload/xdp.c b/bpf/kmesh/workload/xdp.c index 71f4e5c08..14147aeb3 100644 --- a/bpf/kmesh/workload/xdp.c +++ b/bpf/kmesh/workload/xdp.c @@ -15,21 +15,6 @@ #include "authz.h" #include "xdp.h" -static inline void parser_tuple(struct xdp_info *info, struct bpf_sock_tuple *tuple_info) -{ - if (info->iph->version == 4) { - tuple_info->ipv4.saddr = info->iph->saddr; - tuple_info->ipv4.daddr = info->iph->daddr; - tuple_info->ipv4.sport = info->tcph->source; - tuple_info->ipv4.dport = info->tcph->dest; - } else { - bpf_memcpy((__u8 *)tuple_info->ipv6.saddr, info->ip6h->saddr.in6_u.u6_addr8, IPV6_ADDR_LEN); - bpf_memcpy((__u8 *)tuple_info->ipv6.daddr, info->ip6h->daddr.in6_u.u6_addr8, IPV6_ADDR_LEN); - tuple_info->ipv6.sport = info->tcph->source; - tuple_info->ipv6.dport = info->tcph->dest; - } -} - static inline void shutdown_tuple(struct xdp_info *info) { info->tcph->fin = 0; @@ -63,39 +48,6 @@ static inline int should_shutdown(struct xdp_info *info, struct bpf_sock_tuple * return AUTH_PASS; } -static inline int parser_xdp_info(struct xdp_md *ctx, struct xdp_info *info) -{ - void *begin = (void *)(long)(ctx->data); - void *end = (void *)(long)(ctx->data_end); - - // eth header - info->ethh = (struct ethhdr *)begin; - if ((void *)(info->ethh + 1) > end) - return PARSER_FAILED; - - // ip4|ip6 header - begin = info->ethh + 1; - if ((begin + 1) > end) - return PARSER_FAILED; - if (((struct iphdr *)begin)->version == 4) { - info->iph = (struct iphdr *)begin; - if ((void *)(info->iph + 1) > end || (info->iph->protocol != IPPROTO_TCP)) - return PARSER_FAILED; - begin = (info->iph + 1); - } else if (((struct iphdr *)begin)->version == 6) { - info->ip6h = (struct ipv6hdr *)begin; - if ((void *)(info->ip6h + 1) > end || (info->ip6h->nexthdr != IPPROTO_TCP)) - return PARSER_FAILED; - begin = (info->ip6h + 1); - } else - return PARSER_FAILED; - - info->tcph = (struct tcphdr *)begin; - if ((void *)(info->tcph + 1) > end) - return PARSER_FAILED; - return PARSER_SUCC; -} - static inline int xdp_deny_packet(struct xdp_info *info, struct bpf_sock_tuple *tuple_info) { if (info->iph != NULL && info->iph->version == 4) { @@ -140,41 +92,40 @@ static inline wl_policies_v *get_workload_policies(struct xdp_info *info, struct return get_workload_policies_by_uid(workload_uid); } -static inline int match_workload_policy(struct xdp_info *info, struct bpf_sock_tuple *tuple_info) +SEC("xdp_auth") +int xdp_shutdown(struct xdp_md *ctx) { - int ret = 0; + struct match_context match_ctx; + struct bpf_sock_tuple tuple_key = {0}; + struct xdp_info info = {0}; wl_policies_v *policies; - __u32 policyId; - Istio__Security__Authorization *policy; + int ret; - policies = get_workload_policies(info, tuple_info); + if (parser_xdp_info(ctx, &info) == PARSER_FAILED) + return XDP_PASS; + if (info.iph->version != 4 && info.iph->version != 6) + return XDP_PASS; + + // never failed + parser_tuple(&info, &tuple_key); + policies = get_workload_policies(&info, &tuple_key); if (!policies) { - return AUTH_ALLOW; + return XDP_PASS; } - - for (int i = 0; i < MAX_MEMBER_NUM_PER_POLICY; i++) { - policyId = policies->policyIds[i]; - if (policyId != 0) { - policy = map_lookup_authz(policyId); - if (!policy) { - continue; - } - if (do_auth(policy, info, tuple_info) == AUTH_DENY) { - BPF_LOG(ERR, AUTH, "policy %u manage result deny\n", policyId); - return AUTH_DENY; - } - } + match_ctx.policies = policies; + match_ctx.policy_index = 0; + ret = bpf_map_update_elem(&kmesh_tc_info_map, &tuple_key, &match_ctx, BPF_ANY); + if (ret < 0) { + BPF_LOG(ERR, AUTH, "Failed to update map, error: %d", ret); + return XDP_PASS; } - return AUTH_ALLOW; -} -static inline int xdp_rbac_manage(struct xdp_info *info, struct bpf_sock_tuple *tuple_info) -{ - return match_workload_policy(info, tuple_info); + bpf_tail_call(ctx, &xdp_tailcall_map, TAIL_CALL_POLICY_CHECK); + return XDP_PASS; } SEC("xdp_auth") -int xdp_shutdown(struct xdp_md *ctx) +int xdp_shutdown_in_userspace(struct xdp_md *ctx) { struct xdp_info info = {0}; struct bpf_sock_tuple tuple_info = {0}; @@ -186,12 +137,6 @@ int xdp_shutdown(struct xdp_md *ctx) // never failed parser_tuple(&info, &tuple_info); - // Before the authentication types supported by eBPF XDP are fully implemented, - // this section only processes AUTH_DENY. If get AUTH_ALLOW, - // it will still depend on the user-space authentication process to match other rule types. - if (xdp_rbac_manage(&info, &tuple_info) == AUTH_DENY) { - return xdp_deny_packet(&info, &tuple_info); - } if (should_shutdown(&info, &tuple_info) == AUTH_FORBID) shutdown_tuple(&info); diff --git a/pkg/bpf/workload/xdp.go b/pkg/bpf/workload/xdp.go index ad885c687..fe9e32c19 100644 --- a/pkg/bpf/workload/xdp.go +++ b/pkg/bpf/workload/xdp.go @@ -96,6 +96,27 @@ func (xa *BpfXdpAuthWorkload) LoadXdpAuth() error { xa.Info.Type = prog.Type xa.Info.AttachType = prog.AttachType + if err = xa.XdpTailcallMap.Update( + uint32(constants.TailCallPolicyCheck), + uint32(xa.PolicyCheck.FD()), + ebpf.UpdateAny); err != nil { + return err + } + + if err = xa.XdpTailcallMap.Update( + uint32(constants.TailCallRuleCheck), + uint32(xa.RuleCheck.FD()), + ebpf.UpdateAny); err != nil { + return err + } + + if err = xa.XdpTailcallMap.Update( + uint32(constants.TailCallAuthInUserSpace), + uint32(xa.XdpShutdownInUserspace.FD()), + ebpf.UpdateAny); err != nil { + return err + } + return nil } diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go index ac8568196..37c7800f5 100644 --- a/pkg/constants/constants.go +++ b/pkg/constants/constants.go @@ -49,8 +49,11 @@ const ( OperDisableControl = 930 // tail call index in tail call prog map - TailCallConnect4Index = 0 - TailCallConnect6Index = 1 + TailCallConnect4Index = 0 + TailCallConnect6Index = 1 + TailCallPolicyCheck = 2 + TailCallRuleCheck = 3 + TailCallAuthInUserSpace = 4 INBOUND = uint32(1) OUTBOUND = uint32(2) From 0843437bd275d6b0c30d6b51f2de7e4d5706cebb Mon Sep 17 00:00:00 2001 From: weli-l <1289113577@qq.com> Date: Wed, 6 Nov 2024 14:25:44 +0800 Subject: [PATCH 2/8] fix comment Signed-off-by: weli-l <1289113577@qq.com> --- bpf/kmesh/workload/include/authz.h | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/bpf/kmesh/workload/include/authz.h b/bpf/kmesh/workload/include/authz.h index 47658308d..8af23fc01 100644 --- a/bpf/kmesh/workload/include/authz.h +++ b/bpf/kmesh/workload/include/authz.h @@ -270,7 +270,7 @@ int policy_check(struct xdp_md *ctx) if (construct_tuple_key(ctx, &tuple_key, &info) != PARSER_SUCC) { BPF_LOG(ERR, AUTH, "policy_check, Failed to get tuple key"); - return XDP_ABORTED; + return XDP_PASS; } match_ctx = bpf_map_lookup_elem(&kmesh_tc_info_map, &tuple_key); @@ -288,23 +288,18 @@ int policy_check(struct xdp_md *ctx) if (bpf_probe_read_kernel(&policyId, sizeof(policyId), (void *)(policies->policyIds + match_ctx->policy_index)) != 0) { BPF_LOG(ERR, AUTH, "Failed to read policyId, throw it to user auth"); - if (bpf_map_delete_elem(&kmesh_tc_info_map, &tuple_key) != 0) { - BPF_LOG(DEBUG, AUTH, "Failed to delete context from map"); - } - bpf_tail_call(ctx, &xdp_tailcall_map, TAIL_CALL_AUTH_IN_USER_SPACE); + goto auth_in_user_space; } policy = map_lookup_authz(policyId); if (!policy) { - // if no policy matches in xdp, thrown it to user auth - if (bpf_map_delete_elem(&kmesh_tc_info_map, &tuple_key) != 0) { - BPF_LOG(DEBUG, AUTH, "Failed to delete tailcall context from map"); - } - bpf_tail_call(ctx, &xdp_tailcall_map, TAIL_CALL_AUTH_IN_USER_SPACE); + // if no policy matches in xdp, throw it to user auth + BPF_LOG(INFO, AUTH, "No more policy, throw it to user auth"); + goto auth_in_user_space; } else { rulesPtr = kmesh_get_ptr_val(policy->rules); if (!rulesPtr) { BPF_LOG(ERR, AUTH, "failed to get rules from policy %s\n", kmesh_get_ptr_val(policy->name)); - return XDP_DROP; + return XDP_PASS; } match_ctx->rulesPtr = rulesPtr; match_ctx->n_rules = policy->n_rules; @@ -312,11 +307,17 @@ int policy_check(struct xdp_md *ctx) ret = bpf_map_update_elem(&kmesh_tc_info_map, &tuple_key, match_ctx, BPF_ANY); if (ret < 0) { BPF_LOG(ERR, AUTH, "Failed to update map, error: %d", ret); - return XDP_DROP; + return XDP_PASS; } bpf_tail_call(ctx, &xdp_tailcall_map, TAIL_CALL_RULE_CHECK); } return XDP_PASS; + +auth_in_user_space: + if (bpf_map_delete_elem(&kmesh_tc_info_map, &tuple_key) != 0) { + BPF_LOG(DEBUG, AUTH, "Failed to delete context from map"); + } + bpf_tail_call(ctx, &xdp_tailcall_map, TAIL_CALL_AUTH_IN_USER_SPACE); } SEC("xdp_auth") @@ -333,7 +334,7 @@ int rule_check(struct xdp_md *ctx) if (construct_tuple_key(ctx, &tuple_key, &info) != PARSER_SUCC) { BPF_LOG(ERR, AUTH, "Failed to get tuple key in rule_check"); - return XDP_ABORTED; + return XDP_PASS; } match_ctx = bpf_map_lookup_elem(&kmesh_tc_info_map, &tuple_key); @@ -390,7 +391,7 @@ int rule_check(struct xdp_md *ctx) ret = bpf_map_update_elem(&kmesh_tc_info_map, &tuple_key, match_ctx, BPF_ANY); if (ret < 0) { BPF_LOG(ERR, AUTH, "Failed to update map, error: %d", ret); - return XDP_DROP; + return XDP_PASS; } bpf_tail_call(ctx, &xdp_tailcall_map, TAIL_CALL_POLICY_CHECK); return XDP_PASS; From 470be253b4327cf6f44084d4ac1b2f3ec9a92bdb Mon Sep 17 00:00:00 2001 From: weli-l <1289113577@qq.com> Date: Sat, 9 Nov 2024 10:34:02 +0800 Subject: [PATCH 3/8] fix comment Signed-off-by: weli-l <1289113577@qq.com> --- .../kmeshcgroupsockworkload_bpfeb.go | 3 +++ .../kmeshcgroupsockworkload_bpfel.go | 3 +++ .../kmeshcgroupsockworkloadcompat_bpfeb.go | 3 +++ .../kmeshcgroupsockworkloadcompat_bpfel.go | 3 +++ .../bpf2go/dualengine/kmeshxdpauth_bpfeb.go | 18 +++++++++++++++--- .../bpf2go/dualengine/kmeshxdpauth_bpfel.go | 18 +++++++++++++++--- .../dualengine/kmeshxdpauthcompat_bpfeb.go | 18 +++++++++++++++--- .../dualengine/kmeshxdpauthcompat_bpfel.go | 18 +++++++++++++++--- bpf/kmesh/workload/include/authz.h | 19 ++++++++++--------- bpf/kmesh/workload/xdp.c | 4 ++-- pkg/constants/constants.go | 2 +- pkg/controller/controller.go | 2 +- 12 files changed, 86 insertions(+), 25 deletions(-) diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkload_bpfeb.go b/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkload_bpfeb.go index 72fa367dd..f903d9a1a 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkload_bpfeb.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkload_bpfeb.go @@ -133,6 +133,7 @@ type KmeshCgroupSockWorkloadMapSpecs struct { MapOfWlPolicy *ebpf.MapSpec `ebpf:"map_of_wl_policy"` TmpBuf *ebpf.MapSpec `ebpf:"tmp_buf"` TmpLogBuf *ebpf.MapSpec `ebpf:"tmp_log_buf"` + XdpTailcallMap *ebpf.MapSpec `ebpf:"xdp_tailcall_map"` } // KmeshCgroupSockWorkloadObjects contains all objects after they have been loaded into the kernel. @@ -176,6 +177,7 @@ type KmeshCgroupSockWorkloadMaps struct { MapOfWlPolicy *ebpf.Map `ebpf:"map_of_wl_policy"` TmpBuf *ebpf.Map `ebpf:"tmp_buf"` TmpLogBuf *ebpf.Map `ebpf:"tmp_log_buf"` + XdpTailcallMap *ebpf.Map `ebpf:"xdp_tailcall_map"` } func (m *KmeshCgroupSockWorkloadMaps) Close() error { @@ -202,6 +204,7 @@ func (m *KmeshCgroupSockWorkloadMaps) Close() error { m.MapOfWlPolicy, m.TmpBuf, m.TmpLogBuf, + m.XdpTailcallMap, ) } diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkload_bpfel.go b/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkload_bpfel.go index 65b7ded19..1ddda5ecd 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkload_bpfel.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkload_bpfel.go @@ -133,6 +133,7 @@ type KmeshCgroupSockWorkloadMapSpecs struct { MapOfWlPolicy *ebpf.MapSpec `ebpf:"map_of_wl_policy"` TmpBuf *ebpf.MapSpec `ebpf:"tmp_buf"` TmpLogBuf *ebpf.MapSpec `ebpf:"tmp_log_buf"` + XdpTailcallMap *ebpf.MapSpec `ebpf:"xdp_tailcall_map"` } // KmeshCgroupSockWorkloadObjects contains all objects after they have been loaded into the kernel. @@ -176,6 +177,7 @@ type KmeshCgroupSockWorkloadMaps struct { MapOfWlPolicy *ebpf.Map `ebpf:"map_of_wl_policy"` TmpBuf *ebpf.Map `ebpf:"tmp_buf"` TmpLogBuf *ebpf.Map `ebpf:"tmp_log_buf"` + XdpTailcallMap *ebpf.Map `ebpf:"xdp_tailcall_map"` } func (m *KmeshCgroupSockWorkloadMaps) Close() error { @@ -202,6 +204,7 @@ func (m *KmeshCgroupSockWorkloadMaps) Close() error { m.MapOfWlPolicy, m.TmpBuf, m.TmpLogBuf, + m.XdpTailcallMap, ) } diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkloadcompat_bpfeb.go b/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkloadcompat_bpfeb.go index dc336585c..756f25ac2 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkloadcompat_bpfeb.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkloadcompat_bpfeb.go @@ -133,6 +133,7 @@ type KmeshCgroupSockWorkloadCompatMapSpecs struct { MapOfWlPolicy *ebpf.MapSpec `ebpf:"map_of_wl_policy"` TmpBuf *ebpf.MapSpec `ebpf:"tmp_buf"` TmpLogBuf *ebpf.MapSpec `ebpf:"tmp_log_buf"` + XdpTailcallMap *ebpf.MapSpec `ebpf:"xdp_tailcall_map"` } // KmeshCgroupSockWorkloadCompatObjects contains all objects after they have been loaded into the kernel. @@ -176,6 +177,7 @@ type KmeshCgroupSockWorkloadCompatMaps struct { MapOfWlPolicy *ebpf.Map `ebpf:"map_of_wl_policy"` TmpBuf *ebpf.Map `ebpf:"tmp_buf"` TmpLogBuf *ebpf.Map `ebpf:"tmp_log_buf"` + XdpTailcallMap *ebpf.Map `ebpf:"xdp_tailcall_map"` } func (m *KmeshCgroupSockWorkloadCompatMaps) Close() error { @@ -202,6 +204,7 @@ func (m *KmeshCgroupSockWorkloadCompatMaps) Close() error { m.MapOfWlPolicy, m.TmpBuf, m.TmpLogBuf, + m.XdpTailcallMap, ) } diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkloadcompat_bpfel.go b/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkloadcompat_bpfel.go index ed1f37e84..0f2f21783 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkloadcompat_bpfel.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkloadcompat_bpfel.go @@ -133,6 +133,7 @@ type KmeshCgroupSockWorkloadCompatMapSpecs struct { MapOfWlPolicy *ebpf.MapSpec `ebpf:"map_of_wl_policy"` TmpBuf *ebpf.MapSpec `ebpf:"tmp_buf"` TmpLogBuf *ebpf.MapSpec `ebpf:"tmp_log_buf"` + XdpTailcallMap *ebpf.MapSpec `ebpf:"xdp_tailcall_map"` } // KmeshCgroupSockWorkloadCompatObjects contains all objects after they have been loaded into the kernel. @@ -176,6 +177,7 @@ type KmeshCgroupSockWorkloadCompatMaps struct { MapOfWlPolicy *ebpf.Map `ebpf:"map_of_wl_policy"` TmpBuf *ebpf.Map `ebpf:"tmp_buf"` TmpLogBuf *ebpf.Map `ebpf:"tmp_log_buf"` + XdpTailcallMap *ebpf.Map `ebpf:"xdp_tailcall_map"` } func (m *KmeshCgroupSockWorkloadCompatMaps) Close() error { @@ -202,6 +204,7 @@ func (m *KmeshCgroupSockWorkloadCompatMaps) Close() error { m.MapOfWlPolicy, m.TmpBuf, m.TmpLogBuf, + m.XdpTailcallMap, ) } diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshxdpauth_bpfeb.go b/bpf/kmesh/bpf2go/dualengine/kmeshxdpauth_bpfeb.go index abe513c60..c9ca27c1a 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshxdpauth_bpfeb.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshxdpauth_bpfeb.go @@ -89,7 +89,10 @@ type KmeshXDPAuthSpecs struct { // // It can be passed ebpf.CollectionSpec.Assign. type KmeshXDPAuthProgramSpecs struct { - XdpShutdown *ebpf.ProgramSpec `ebpf:"xdp_shutdown"` + PolicyCheck *ebpf.ProgramSpec `ebpf:"policy_check"` + RuleCheck *ebpf.ProgramSpec `ebpf:"rule_check"` + XdpAuthz *ebpf.ProgramSpec `ebpf:"xdp_authz"` + XdpShutdownInUserspace *ebpf.ProgramSpec `ebpf:"xdp_shutdown_in_userspace"` } // KmeshXDPAuthMapSpecs contains maps before they are loaded into the kernel. @@ -168,13 +171,16 @@ func (m *KmeshXDPAuthMaps) Close() error { m.KmeshMap296, m.KmeshMap64, m.KmeshService, + m.KmeshTcArgs, m.MapOfAuth, m.MapOfAuthz, m.MapOfSockStorage, + m.MapOfTailCallProg, m.MapOfTuple, m.MapOfWlPolicy, m.TmpBuf, m.TmpLogBuf, + m.XdpTailcallMap, ) } @@ -182,12 +188,18 @@ func (m *KmeshXDPAuthMaps) Close() error { // // It can be passed to LoadKmeshXDPAuthObjects or ebpf.CollectionSpec.LoadAndAssign. type KmeshXDPAuthPrograms struct { - XdpShutdown *ebpf.Program `ebpf:"xdp_shutdown"` + PolicyCheck *ebpf.Program `ebpf:"policy_check"` + RuleCheck *ebpf.Program `ebpf:"rule_check"` + XdpAuthz *ebpf.Program `ebpf:"xdp_authz"` + XdpShutdownInUserspace *ebpf.Program `ebpf:"xdp_shutdown_in_userspace"` } func (p *KmeshXDPAuthPrograms) Close() error { return _KmeshXDPAuthClose( - p.XdpShutdown, + p.PolicyCheck, + p.RuleCheck, + p.XdpAuthz, + p.XdpShutdownInUserspace, ) } diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshxdpauth_bpfel.go b/bpf/kmesh/bpf2go/dualengine/kmeshxdpauth_bpfel.go index bd98514f6..7f07100a6 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshxdpauth_bpfel.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshxdpauth_bpfel.go @@ -89,7 +89,10 @@ type KmeshXDPAuthSpecs struct { // // It can be passed ebpf.CollectionSpec.Assign. type KmeshXDPAuthProgramSpecs struct { - XdpShutdown *ebpf.ProgramSpec `ebpf:"xdp_shutdown"` + PolicyCheck *ebpf.ProgramSpec `ebpf:"policy_check"` + RuleCheck *ebpf.ProgramSpec `ebpf:"rule_check"` + XdpAuthz *ebpf.ProgramSpec `ebpf:"xdp_authz"` + XdpShutdownInUserspace *ebpf.ProgramSpec `ebpf:"xdp_shutdown_in_userspace"` } // KmeshXDPAuthMapSpecs contains maps before they are loaded into the kernel. @@ -168,13 +171,16 @@ func (m *KmeshXDPAuthMaps) Close() error { m.KmeshMap296, m.KmeshMap64, m.KmeshService, + m.KmeshTcArgs, m.MapOfAuth, m.MapOfAuthz, m.MapOfSockStorage, + m.MapOfTailCallProg, m.MapOfTuple, m.MapOfWlPolicy, m.TmpBuf, m.TmpLogBuf, + m.XdpTailcallMap, ) } @@ -182,12 +188,18 @@ func (m *KmeshXDPAuthMaps) Close() error { // // It can be passed to LoadKmeshXDPAuthObjects or ebpf.CollectionSpec.LoadAndAssign. type KmeshXDPAuthPrograms struct { - XdpShutdown *ebpf.Program `ebpf:"xdp_shutdown"` + PolicyCheck *ebpf.Program `ebpf:"policy_check"` + RuleCheck *ebpf.Program `ebpf:"rule_check"` + XdpAuthz *ebpf.Program `ebpf:"xdp_authz"` + XdpShutdownInUserspace *ebpf.Program `ebpf:"xdp_shutdown_in_userspace"` } func (p *KmeshXDPAuthPrograms) Close() error { return _KmeshXDPAuthClose( - p.XdpShutdown, + p.PolicyCheck, + p.RuleCheck, + p.XdpAuthz, + p.XdpShutdownInUserspace, ) } diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshxdpauthcompat_bpfeb.go b/bpf/kmesh/bpf2go/dualengine/kmeshxdpauthcompat_bpfeb.go index 40e2c8a51..b43e612d7 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshxdpauthcompat_bpfeb.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshxdpauthcompat_bpfeb.go @@ -89,7 +89,10 @@ type KmeshXDPAuthCompatSpecs struct { // // It can be passed ebpf.CollectionSpec.Assign. type KmeshXDPAuthCompatProgramSpecs struct { - XdpShutdown *ebpf.ProgramSpec `ebpf:"xdp_shutdown"` + PolicyCheck *ebpf.ProgramSpec `ebpf:"policy_check"` + RuleCheck *ebpf.ProgramSpec `ebpf:"rule_check"` + XdpAuthz *ebpf.ProgramSpec `ebpf:"xdp_authz"` + XdpShutdownInUserspace *ebpf.ProgramSpec `ebpf:"xdp_shutdown_in_userspace"` } // KmeshXDPAuthCompatMapSpecs contains maps before they are loaded into the kernel. @@ -168,13 +171,16 @@ func (m *KmeshXDPAuthCompatMaps) Close() error { m.KmeshMap296, m.KmeshMap64, m.KmeshService, + m.KmeshTcArgs, m.MapOfAuth, m.MapOfAuthz, m.MapOfSockStorage, + m.MapOfTailCallProg, m.MapOfTuple, m.MapOfWlPolicy, m.TmpBuf, m.TmpLogBuf, + m.XdpTailcallMap, ) } @@ -182,12 +188,18 @@ func (m *KmeshXDPAuthCompatMaps) Close() error { // // It can be passed to LoadKmeshXDPAuthCompatObjects or ebpf.CollectionSpec.LoadAndAssign. type KmeshXDPAuthCompatPrograms struct { - XdpShutdown *ebpf.Program `ebpf:"xdp_shutdown"` + PolicyCheck *ebpf.Program `ebpf:"policy_check"` + RuleCheck *ebpf.Program `ebpf:"rule_check"` + XdpAuthz *ebpf.Program `ebpf:"xdp_authz"` + XdpShutdownInUserspace *ebpf.Program `ebpf:"xdp_shutdown_in_userspace"` } func (p *KmeshXDPAuthCompatPrograms) Close() error { return _KmeshXDPAuthCompatClose( - p.XdpShutdown, + p.PolicyCheck, + p.RuleCheck, + p.XdpAuthz, + p.XdpShutdownInUserspace, ) } diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshxdpauthcompat_bpfel.go b/bpf/kmesh/bpf2go/dualengine/kmeshxdpauthcompat_bpfel.go index c183c3126..c7e0803e2 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshxdpauthcompat_bpfel.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshxdpauthcompat_bpfel.go @@ -89,7 +89,10 @@ type KmeshXDPAuthCompatSpecs struct { // // It can be passed ebpf.CollectionSpec.Assign. type KmeshXDPAuthCompatProgramSpecs struct { - XdpShutdown *ebpf.ProgramSpec `ebpf:"xdp_shutdown"` + PolicyCheck *ebpf.ProgramSpec `ebpf:"policy_check"` + RuleCheck *ebpf.ProgramSpec `ebpf:"rule_check"` + XdpAuthz *ebpf.ProgramSpec `ebpf:"xdp_authz"` + XdpShutdownInUserspace *ebpf.ProgramSpec `ebpf:"xdp_shutdown_in_userspace"` } // KmeshXDPAuthCompatMapSpecs contains maps before they are loaded into the kernel. @@ -168,13 +171,16 @@ func (m *KmeshXDPAuthCompatMaps) Close() error { m.KmeshMap296, m.KmeshMap64, m.KmeshService, + m.KmeshTcArgs, m.MapOfAuth, m.MapOfAuthz, m.MapOfSockStorage, + m.MapOfTailCallProg, m.MapOfTuple, m.MapOfWlPolicy, m.TmpBuf, m.TmpLogBuf, + m.XdpTailcallMap, ) } @@ -182,12 +188,18 @@ func (m *KmeshXDPAuthCompatMaps) Close() error { // // It can be passed to LoadKmeshXDPAuthCompatObjects or ebpf.CollectionSpec.LoadAndAssign. type KmeshXDPAuthCompatPrograms struct { - XdpShutdown *ebpf.Program `ebpf:"xdp_shutdown"` + PolicyCheck *ebpf.Program `ebpf:"policy_check"` + RuleCheck *ebpf.Program `ebpf:"rule_check"` + XdpAuthz *ebpf.Program `ebpf:"xdp_authz"` + XdpShutdownInUserspace *ebpf.Program `ebpf:"xdp_shutdown_in_userspace"` } func (p *KmeshXDPAuthCompatPrograms) Close() error { return _KmeshXDPAuthCompatClose( - p.XdpShutdown, + p.PolicyCheck, + p.RuleCheck, + p.XdpAuthz, + p.XdpShutdownInUserspace, ) } diff --git a/bpf/kmesh/workload/include/authz.h b/bpf/kmesh/workload/include/authz.h index 8af23fc01..3171a9154 100644 --- a/bpf/kmesh/workload/include/authz.h +++ b/bpf/kmesh/workload/include/authz.h @@ -41,7 +41,7 @@ struct { __uint(value_size, sizeof(struct match_context)); __uint(map_flags, BPF_F_NO_PREALLOC); __uint(max_entries, MAP_SIZE_OF_AUTH_TAILCALL); -} kmesh_tc_info_map SEC(".maps"); +} kmesh_tc_args SEC(".maps"); static inline Istio__Security__Authorization *map_lookup_authz(__u32 policyKey) { @@ -273,9 +273,9 @@ int policy_check(struct xdp_md *ctx) return XDP_PASS; } - match_ctx = bpf_map_lookup_elem(&kmesh_tc_info_map, &tuple_key); + match_ctx = bpf_map_lookup_elem(&kmesh_tc_args, &tuple_key); if (!match_ctx) { - BPF_LOG(ERR, AUTH, "Failed to retrieve tailcall context from kmesh_tc_info_map"); + BPF_LOG(ERR, AUTH, "Failed to retrieve tailcall context from kmesh_tc_args"); return XDP_PASS; } @@ -304,7 +304,7 @@ int policy_check(struct xdp_md *ctx) match_ctx->rulesPtr = rulesPtr; match_ctx->n_rules = policy->n_rules; match_ctx->action = policy->action; - ret = bpf_map_update_elem(&kmesh_tc_info_map, &tuple_key, match_ctx, BPF_ANY); + ret = bpf_map_update_elem(&kmesh_tc_args, &tuple_key, match_ctx, BPF_ANY); if (ret < 0) { BPF_LOG(ERR, AUTH, "Failed to update map, error: %d", ret); return XDP_PASS; @@ -314,10 +314,11 @@ int policy_check(struct xdp_md *ctx) return XDP_PASS; auth_in_user_space: - if (bpf_map_delete_elem(&kmesh_tc_info_map, &tuple_key) != 0) { + if (bpf_map_delete_elem(&kmesh_tc_args, &tuple_key) != 0) { BPF_LOG(DEBUG, AUTH, "Failed to delete context from map"); } bpf_tail_call(ctx, &xdp_tailcall_map, TAIL_CALL_AUTH_IN_USER_SPACE); + return XDP_PASS; } SEC("xdp_auth") @@ -337,7 +338,7 @@ int rule_check(struct xdp_md *ctx) return XDP_PASS; } - match_ctx = bpf_map_lookup_elem(&kmesh_tc_info_map, &tuple_key); + match_ctx = bpf_map_lookup_elem(&kmesh_tc_args, &tuple_key); if (!match_ctx) { BPF_LOG(ERR, AUTH, "Failed to retrieve match_context from map"); return XDP_PASS; @@ -368,13 +369,13 @@ int rule_check(struct xdp_md *ctx) if (rule_match_check(rule, &info, &tuple_key) == MATCHED) { if (match_ctx->action == ISTIO__SECURITY__ACTION__DENY) { BPF_LOG(INFO, AUTH, "Rule matched, action: DENY"); - if (bpf_map_delete_elem(&kmesh_tc_info_map, &tuple_key) != 0) { + if (bpf_map_delete_elem(&kmesh_tc_args, &tuple_key) != 0) { BPF_LOG(DEBUG, AUTH, "Failed to delete context from map"); } return AUTH_DENY; } else { BPF_LOG(INFO, AUTH, "Rule matched, action: ALLOW"); - if (bpf_map_delete_elem(&kmesh_tc_info_map, &tuple_key) != 0) { + if (bpf_map_delete_elem(&kmesh_tc_args, &tuple_key) != 0) { BPF_LOG(DEBUG, AUTH, "Failed to delete context from map"); } return AUTH_ALLOW; @@ -388,7 +389,7 @@ int rule_check(struct xdp_md *ctx) bpf_tail_call(ctx, &xdp_tailcall_map, TAIL_CALL_AUTH_IN_USER_SPACE); } - ret = bpf_map_update_elem(&kmesh_tc_info_map, &tuple_key, match_ctx, BPF_ANY); + ret = bpf_map_update_elem(&kmesh_tc_args, &tuple_key, match_ctx, BPF_ANY); if (ret < 0) { BPF_LOG(ERR, AUTH, "Failed to update map, error: %d", ret); return XDP_PASS; diff --git a/bpf/kmesh/workload/xdp.c b/bpf/kmesh/workload/xdp.c index 14147aeb3..7ba4b064d 100644 --- a/bpf/kmesh/workload/xdp.c +++ b/bpf/kmesh/workload/xdp.c @@ -93,7 +93,7 @@ static inline wl_policies_v *get_workload_policies(struct xdp_info *info, struct } SEC("xdp_auth") -int xdp_shutdown(struct xdp_md *ctx) +int xdp_authz(struct xdp_md *ctx) { struct match_context match_ctx; struct bpf_sock_tuple tuple_key = {0}; @@ -114,7 +114,7 @@ int xdp_shutdown(struct xdp_md *ctx) } match_ctx.policies = policies; match_ctx.policy_index = 0; - ret = bpf_map_update_elem(&kmesh_tc_info_map, &tuple_key, &match_ctx, BPF_ANY); + ret = bpf_map_update_elem(&kmesh_tc_args, &tuple_key, &match_ctx, BPF_ANY); if (ret < 0) { BPF_LOG(ERR, AUTH, "Failed to update map, error: %d", ret); return XDP_PASS; diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go index 37c7800f5..fb9478a18 100644 --- a/pkg/constants/constants.go +++ b/pkg/constants/constants.go @@ -27,7 +27,7 @@ const ( // This annotation is used to indicate traffic redirection settings specific to Kmesh KmeshRedirectionAnnotation = "kmesh.net/redirection" - XDP_PROG_NAME = "xdp_shutdown" + XDP_PROG_NAME = "xdp_authz" RootCertPath = "/var/run/secrets/istio/root-cert.pem" TrustDomain = "cluster.local" diff --git a/pkg/controller/controller.go b/pkg/controller/controller.go index 1f2da7eee..8a68a266b 100644 --- a/pkg/controller/controller.go +++ b/pkg/controller/controller.go @@ -76,7 +76,7 @@ func (c *Controller) Start(stopCh <-chan struct{}) error { } go secertManager.Run(stopCh) } - kmeshManageController, err = manage.NewKmeshManageController(clientset, secertManager, c.bpfWorkloadObj.XdpAuth.XdpShutdown.FD(), c.mode) + kmeshManageController, err = manage.NewKmeshManageController(clientset, secertManager, c.bpfWorkloadObj.XdpAuth.XdpAuthz.FD(), c.mode) } else { kmeshManageController, err = manage.NewKmeshManageController(clientset, nil, -1, c.mode) } From d06dd68fec0faf0564fa340207d44ce6fe8cb330 Mon Sep 17 00:00:00 2001 From: weli-l <1289113577@qq.com> Date: Tue, 12 Nov 2024 15:01:06 +0800 Subject: [PATCH 4/8] use kmeshctl to enable/disable authz Signed-off-by: weli-l <1289113577@qq.com> --- bpf/include/common.h | 7 +- bpf/kmesh/workload/include/authz.h | 2 +- bpf/kmesh/workload/xdp.c | 16 ++++ ctl/authz/authz.go | 124 +++++++++++++++++++++++++++++ ctl/common/common.go | 2 + docs/ctl/kmeshctl.md | 1 + docs/ctl/kmeshctl_authz.md | 28 +++++++ pkg/status/status_server.go | 35 ++++++++ 8 files changed, 213 insertions(+), 2 deletions(-) create mode 100644 ctl/authz/authz.go create mode 100644 docs/ctl/kmeshctl_authz.md diff --git a/bpf/include/common.h b/bpf/include/common.h index 5b9df15b9..a1b614827 100644 --- a/bpf/include/common.h +++ b/bpf/include/common.h @@ -137,9 +137,14 @@ struct { __type(value, struct buf); } tmp_buf SEC(".maps"); +/* + * This map is used to store different configuration options: + * - key 0: Stores the log level + * - key 1: Stores the authz (authorization) toggle + */ struct { __uint(type, BPF_MAP_TYPE_ARRAY); - __uint(max_entries, 1); + __uint(max_entries, 4); __type(key, int); __type(value, struct kmesh_config); } kmesh_config_map SEC(".maps"); diff --git a/bpf/kmesh/workload/include/authz.h b/bpf/kmesh/workload/include/authz.h index 3171a9154..9381868fc 100644 --- a/bpf/kmesh/workload/include/authz.h +++ b/bpf/kmesh/workload/include/authz.h @@ -230,7 +230,7 @@ static int rule_match_check(Istio__Security__Rule *rule, struct xdp_info *info, if (rule->n_clauses == 0) { BPF_LOG(ERR, AUTH, "rule has no clauses\n"); - return UNMATCHED; + return MATCHED; } // Clauses are AND-ed. clausesPtr = KMESH_GET_PTR_VAL(rule->clauses, void *); diff --git a/bpf/kmesh/workload/xdp.c b/bpf/kmesh/workload/xdp.c index 7ba4b064d..c8e107d29 100644 --- a/bpf/kmesh/workload/xdp.c +++ b/bpf/kmesh/workload/xdp.c @@ -70,6 +70,16 @@ static inline int xdp_deny_packet(struct xdp_info *info, struct bpf_sock_tuple * return XDP_DROP; } +static bool is_authz_enabled() +{ + int key = 1; + int *value = NULL; + value = kmesh_map_lookup_elem(&kmesh_config_map, &key); + if (!value) + return false; + return (*value == 1); +} + static inline wl_policies_v *get_workload_policies(struct xdp_info *info, struct bpf_sock_tuple *tuple_info) { frontend_key frontend_k = {}; @@ -95,6 +105,12 @@ static inline wl_policies_v *get_workload_policies(struct xdp_info *info, struct SEC("xdp_auth") int xdp_authz(struct xdp_md *ctx) { + if (!is_authz_enabled()) { + BPF_LOG(ERR, AUTH, "authz is not enabled, tail call to user auth"); + bpf_tail_call(ctx, &xdp_tailcall_map, TAIL_CALL_AUTH_IN_USER_SPACE); + return XDP_PASS; + } + BPF_LOG(ERR, AUTH, "authz is enabled, processing"); struct match_context match_ctx; struct bpf_sock_tuple tuple_key = {0}; struct xdp_info info = {0}; diff --git a/ctl/authz/authz.go b/ctl/authz/authz.go new file mode 100644 index 000000000..84b5fc2cc --- /dev/null +++ b/ctl/authz/authz.go @@ -0,0 +1,124 @@ +/* + * Copyright The Kmesh Authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package authz + +import ( + "context" + "fmt" + "net/http" + "os" + + "github.com/spf13/cobra" + + "kmesh.net/kmesh/ctl/utils" + "kmesh.net/kmesh/pkg/kube" + "kmesh.net/kmesh/pkg/logger" +) + +const ( + patternAuthz = "/authz" +) + +var log = logger.NewLoggerScope("kmeshctl/authz") + +func NewCmd() *cobra.Command { + cmd := &cobra.Command{ + Use: "authz", + Short: "Enable or disable Kmesh's authz", + Example: `# Enable Kmesh's authz: + kmeshctl authz enable + + # Disable Kmesh's authz: + kmeshctl authz authz`, + Args: cobra.MinimumNArgs(1), + Run: func(cmd *cobra.Command, args []string) { + SetAuthz(cmd, args) + }, + } + return cmd +} + +func SetAuthz(cmd *cobra.Command, args []string) { + var info string + authzFlag := args[len(args)-1] + if authzFlag == "enable" { + info = "true" + } else if authzFlag == "disable" { + info = "false" + } else { + log.Errorf("Error: Argument must be 'enable' or 'disable'") + os.Exit(1) + } + + cli, err := utils.CreateKubeClient() + if err != nil { + log.Errorf("failed to create cli client: %v", err) + os.Exit(1) + } + + if len(args) == 1 { + // Perform operations on all kmesh daemons. + podList, err := cli.PodsForSelector(context.TODO(), utils.KmeshNamespace, utils.KmeshLabel) + if err != nil { + log.Errorf("failed to get kmesh podList: %v", err) + os.Exit(1) + } + for _, pod := range podList.Items { + SetAuthzPerKmeshDaemon(cli, pod.GetName(), info) + } + } else { + // Processes authz triggers for specified kmesh daemon. + for _, podname := range args[:len(args)-1] { + SetAuthzPerKmeshDaemon(cli, podname, info) + } + } +} + +func SetAuthzPerKmeshDaemon(cli kube.CLIClient, podName, info string) { + fw, err := utils.CreateKmeshPortForwarder(cli, podName) + if err != nil { + log.Errorf("failed to create port forwarder for Kmesh daemon pod %s: %v", podName, err) + os.Exit(1) + } + if err := fw.Start(); err != nil { + log.Errorf("failed to start port forwarder for Kmesh daemon pod %s: %v", podName, err) + os.Exit(1) + } + defer fw.Close() + + url := fmt.Sprintf("http://%s%s?enable=%s", fw.Address(), patternAuthz, info) + + req, err := http.NewRequest(http.MethodPost, url, nil) + if err != nil { + log.Errorf("Error creating request: %v", err) + return + } + + req.Header.Set("Content-Type", "application/json") + client := &http.Client{} + resp, err := client.Do(req) + if err != nil { + log.Errorf("failed to make HTTP request: %v", err) + return + } + defer resp.Body.Close() + + if resp.StatusCode != http.StatusOK { + log.Errorf("Error: received status code %d", resp.StatusCode) + return + } +} diff --git a/ctl/common/common.go b/ctl/common/common.go index ffb335b63..271f6e7eb 100644 --- a/ctl/common/common.go +++ b/ctl/common/common.go @@ -20,6 +20,7 @@ import ( "github.com/spf13/cobra" "kmesh.net/kmesh/ctl/accesslog" + "kmesh.net/kmesh/ctl/authz" "kmesh.net/kmesh/ctl/dump" logcmd "kmesh.net/kmesh/ctl/log" "kmesh.net/kmesh/ctl/version" @@ -41,6 +42,7 @@ func GetRootCommand() *cobra.Command { rootCmd.AddCommand(waypoint.NewCmd()) rootCmd.AddCommand(version.NewCmd()) rootCmd.AddCommand(accesslog.NewCmd()) + rootCmd.AddCommand(authz.NewCmd()) return rootCmd } diff --git a/docs/ctl/kmeshctl.md b/docs/ctl/kmeshctl.md index be12de5f2..bccfdc0ab 100644 --- a/docs/ctl/kmeshctl.md +++ b/docs/ctl/kmeshctl.md @@ -11,6 +11,7 @@ Kmesh command line tools to operate and debug Kmesh ### SEE ALSO * [kmeshctl accesslog](kmeshctl_accesslog.md) - Enable or disable Kmesh's accesslog +* [kmeshctl authz](kmeshctl_authz.md) - Enable or disable Kmesh's authz * [kmeshctl dump](kmeshctl_dump.md) - Dump config of kernel-native or dual-engine mode * [kmeshctl log](kmeshctl_log.md) - Get or set kmesh-daemon's logger level * [kmeshctl version](kmeshctl_version.md) - Prints out build version info diff --git a/docs/ctl/kmeshctl_authz.md b/docs/ctl/kmeshctl_authz.md new file mode 100644 index 000000000..b64dadafd --- /dev/null +++ b/docs/ctl/kmeshctl_authz.md @@ -0,0 +1,28 @@ +## kmeshctl authz + +Enable or disable Kmesh's authz + +``` +kmeshctl authz [flags] +``` + +### Examples + +``` +# Enable Kmesh's authz: + kmeshctl authz enable + + # Disable Kmesh's authz: + kmeshctl authz authz +``` + +### Options + +``` + -h, --help help for authz +``` + +### SEE ALSO + +* [kmeshctl](kmeshctl.md) - Kmesh command line tools to operate and debug Kmesh + diff --git a/pkg/status/status_server.go b/pkg/status/status_server.go index 9b650c8df..16d432e35 100644 --- a/pkg/status/status_server.go +++ b/pkg/status/status_server.go @@ -60,6 +60,7 @@ const ( patternReadyProbe = "/debug/ready" patternLoggers = "/debug/loggers" patternAccesslog = "/accesslog" + patternAuthz = "/authz" bpfLoggerName = "bpf" @@ -99,6 +100,7 @@ func NewServer(c *controller.XdsClient, configs *options.BootstrapConfigs, confi s.mux.HandleFunc(patternConfigDumpWorkload, s.configDumpWorkload) s.mux.HandleFunc(patternLoggers, s.loggersHandler) s.mux.HandleFunc(patternAccesslog, s.accesslogHandler) + s.mux.HandleFunc(patternAuthz, s.authzHandler) // TODO: add dump certificate, authorizationPolicies and services s.mux.HandleFunc(patternReadyProbe, s.readyProbe) @@ -264,6 +266,39 @@ func (s *Server) accesslogHandler(w http.ResponseWriter, r *http.Request) { } } +func (s *Server) authzHandler(w http.ResponseWriter, r *http.Request) { + if r.Method != http.MethodPost { + http.Error(w, "Method Not Allowed", http.StatusMethodNotAllowed) + return + } + + authzInfo := r.URL.Query().Get("enable") + enabled, err := strconv.ParseBool(authzInfo) + if err != nil { + w.WriteHeader(http.StatusBadRequest) + _, _ = w.Write([]byte(fmt.Sprintf("invalid accesslog enable=%s", authzInfo))) + return + } + + key := uint32(1) + value := uint32(0) + if enabled { + value = 1 + } + + if s.kmeshConfigMap == nil { + http.Error(w, "update log level error: kmeshConfigMap is nil", http.StatusBadRequest) + return + } + + if err := s.kmeshConfigMap.Update(&key, &value, ebpf.UpdateAny); err != nil { + http.Error(w, fmt.Sprintf("update log level error: %v", err), http.StatusBadRequest) + return + } + + w.WriteHeader(http.StatusOK) +} + func (s *Server) getLoggerNames(w http.ResponseWriter) { loggerNames := append(logger.GetLoggerNames(), bpfLoggerName) data, err := json.MarshalIndent(&loggerNames, "", " ") From 1b864ca4081644fca771cb14cf80a1e7ae603c60 Mon Sep 17 00:00:00 2001 From: weli-l <1289113577@qq.com> Date: Wed, 13 Nov 2024 16:02:03 +0800 Subject: [PATCH 5/8] add cache for authz Signed-off-by: weli-l <1289113577@qq.com> --- bpf/kmesh/workload/include/authz.h | 24 ++++++++++---------- bpf/kmesh/workload/xdp.c | 35 +++++++++++++++++------------- 2 files changed, 32 insertions(+), 27 deletions(-) diff --git a/bpf/kmesh/workload/include/authz.h b/bpf/kmesh/workload/include/authz.h index 9381868fc..c9a1e35f3 100644 --- a/bpf/kmesh/workload/include/authz.h +++ b/bpf/kmesh/workload/include/authz.h @@ -367,19 +367,19 @@ int rule_check(struct xdp_md *ctx) continue; } if (rule_match_check(rule, &info, &tuple_key) == MATCHED) { - if (match_ctx->action == ISTIO__SECURITY__ACTION__DENY) { - BPF_LOG(INFO, AUTH, "Rule matched, action: DENY"); - if (bpf_map_delete_elem(&kmesh_tc_args, &tuple_key) != 0) { - BPF_LOG(DEBUG, AUTH, "Failed to delete context from map"); - } - return AUTH_DENY; - } else { - BPF_LOG(INFO, AUTH, "Rule matched, action: ALLOW"); - if (bpf_map_delete_elem(&kmesh_tc_args, &tuple_key) != 0) { - BPF_LOG(DEBUG, AUTH, "Failed to delete context from map"); - } - return AUTH_ALLOW; + BPF_LOG( + INFO, + AUTH, + "Rule matched, action: %s", + match_ctx->action == ISTIO__SECURITY__ACTION__DENY ? "DENY" : "ALLOW"); + if (bpf_map_delete_elem(&kmesh_tc_args, &tuple_key) != 0) { + BPF_LOG(INFO, AUTH, "Failed to delete tail call context from map"); + } + __u32 auth_result = match_ctx->action == ISTIO__SECURITY__ACTION__DENY ? AUTH_DENY : AUTH_ALLOW; + if (bpf_map_update_elem(&map_of_auth, &tuple_key, &auth_result, BPF_ANY) != 0) { + BPF_LOG(ERR, AUTH, "Failed to update auth result in map_of_auth"); } + return match_ctx->action == ISTIO__SECURITY__ACTION__DENY ? XDP_DROP : XDP_PASS; } } diff --git a/bpf/kmesh/workload/xdp.c b/bpf/kmesh/workload/xdp.c index c8e107d29..fde9d0fd6 100644 --- a/bpf/kmesh/workload/xdp.c +++ b/bpf/kmesh/workload/xdp.c @@ -27,7 +27,7 @@ static inline void shutdown_tuple(struct xdp_info *info) static inline int should_shutdown(struct xdp_info *info, struct bpf_sock_tuple *tuple_info) { __u32 *value = bpf_map_lookup_elem(&map_of_auth, tuple_info); - if (value) { + if (value && *value == 1) { if (info->iph->version == 4) BPF_LOG( INFO, @@ -106,11 +106,11 @@ SEC("xdp_auth") int xdp_authz(struct xdp_md *ctx) { if (!is_authz_enabled()) { - BPF_LOG(ERR, AUTH, "authz is not enabled, tail call to user auth"); + BPF_LOG(INFO, AUTH, "authz is not enabled, tail call to user auth"); bpf_tail_call(ctx, &xdp_tailcall_map, TAIL_CALL_AUTH_IN_USER_SPACE); return XDP_PASS; } - BPF_LOG(ERR, AUTH, "authz is enabled, processing"); + BPF_LOG(INFO, AUTH, "authz is enabled, processing"); struct match_context match_ctx; struct bpf_sock_tuple tuple_key = {0}; struct xdp_info info = {0}; @@ -124,20 +124,25 @@ int xdp_authz(struct xdp_md *ctx) // never failed parser_tuple(&info, &tuple_key); - policies = get_workload_policies(&info, &tuple_key); - if (!policies) { - return XDP_PASS; - } - match_ctx.policies = policies; - match_ctx.policy_index = 0; - ret = bpf_map_update_elem(&kmesh_tc_args, &tuple_key, &match_ctx, BPF_ANY); - if (ret < 0) { - BPF_LOG(ERR, AUTH, "Failed to update map, error: %d", ret); + int *value = bpf_map_lookup_elem(&map_of_auth, &tuple_key); + if (!value) { + policies = get_workload_policies(&info, &tuple_key); + if (!policies) { + return XDP_PASS; + } + match_ctx.policies = policies; + match_ctx.policy_index = 0; + ret = bpf_map_update_elem(&kmesh_tc_args, &tuple_key, &match_ctx, BPF_ANY); + if (ret < 0) { + BPF_LOG(ERR, AUTH, "Failed to update map, error: %d", ret); + return XDP_PASS; + } + + bpf_tail_call(ctx, &xdp_tailcall_map, TAIL_CALL_POLICY_CHECK); return XDP_PASS; + } else { + return *value ? XDP_DROP : XDP_PASS; } - - bpf_tail_call(ctx, &xdp_tailcall_map, TAIL_CALL_POLICY_CHECK); - return XDP_PASS; } SEC("xdp_auth") From 87e5863168056553fb47847961de7cb38227a532 Mon Sep 17 00:00:00 2001 From: weli-l <1289113577@qq.com> Date: Mon, 18 Nov 2024 11:19:40 +0800 Subject: [PATCH 6/8] resolve conflicts Signed-off-by: weli-l <1289113577@qq.com> --- .../bpf2go/dualengine/kmeshxdpauth_bpfeb.go | 78 ++++++++++--------- .../bpf2go/dualengine/kmeshxdpauth_bpfel.go | 78 ++++++++++--------- .../dualengine/kmeshxdpauthcompat_bpfeb.go | 78 ++++++++++--------- .../dualengine/kmeshxdpauthcompat_bpfel.go | 78 ++++++++++--------- bpf/kmesh/workload/include/authz.h | 6 +- 5 files changed, 171 insertions(+), 147 deletions(-) diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshxdpauth_bpfeb.go b/bpf/kmesh/bpf2go/dualengine/kmeshxdpauth_bpfeb.go index c9ca27c1a..7bd6dd268 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshxdpauth_bpfeb.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshxdpauth_bpfeb.go @@ -99,24 +99,27 @@ type KmeshXDPAuthProgramSpecs struct { // // It can be passed ebpf.CollectionSpec.Assign. type KmeshXDPAuthMapSpecs struct { - KmeshBackend *ebpf.MapSpec `ebpf:"kmesh_backend"` - KmeshConfigMap *ebpf.MapSpec `ebpf:"kmesh_config_map"` - KmeshEndpoint *ebpf.MapSpec `ebpf:"kmesh_endpoint"` - KmeshEvents *ebpf.MapSpec `ebpf:"kmesh_events"` - KmeshFrontend *ebpf.MapSpec `ebpf:"kmesh_frontend"` - KmeshManage *ebpf.MapSpec `ebpf:"kmesh_manage"` - KmeshMap1600 *ebpf.MapSpec `ebpf:"kmesh_map1600"` - KmeshMap192 *ebpf.MapSpec `ebpf:"kmesh_map192"` - KmeshMap296 *ebpf.MapSpec `ebpf:"kmesh_map296"` - KmeshMap64 *ebpf.MapSpec `ebpf:"kmesh_map64"` - KmeshService *ebpf.MapSpec `ebpf:"kmesh_service"` - MapOfAuth *ebpf.MapSpec `ebpf:"map_of_auth"` - MapOfAuthz *ebpf.MapSpec `ebpf:"map_of_authz"` - MapOfSockStorage *ebpf.MapSpec `ebpf:"map_of_sock_storage"` - MapOfTuple *ebpf.MapSpec `ebpf:"map_of_tuple"` - MapOfWlPolicy *ebpf.MapSpec `ebpf:"map_of_wl_policy"` - TmpBuf *ebpf.MapSpec `ebpf:"tmp_buf"` - TmpLogBuf *ebpf.MapSpec `ebpf:"tmp_log_buf"` + KmeshBackend *ebpf.MapSpec `ebpf:"kmesh_backend"` + KmeshConfigMap *ebpf.MapSpec `ebpf:"kmesh_config_map"` + KmeshEndpoint *ebpf.MapSpec `ebpf:"kmesh_endpoint"` + KmeshEvents *ebpf.MapSpec `ebpf:"kmesh_events"` + KmeshFrontend *ebpf.MapSpec `ebpf:"kmesh_frontend"` + KmeshManage *ebpf.MapSpec `ebpf:"kmesh_manage"` + KmeshMap1600 *ebpf.MapSpec `ebpf:"kmesh_map1600"` + KmeshMap192 *ebpf.MapSpec `ebpf:"kmesh_map192"` + KmeshMap296 *ebpf.MapSpec `ebpf:"kmesh_map296"` + KmeshMap64 *ebpf.MapSpec `ebpf:"kmesh_map64"` + KmeshService *ebpf.MapSpec `ebpf:"kmesh_service"` + KmeshTcArgs *ebpf.MapSpec `ebpf:"kmesh_tc_args"` + MapOfAuth *ebpf.MapSpec `ebpf:"map_of_auth"` + MapOfAuthz *ebpf.MapSpec `ebpf:"map_of_authz"` + MapOfSockStorage *ebpf.MapSpec `ebpf:"map_of_sock_storage"` + MapOfTailCallProg *ebpf.MapSpec `ebpf:"map_of_tail_call_prog"` + MapOfTuple *ebpf.MapSpec `ebpf:"map_of_tuple"` + MapOfWlPolicy *ebpf.MapSpec `ebpf:"map_of_wl_policy"` + TmpBuf *ebpf.MapSpec `ebpf:"tmp_buf"` + TmpLogBuf *ebpf.MapSpec `ebpf:"tmp_log_buf"` + XdpTailcallMap *ebpf.MapSpec `ebpf:"xdp_tailcall_map"` } // KmeshXDPAuthObjects contains all objects after they have been loaded into the kernel. @@ -138,24 +141,27 @@ func (o *KmeshXDPAuthObjects) Close() error { // // It can be passed to LoadKmeshXDPAuthObjects or ebpf.CollectionSpec.LoadAndAssign. type KmeshXDPAuthMaps struct { - KmeshBackend *ebpf.Map `ebpf:"kmesh_backend"` - KmeshConfigMap *ebpf.Map `ebpf:"kmesh_config_map"` - KmeshEndpoint *ebpf.Map `ebpf:"kmesh_endpoint"` - KmeshEvents *ebpf.Map `ebpf:"kmesh_events"` - KmeshFrontend *ebpf.Map `ebpf:"kmesh_frontend"` - KmeshManage *ebpf.Map `ebpf:"kmesh_manage"` - KmeshMap1600 *ebpf.Map `ebpf:"kmesh_map1600"` - KmeshMap192 *ebpf.Map `ebpf:"kmesh_map192"` - KmeshMap296 *ebpf.Map `ebpf:"kmesh_map296"` - KmeshMap64 *ebpf.Map `ebpf:"kmesh_map64"` - KmeshService *ebpf.Map `ebpf:"kmesh_service"` - MapOfAuth *ebpf.Map `ebpf:"map_of_auth"` - MapOfAuthz *ebpf.Map `ebpf:"map_of_authz"` - MapOfSockStorage *ebpf.Map `ebpf:"map_of_sock_storage"` - MapOfTuple *ebpf.Map `ebpf:"map_of_tuple"` - MapOfWlPolicy *ebpf.Map `ebpf:"map_of_wl_policy"` - TmpBuf *ebpf.Map `ebpf:"tmp_buf"` - TmpLogBuf *ebpf.Map `ebpf:"tmp_log_buf"` + KmeshBackend *ebpf.Map `ebpf:"kmesh_backend"` + KmeshConfigMap *ebpf.Map `ebpf:"kmesh_config_map"` + KmeshEndpoint *ebpf.Map `ebpf:"kmesh_endpoint"` + KmeshEvents *ebpf.Map `ebpf:"kmesh_events"` + KmeshFrontend *ebpf.Map `ebpf:"kmesh_frontend"` + KmeshManage *ebpf.Map `ebpf:"kmesh_manage"` + KmeshMap1600 *ebpf.Map `ebpf:"kmesh_map1600"` + KmeshMap192 *ebpf.Map `ebpf:"kmesh_map192"` + KmeshMap296 *ebpf.Map `ebpf:"kmesh_map296"` + KmeshMap64 *ebpf.Map `ebpf:"kmesh_map64"` + KmeshService *ebpf.Map `ebpf:"kmesh_service"` + KmeshTcArgs *ebpf.Map `ebpf:"kmesh_tc_args"` + MapOfAuth *ebpf.Map `ebpf:"map_of_auth"` + MapOfAuthz *ebpf.Map `ebpf:"map_of_authz"` + MapOfSockStorage *ebpf.Map `ebpf:"map_of_sock_storage"` + MapOfTailCallProg *ebpf.Map `ebpf:"map_of_tail_call_prog"` + MapOfTuple *ebpf.Map `ebpf:"map_of_tuple"` + MapOfWlPolicy *ebpf.Map `ebpf:"map_of_wl_policy"` + TmpBuf *ebpf.Map `ebpf:"tmp_buf"` + TmpLogBuf *ebpf.Map `ebpf:"tmp_log_buf"` + XdpTailcallMap *ebpf.Map `ebpf:"xdp_tailcall_map"` } func (m *KmeshXDPAuthMaps) Close() error { diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshxdpauth_bpfel.go b/bpf/kmesh/bpf2go/dualengine/kmeshxdpauth_bpfel.go index 7f07100a6..7e40b9e42 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshxdpauth_bpfel.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshxdpauth_bpfel.go @@ -99,24 +99,27 @@ type KmeshXDPAuthProgramSpecs struct { // // It can be passed ebpf.CollectionSpec.Assign. type KmeshXDPAuthMapSpecs struct { - KmeshBackend *ebpf.MapSpec `ebpf:"kmesh_backend"` - KmeshConfigMap *ebpf.MapSpec `ebpf:"kmesh_config_map"` - KmeshEndpoint *ebpf.MapSpec `ebpf:"kmesh_endpoint"` - KmeshEvents *ebpf.MapSpec `ebpf:"kmesh_events"` - KmeshFrontend *ebpf.MapSpec `ebpf:"kmesh_frontend"` - KmeshManage *ebpf.MapSpec `ebpf:"kmesh_manage"` - KmeshMap1600 *ebpf.MapSpec `ebpf:"kmesh_map1600"` - KmeshMap192 *ebpf.MapSpec `ebpf:"kmesh_map192"` - KmeshMap296 *ebpf.MapSpec `ebpf:"kmesh_map296"` - KmeshMap64 *ebpf.MapSpec `ebpf:"kmesh_map64"` - KmeshService *ebpf.MapSpec `ebpf:"kmesh_service"` - MapOfAuth *ebpf.MapSpec `ebpf:"map_of_auth"` - MapOfAuthz *ebpf.MapSpec `ebpf:"map_of_authz"` - MapOfSockStorage *ebpf.MapSpec `ebpf:"map_of_sock_storage"` - MapOfTuple *ebpf.MapSpec `ebpf:"map_of_tuple"` - MapOfWlPolicy *ebpf.MapSpec `ebpf:"map_of_wl_policy"` - TmpBuf *ebpf.MapSpec `ebpf:"tmp_buf"` - TmpLogBuf *ebpf.MapSpec `ebpf:"tmp_log_buf"` + KmeshBackend *ebpf.MapSpec `ebpf:"kmesh_backend"` + KmeshConfigMap *ebpf.MapSpec `ebpf:"kmesh_config_map"` + KmeshEndpoint *ebpf.MapSpec `ebpf:"kmesh_endpoint"` + KmeshEvents *ebpf.MapSpec `ebpf:"kmesh_events"` + KmeshFrontend *ebpf.MapSpec `ebpf:"kmesh_frontend"` + KmeshManage *ebpf.MapSpec `ebpf:"kmesh_manage"` + KmeshMap1600 *ebpf.MapSpec `ebpf:"kmesh_map1600"` + KmeshMap192 *ebpf.MapSpec `ebpf:"kmesh_map192"` + KmeshMap296 *ebpf.MapSpec `ebpf:"kmesh_map296"` + KmeshMap64 *ebpf.MapSpec `ebpf:"kmesh_map64"` + KmeshService *ebpf.MapSpec `ebpf:"kmesh_service"` + KmeshTcArgs *ebpf.MapSpec `ebpf:"kmesh_tc_args"` + MapOfAuth *ebpf.MapSpec `ebpf:"map_of_auth"` + MapOfAuthz *ebpf.MapSpec `ebpf:"map_of_authz"` + MapOfSockStorage *ebpf.MapSpec `ebpf:"map_of_sock_storage"` + MapOfTailCallProg *ebpf.MapSpec `ebpf:"map_of_tail_call_prog"` + MapOfTuple *ebpf.MapSpec `ebpf:"map_of_tuple"` + MapOfWlPolicy *ebpf.MapSpec `ebpf:"map_of_wl_policy"` + TmpBuf *ebpf.MapSpec `ebpf:"tmp_buf"` + TmpLogBuf *ebpf.MapSpec `ebpf:"tmp_log_buf"` + XdpTailcallMap *ebpf.MapSpec `ebpf:"xdp_tailcall_map"` } // KmeshXDPAuthObjects contains all objects after they have been loaded into the kernel. @@ -138,24 +141,27 @@ func (o *KmeshXDPAuthObjects) Close() error { // // It can be passed to LoadKmeshXDPAuthObjects or ebpf.CollectionSpec.LoadAndAssign. type KmeshXDPAuthMaps struct { - KmeshBackend *ebpf.Map `ebpf:"kmesh_backend"` - KmeshConfigMap *ebpf.Map `ebpf:"kmesh_config_map"` - KmeshEndpoint *ebpf.Map `ebpf:"kmesh_endpoint"` - KmeshEvents *ebpf.Map `ebpf:"kmesh_events"` - KmeshFrontend *ebpf.Map `ebpf:"kmesh_frontend"` - KmeshManage *ebpf.Map `ebpf:"kmesh_manage"` - KmeshMap1600 *ebpf.Map `ebpf:"kmesh_map1600"` - KmeshMap192 *ebpf.Map `ebpf:"kmesh_map192"` - KmeshMap296 *ebpf.Map `ebpf:"kmesh_map296"` - KmeshMap64 *ebpf.Map `ebpf:"kmesh_map64"` - KmeshService *ebpf.Map `ebpf:"kmesh_service"` - MapOfAuth *ebpf.Map `ebpf:"map_of_auth"` - MapOfAuthz *ebpf.Map `ebpf:"map_of_authz"` - MapOfSockStorage *ebpf.Map `ebpf:"map_of_sock_storage"` - MapOfTuple *ebpf.Map `ebpf:"map_of_tuple"` - MapOfWlPolicy *ebpf.Map `ebpf:"map_of_wl_policy"` - TmpBuf *ebpf.Map `ebpf:"tmp_buf"` - TmpLogBuf *ebpf.Map `ebpf:"tmp_log_buf"` + KmeshBackend *ebpf.Map `ebpf:"kmesh_backend"` + KmeshConfigMap *ebpf.Map `ebpf:"kmesh_config_map"` + KmeshEndpoint *ebpf.Map `ebpf:"kmesh_endpoint"` + KmeshEvents *ebpf.Map `ebpf:"kmesh_events"` + KmeshFrontend *ebpf.Map `ebpf:"kmesh_frontend"` + KmeshManage *ebpf.Map `ebpf:"kmesh_manage"` + KmeshMap1600 *ebpf.Map `ebpf:"kmesh_map1600"` + KmeshMap192 *ebpf.Map `ebpf:"kmesh_map192"` + KmeshMap296 *ebpf.Map `ebpf:"kmesh_map296"` + KmeshMap64 *ebpf.Map `ebpf:"kmesh_map64"` + KmeshService *ebpf.Map `ebpf:"kmesh_service"` + KmeshTcArgs *ebpf.Map `ebpf:"kmesh_tc_args"` + MapOfAuth *ebpf.Map `ebpf:"map_of_auth"` + MapOfAuthz *ebpf.Map `ebpf:"map_of_authz"` + MapOfSockStorage *ebpf.Map `ebpf:"map_of_sock_storage"` + MapOfTailCallProg *ebpf.Map `ebpf:"map_of_tail_call_prog"` + MapOfTuple *ebpf.Map `ebpf:"map_of_tuple"` + MapOfWlPolicy *ebpf.Map `ebpf:"map_of_wl_policy"` + TmpBuf *ebpf.Map `ebpf:"tmp_buf"` + TmpLogBuf *ebpf.Map `ebpf:"tmp_log_buf"` + XdpTailcallMap *ebpf.Map `ebpf:"xdp_tailcall_map"` } func (m *KmeshXDPAuthMaps) Close() error { diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshxdpauthcompat_bpfeb.go b/bpf/kmesh/bpf2go/dualengine/kmeshxdpauthcompat_bpfeb.go index b43e612d7..422eaf181 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshxdpauthcompat_bpfeb.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshxdpauthcompat_bpfeb.go @@ -99,24 +99,27 @@ type KmeshXDPAuthCompatProgramSpecs struct { // // It can be passed ebpf.CollectionSpec.Assign. type KmeshXDPAuthCompatMapSpecs struct { - KmeshBackend *ebpf.MapSpec `ebpf:"kmesh_backend"` - KmeshConfigMap *ebpf.MapSpec `ebpf:"kmesh_config_map"` - KmeshEndpoint *ebpf.MapSpec `ebpf:"kmesh_endpoint"` - KmeshEvents *ebpf.MapSpec `ebpf:"kmesh_events"` - KmeshFrontend *ebpf.MapSpec `ebpf:"kmesh_frontend"` - KmeshManage *ebpf.MapSpec `ebpf:"kmesh_manage"` - KmeshMap1600 *ebpf.MapSpec `ebpf:"kmesh_map1600"` - KmeshMap192 *ebpf.MapSpec `ebpf:"kmesh_map192"` - KmeshMap296 *ebpf.MapSpec `ebpf:"kmesh_map296"` - KmeshMap64 *ebpf.MapSpec `ebpf:"kmesh_map64"` - KmeshService *ebpf.MapSpec `ebpf:"kmesh_service"` - MapOfAuth *ebpf.MapSpec `ebpf:"map_of_auth"` - MapOfAuthz *ebpf.MapSpec `ebpf:"map_of_authz"` - MapOfSockStorage *ebpf.MapSpec `ebpf:"map_of_sock_storage"` - MapOfTuple *ebpf.MapSpec `ebpf:"map_of_tuple"` - MapOfWlPolicy *ebpf.MapSpec `ebpf:"map_of_wl_policy"` - TmpBuf *ebpf.MapSpec `ebpf:"tmp_buf"` - TmpLogBuf *ebpf.MapSpec `ebpf:"tmp_log_buf"` + KmeshBackend *ebpf.MapSpec `ebpf:"kmesh_backend"` + KmeshConfigMap *ebpf.MapSpec `ebpf:"kmesh_config_map"` + KmeshEndpoint *ebpf.MapSpec `ebpf:"kmesh_endpoint"` + KmeshEvents *ebpf.MapSpec `ebpf:"kmesh_events"` + KmeshFrontend *ebpf.MapSpec `ebpf:"kmesh_frontend"` + KmeshManage *ebpf.MapSpec `ebpf:"kmesh_manage"` + KmeshMap1600 *ebpf.MapSpec `ebpf:"kmesh_map1600"` + KmeshMap192 *ebpf.MapSpec `ebpf:"kmesh_map192"` + KmeshMap296 *ebpf.MapSpec `ebpf:"kmesh_map296"` + KmeshMap64 *ebpf.MapSpec `ebpf:"kmesh_map64"` + KmeshService *ebpf.MapSpec `ebpf:"kmesh_service"` + KmeshTcArgs *ebpf.MapSpec `ebpf:"kmesh_tc_args"` + MapOfAuth *ebpf.MapSpec `ebpf:"map_of_auth"` + MapOfAuthz *ebpf.MapSpec `ebpf:"map_of_authz"` + MapOfSockStorage *ebpf.MapSpec `ebpf:"map_of_sock_storage"` + MapOfTailCallProg *ebpf.MapSpec `ebpf:"map_of_tail_call_prog"` + MapOfTuple *ebpf.MapSpec `ebpf:"map_of_tuple"` + MapOfWlPolicy *ebpf.MapSpec `ebpf:"map_of_wl_policy"` + TmpBuf *ebpf.MapSpec `ebpf:"tmp_buf"` + TmpLogBuf *ebpf.MapSpec `ebpf:"tmp_log_buf"` + XdpTailcallMap *ebpf.MapSpec `ebpf:"xdp_tailcall_map"` } // KmeshXDPAuthCompatObjects contains all objects after they have been loaded into the kernel. @@ -138,24 +141,27 @@ func (o *KmeshXDPAuthCompatObjects) Close() error { // // It can be passed to LoadKmeshXDPAuthCompatObjects or ebpf.CollectionSpec.LoadAndAssign. type KmeshXDPAuthCompatMaps struct { - KmeshBackend *ebpf.Map `ebpf:"kmesh_backend"` - KmeshConfigMap *ebpf.Map `ebpf:"kmesh_config_map"` - KmeshEndpoint *ebpf.Map `ebpf:"kmesh_endpoint"` - KmeshEvents *ebpf.Map `ebpf:"kmesh_events"` - KmeshFrontend *ebpf.Map `ebpf:"kmesh_frontend"` - KmeshManage *ebpf.Map `ebpf:"kmesh_manage"` - KmeshMap1600 *ebpf.Map `ebpf:"kmesh_map1600"` - KmeshMap192 *ebpf.Map `ebpf:"kmesh_map192"` - KmeshMap296 *ebpf.Map `ebpf:"kmesh_map296"` - KmeshMap64 *ebpf.Map `ebpf:"kmesh_map64"` - KmeshService *ebpf.Map `ebpf:"kmesh_service"` - MapOfAuth *ebpf.Map `ebpf:"map_of_auth"` - MapOfAuthz *ebpf.Map `ebpf:"map_of_authz"` - MapOfSockStorage *ebpf.Map `ebpf:"map_of_sock_storage"` - MapOfTuple *ebpf.Map `ebpf:"map_of_tuple"` - MapOfWlPolicy *ebpf.Map `ebpf:"map_of_wl_policy"` - TmpBuf *ebpf.Map `ebpf:"tmp_buf"` - TmpLogBuf *ebpf.Map `ebpf:"tmp_log_buf"` + KmeshBackend *ebpf.Map `ebpf:"kmesh_backend"` + KmeshConfigMap *ebpf.Map `ebpf:"kmesh_config_map"` + KmeshEndpoint *ebpf.Map `ebpf:"kmesh_endpoint"` + KmeshEvents *ebpf.Map `ebpf:"kmesh_events"` + KmeshFrontend *ebpf.Map `ebpf:"kmesh_frontend"` + KmeshManage *ebpf.Map `ebpf:"kmesh_manage"` + KmeshMap1600 *ebpf.Map `ebpf:"kmesh_map1600"` + KmeshMap192 *ebpf.Map `ebpf:"kmesh_map192"` + KmeshMap296 *ebpf.Map `ebpf:"kmesh_map296"` + KmeshMap64 *ebpf.Map `ebpf:"kmesh_map64"` + KmeshService *ebpf.Map `ebpf:"kmesh_service"` + KmeshTcArgs *ebpf.Map `ebpf:"kmesh_tc_args"` + MapOfAuth *ebpf.Map `ebpf:"map_of_auth"` + MapOfAuthz *ebpf.Map `ebpf:"map_of_authz"` + MapOfSockStorage *ebpf.Map `ebpf:"map_of_sock_storage"` + MapOfTailCallProg *ebpf.Map `ebpf:"map_of_tail_call_prog"` + MapOfTuple *ebpf.Map `ebpf:"map_of_tuple"` + MapOfWlPolicy *ebpf.Map `ebpf:"map_of_wl_policy"` + TmpBuf *ebpf.Map `ebpf:"tmp_buf"` + TmpLogBuf *ebpf.Map `ebpf:"tmp_log_buf"` + XdpTailcallMap *ebpf.Map `ebpf:"xdp_tailcall_map"` } func (m *KmeshXDPAuthCompatMaps) Close() error { diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshxdpauthcompat_bpfel.go b/bpf/kmesh/bpf2go/dualengine/kmeshxdpauthcompat_bpfel.go index c7e0803e2..f70b50421 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshxdpauthcompat_bpfel.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshxdpauthcompat_bpfel.go @@ -99,24 +99,27 @@ type KmeshXDPAuthCompatProgramSpecs struct { // // It can be passed ebpf.CollectionSpec.Assign. type KmeshXDPAuthCompatMapSpecs struct { - KmeshBackend *ebpf.MapSpec `ebpf:"kmesh_backend"` - KmeshConfigMap *ebpf.MapSpec `ebpf:"kmesh_config_map"` - KmeshEndpoint *ebpf.MapSpec `ebpf:"kmesh_endpoint"` - KmeshEvents *ebpf.MapSpec `ebpf:"kmesh_events"` - KmeshFrontend *ebpf.MapSpec `ebpf:"kmesh_frontend"` - KmeshManage *ebpf.MapSpec `ebpf:"kmesh_manage"` - KmeshMap1600 *ebpf.MapSpec `ebpf:"kmesh_map1600"` - KmeshMap192 *ebpf.MapSpec `ebpf:"kmesh_map192"` - KmeshMap296 *ebpf.MapSpec `ebpf:"kmesh_map296"` - KmeshMap64 *ebpf.MapSpec `ebpf:"kmesh_map64"` - KmeshService *ebpf.MapSpec `ebpf:"kmesh_service"` - MapOfAuth *ebpf.MapSpec `ebpf:"map_of_auth"` - MapOfAuthz *ebpf.MapSpec `ebpf:"map_of_authz"` - MapOfSockStorage *ebpf.MapSpec `ebpf:"map_of_sock_storage"` - MapOfTuple *ebpf.MapSpec `ebpf:"map_of_tuple"` - MapOfWlPolicy *ebpf.MapSpec `ebpf:"map_of_wl_policy"` - TmpBuf *ebpf.MapSpec `ebpf:"tmp_buf"` - TmpLogBuf *ebpf.MapSpec `ebpf:"tmp_log_buf"` + KmeshBackend *ebpf.MapSpec `ebpf:"kmesh_backend"` + KmeshConfigMap *ebpf.MapSpec `ebpf:"kmesh_config_map"` + KmeshEndpoint *ebpf.MapSpec `ebpf:"kmesh_endpoint"` + KmeshEvents *ebpf.MapSpec `ebpf:"kmesh_events"` + KmeshFrontend *ebpf.MapSpec `ebpf:"kmesh_frontend"` + KmeshManage *ebpf.MapSpec `ebpf:"kmesh_manage"` + KmeshMap1600 *ebpf.MapSpec `ebpf:"kmesh_map1600"` + KmeshMap192 *ebpf.MapSpec `ebpf:"kmesh_map192"` + KmeshMap296 *ebpf.MapSpec `ebpf:"kmesh_map296"` + KmeshMap64 *ebpf.MapSpec `ebpf:"kmesh_map64"` + KmeshService *ebpf.MapSpec `ebpf:"kmesh_service"` + KmeshTcArgs *ebpf.MapSpec `ebpf:"kmesh_tc_args"` + MapOfAuth *ebpf.MapSpec `ebpf:"map_of_auth"` + MapOfAuthz *ebpf.MapSpec `ebpf:"map_of_authz"` + MapOfSockStorage *ebpf.MapSpec `ebpf:"map_of_sock_storage"` + MapOfTailCallProg *ebpf.MapSpec `ebpf:"map_of_tail_call_prog"` + MapOfTuple *ebpf.MapSpec `ebpf:"map_of_tuple"` + MapOfWlPolicy *ebpf.MapSpec `ebpf:"map_of_wl_policy"` + TmpBuf *ebpf.MapSpec `ebpf:"tmp_buf"` + TmpLogBuf *ebpf.MapSpec `ebpf:"tmp_log_buf"` + XdpTailcallMap *ebpf.MapSpec `ebpf:"xdp_tailcall_map"` } // KmeshXDPAuthCompatObjects contains all objects after they have been loaded into the kernel. @@ -138,24 +141,27 @@ func (o *KmeshXDPAuthCompatObjects) Close() error { // // It can be passed to LoadKmeshXDPAuthCompatObjects or ebpf.CollectionSpec.LoadAndAssign. type KmeshXDPAuthCompatMaps struct { - KmeshBackend *ebpf.Map `ebpf:"kmesh_backend"` - KmeshConfigMap *ebpf.Map `ebpf:"kmesh_config_map"` - KmeshEndpoint *ebpf.Map `ebpf:"kmesh_endpoint"` - KmeshEvents *ebpf.Map `ebpf:"kmesh_events"` - KmeshFrontend *ebpf.Map `ebpf:"kmesh_frontend"` - KmeshManage *ebpf.Map `ebpf:"kmesh_manage"` - KmeshMap1600 *ebpf.Map `ebpf:"kmesh_map1600"` - KmeshMap192 *ebpf.Map `ebpf:"kmesh_map192"` - KmeshMap296 *ebpf.Map `ebpf:"kmesh_map296"` - KmeshMap64 *ebpf.Map `ebpf:"kmesh_map64"` - KmeshService *ebpf.Map `ebpf:"kmesh_service"` - MapOfAuth *ebpf.Map `ebpf:"map_of_auth"` - MapOfAuthz *ebpf.Map `ebpf:"map_of_authz"` - MapOfSockStorage *ebpf.Map `ebpf:"map_of_sock_storage"` - MapOfTuple *ebpf.Map `ebpf:"map_of_tuple"` - MapOfWlPolicy *ebpf.Map `ebpf:"map_of_wl_policy"` - TmpBuf *ebpf.Map `ebpf:"tmp_buf"` - TmpLogBuf *ebpf.Map `ebpf:"tmp_log_buf"` + KmeshBackend *ebpf.Map `ebpf:"kmesh_backend"` + KmeshConfigMap *ebpf.Map `ebpf:"kmesh_config_map"` + KmeshEndpoint *ebpf.Map `ebpf:"kmesh_endpoint"` + KmeshEvents *ebpf.Map `ebpf:"kmesh_events"` + KmeshFrontend *ebpf.Map `ebpf:"kmesh_frontend"` + KmeshManage *ebpf.Map `ebpf:"kmesh_manage"` + KmeshMap1600 *ebpf.Map `ebpf:"kmesh_map1600"` + KmeshMap192 *ebpf.Map `ebpf:"kmesh_map192"` + KmeshMap296 *ebpf.Map `ebpf:"kmesh_map296"` + KmeshMap64 *ebpf.Map `ebpf:"kmesh_map64"` + KmeshService *ebpf.Map `ebpf:"kmesh_service"` + KmeshTcArgs *ebpf.Map `ebpf:"kmesh_tc_args"` + MapOfAuth *ebpf.Map `ebpf:"map_of_auth"` + MapOfAuthz *ebpf.Map `ebpf:"map_of_authz"` + MapOfSockStorage *ebpf.Map `ebpf:"map_of_sock_storage"` + MapOfTailCallProg *ebpf.Map `ebpf:"map_of_tail_call_prog"` + MapOfTuple *ebpf.Map `ebpf:"map_of_tuple"` + MapOfWlPolicy *ebpf.Map `ebpf:"map_of_wl_policy"` + TmpBuf *ebpf.Map `ebpf:"tmp_buf"` + TmpLogBuf *ebpf.Map `ebpf:"tmp_log_buf"` + XdpTailcallMap *ebpf.Map `ebpf:"xdp_tailcall_map"` } func (m *KmeshXDPAuthCompatMaps) Close() error { diff --git a/bpf/kmesh/workload/include/authz.h b/bpf/kmesh/workload/include/authz.h index c9a1e35f3..745d7ae93 100644 --- a/bpf/kmesh/workload/include/authz.h +++ b/bpf/kmesh/workload/include/authz.h @@ -296,9 +296,9 @@ int policy_check(struct xdp_md *ctx) BPF_LOG(INFO, AUTH, "No more policy, throw it to user auth"); goto auth_in_user_space; } else { - rulesPtr = kmesh_get_ptr_val(policy->rules); + rulesPtr = KMESH_GET_PTR_VAL(policy->rules, void *); if (!rulesPtr) { - BPF_LOG(ERR, AUTH, "failed to get rules from policy %s\n", kmesh_get_ptr_val(policy->name)); + BPF_LOG(ERR, AUTH, "failed to get rules from policies\n"); return XDP_PASS; } match_ctx->rulesPtr = rulesPtr; @@ -362,7 +362,7 @@ int rule_check(struct xdp_md *ctx) continue; } - rule = (Istio__Security__Rule *)kmesh_get_ptr_val((void *)rule_addr); + rule = (Istio__Security__Rule *)KMESH_GET_PTR_VAL((void *)*((__u64 *)rulesPtr + i), Istio__Security__Rule); if (!rule) { continue; } From 7161af5a0d40756783a8f2925a23b4d65a6245f1 Mon Sep 17 00:00:00 2001 From: weli-l <1289113577@qq.com> Date: Mon, 18 Nov 2024 15:17:48 +0800 Subject: [PATCH 7/8] add authz for kmesh_config Signed-off-by: weli-l <1289113577@qq.com> --- bpf/include/common.h | 1 + .../kmeshcgroupsockworkload_bpfeb.go | 7 ++- .../kmeshcgroupsockworkload_bpfel.go | 7 ++- .../kmeshcgroupsockworkloadcompat_bpfeb.go | 7 ++- .../kmeshcgroupsockworkloadcompat_bpfel.go | 7 ++- .../bpf2go/dualengine/kmeshsendmsg_bpfeb.go | 7 ++- .../bpf2go/dualengine/kmeshsendmsg_bpfel.go | 7 ++- .../dualengine/kmeshsendmsgcompat_bpfeb.go | 7 ++- .../dualengine/kmeshsendmsgcompat_bpfel.go | 7 ++- .../dualengine/kmeshsockopsworkload_bpfeb.go | 7 ++- .../dualengine/kmeshsockopsworkload_bpfel.go | 7 ++- .../kmeshsockopsworkloadcompat_bpfeb.go | 7 ++- .../kmeshsockopsworkloadcompat_bpfel.go | 7 ++- .../bpf2go/dualengine/kmeshxdpauth_bpfeb.go | 7 ++- .../bpf2go/dualengine/kmeshxdpauth_bpfel.go | 7 ++- .../dualengine/kmeshxdpauthcompat_bpfeb.go | 7 ++- .../dualengine/kmeshxdpauthcompat_bpfel.go | 7 ++- .../normal/kmeshcgroupsock_bpfeb.go | 7 ++- .../normal/kmeshcgroupsock_bpfel.go | 7 ++- .../normal/kmeshcgroupsockcompat_bpfeb.go | 7 ++- .../normal/kmeshcgroupsockcompat_bpfel.go | 7 ++- bpf/kmesh/workload/include/authz.h | 57 +++++++++---------- bpf/kmesh/workload/xdp.c | 12 ++-- pkg/bpf/bpf.go | 14 +++-- pkg/constants/constants.go | 4 +- pkg/status/status_server.go | 28 +++++---- 26 files changed, 142 insertions(+), 114 deletions(-) diff --git a/bpf/include/common.h b/bpf/include/common.h index a1b614827..d10b40168 100644 --- a/bpf/include/common.h +++ b/bpf/include/common.h @@ -67,6 +67,7 @@ struct kmesh_config { __u32 bpf_log_level; __u32 node_ip[4]; __u32 pod_gateway[4]; + __u32 authz_offload; }; static inline void *kmesh_map_lookup_elem(void *map, const void *key) diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkload_bpfeb.go b/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkload_bpfeb.go index f903d9a1a..579369779 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkload_bpfeb.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkload_bpfeb.go @@ -25,9 +25,10 @@ type KmeshCgroupSockWorkloadBpfSockTuple struct { type KmeshCgroupSockWorkloadBuf struct{ Data [40]int8 } type KmeshCgroupSockWorkloadKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshCgroupSockWorkloadLogEvent struct { diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkload_bpfel.go b/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkload_bpfel.go index 1ddda5ecd..6824fe7b9 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkload_bpfel.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkload_bpfel.go @@ -25,9 +25,10 @@ type KmeshCgroupSockWorkloadBpfSockTuple struct { type KmeshCgroupSockWorkloadBuf struct{ Data [40]int8 } type KmeshCgroupSockWorkloadKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshCgroupSockWorkloadLogEvent struct { diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkloadcompat_bpfeb.go b/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkloadcompat_bpfeb.go index 756f25ac2..274244126 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkloadcompat_bpfeb.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkloadcompat_bpfeb.go @@ -25,9 +25,10 @@ type KmeshCgroupSockWorkloadCompatBpfSockTuple struct { type KmeshCgroupSockWorkloadCompatBuf struct{ Data [40]int8 } type KmeshCgroupSockWorkloadCompatKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshCgroupSockWorkloadCompatLogEvent struct { diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkloadcompat_bpfel.go b/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkloadcompat_bpfel.go index 0f2f21783..63feccc98 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkloadcompat_bpfel.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkloadcompat_bpfel.go @@ -25,9 +25,10 @@ type KmeshCgroupSockWorkloadCompatBpfSockTuple struct { type KmeshCgroupSockWorkloadCompatBuf struct{ Data [40]int8 } type KmeshCgroupSockWorkloadCompatKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshCgroupSockWorkloadCompatLogEvent struct { diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshsendmsg_bpfeb.go b/bpf/kmesh/bpf2go/dualengine/kmeshsendmsg_bpfeb.go index d08ceaf0d..0e490c875 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshsendmsg_bpfeb.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshsendmsg_bpfeb.go @@ -25,9 +25,10 @@ type KmeshSendmsgBpfSockTuple struct { type KmeshSendmsgBuf struct{ Data [40]int8 } type KmeshSendmsgKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshSendmsgLogEvent struct { diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshsendmsg_bpfel.go b/bpf/kmesh/bpf2go/dualengine/kmeshsendmsg_bpfel.go index 55298e174..b7455e686 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshsendmsg_bpfel.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshsendmsg_bpfel.go @@ -25,9 +25,10 @@ type KmeshSendmsgBpfSockTuple struct { type KmeshSendmsgBuf struct{ Data [40]int8 } type KmeshSendmsgKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshSendmsgLogEvent struct { diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshsendmsgcompat_bpfeb.go b/bpf/kmesh/bpf2go/dualengine/kmeshsendmsgcompat_bpfeb.go index f57c72b13..8cb9fde03 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshsendmsgcompat_bpfeb.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshsendmsgcompat_bpfeb.go @@ -25,9 +25,10 @@ type KmeshSendmsgCompatBpfSockTuple struct { type KmeshSendmsgCompatBuf struct{ Data [40]int8 } type KmeshSendmsgCompatKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshSendmsgCompatLogEvent struct { diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshsendmsgcompat_bpfel.go b/bpf/kmesh/bpf2go/dualengine/kmeshsendmsgcompat_bpfel.go index 28ab8db62..c89a25d76 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshsendmsgcompat_bpfel.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshsendmsgcompat_bpfel.go @@ -25,9 +25,10 @@ type KmeshSendmsgCompatBpfSockTuple struct { type KmeshSendmsgCompatBuf struct{ Data [40]int8 } type KmeshSendmsgCompatKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshSendmsgCompatLogEvent struct { diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkload_bpfeb.go b/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkload_bpfeb.go index 0448a1c77..1ba055e46 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkload_bpfeb.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkload_bpfeb.go @@ -25,9 +25,10 @@ type KmeshSockopsWorkloadBpfSockTuple struct { type KmeshSockopsWorkloadBuf struct{ Data [40]int8 } type KmeshSockopsWorkloadKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshSockopsWorkloadLogEvent struct { diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkload_bpfel.go b/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkload_bpfel.go index f62f15133..3347ca527 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkload_bpfel.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkload_bpfel.go @@ -25,9 +25,10 @@ type KmeshSockopsWorkloadBpfSockTuple struct { type KmeshSockopsWorkloadBuf struct{ Data [40]int8 } type KmeshSockopsWorkloadKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshSockopsWorkloadLogEvent struct { diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkloadcompat_bpfeb.go b/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkloadcompat_bpfeb.go index d74c4ba9a..5453c7e12 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkloadcompat_bpfeb.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkloadcompat_bpfeb.go @@ -25,9 +25,10 @@ type KmeshSockopsWorkloadCompatBpfSockTuple struct { type KmeshSockopsWorkloadCompatBuf struct{ Data [40]int8 } type KmeshSockopsWorkloadCompatKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshSockopsWorkloadCompatLogEvent struct { diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkloadcompat_bpfel.go b/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkloadcompat_bpfel.go index b70e08185..5e54ead06 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkloadcompat_bpfel.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkloadcompat_bpfel.go @@ -25,9 +25,10 @@ type KmeshSockopsWorkloadCompatBpfSockTuple struct { type KmeshSockopsWorkloadCompatBuf struct{ Data [40]int8 } type KmeshSockopsWorkloadCompatKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshSockopsWorkloadCompatLogEvent struct { diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshxdpauth_bpfeb.go b/bpf/kmesh/bpf2go/dualengine/kmeshxdpauth_bpfeb.go index 7bd6dd268..d0572379c 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshxdpauth_bpfeb.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshxdpauth_bpfeb.go @@ -25,9 +25,10 @@ type KmeshXDPAuthBpfSockTuple struct { type KmeshXDPAuthBuf struct{ Data [40]int8 } type KmeshXDPAuthKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshXDPAuthLogEvent struct { diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshxdpauth_bpfel.go b/bpf/kmesh/bpf2go/dualengine/kmeshxdpauth_bpfel.go index 7e40b9e42..949272a62 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshxdpauth_bpfel.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshxdpauth_bpfel.go @@ -25,9 +25,10 @@ type KmeshXDPAuthBpfSockTuple struct { type KmeshXDPAuthBuf struct{ Data [40]int8 } type KmeshXDPAuthKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshXDPAuthLogEvent struct { diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshxdpauthcompat_bpfeb.go b/bpf/kmesh/bpf2go/dualengine/kmeshxdpauthcompat_bpfeb.go index 422eaf181..2fc0dd85b 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshxdpauthcompat_bpfeb.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshxdpauthcompat_bpfeb.go @@ -25,9 +25,10 @@ type KmeshXDPAuthCompatBpfSockTuple struct { type KmeshXDPAuthCompatBuf struct{ Data [40]int8 } type KmeshXDPAuthCompatKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshXDPAuthCompatLogEvent struct { diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshxdpauthcompat_bpfel.go b/bpf/kmesh/bpf2go/dualengine/kmeshxdpauthcompat_bpfel.go index f70b50421..edf3b5b97 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshxdpauthcompat_bpfel.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshxdpauthcompat_bpfel.go @@ -25,9 +25,10 @@ type KmeshXDPAuthCompatBpfSockTuple struct { type KmeshXDPAuthCompatBuf struct{ Data [40]int8 } type KmeshXDPAuthCompatKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshXDPAuthCompatLogEvent struct { diff --git a/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsock_bpfeb.go b/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsock_bpfeb.go index 825374383..537a4bbd4 100644 --- a/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsock_bpfeb.go +++ b/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsock_bpfeb.go @@ -17,9 +17,10 @@ type KmeshCgroupSockBuf struct{ Data [40]int8 } type KmeshCgroupSockClusterSockData struct{ ClusterId uint32 } type KmeshCgroupSockKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshCgroupSockLogEvent struct { diff --git a/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsock_bpfel.go b/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsock_bpfel.go index 7ab3663b4..e03bab1a1 100644 --- a/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsock_bpfel.go +++ b/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsock_bpfel.go @@ -17,9 +17,10 @@ type KmeshCgroupSockBuf struct{ Data [40]int8 } type KmeshCgroupSockClusterSockData struct{ ClusterId uint32 } type KmeshCgroupSockKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshCgroupSockLogEvent struct { diff --git a/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsockcompat_bpfeb.go b/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsockcompat_bpfeb.go index 5775ba319..870f48cac 100644 --- a/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsockcompat_bpfeb.go +++ b/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsockcompat_bpfeb.go @@ -17,9 +17,10 @@ type KmeshCgroupSockCompatBuf struct{ Data [40]int8 } type KmeshCgroupSockCompatClusterSockData struct{ ClusterId uint32 } type KmeshCgroupSockCompatKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshCgroupSockCompatLogEvent struct { diff --git a/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsockcompat_bpfel.go b/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsockcompat_bpfel.go index aebada7a5..dadd56f5a 100644 --- a/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsockcompat_bpfel.go +++ b/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsockcompat_bpfel.go @@ -17,9 +17,10 @@ type KmeshCgroupSockCompatBuf struct{ Data [40]int8 } type KmeshCgroupSockCompatClusterSockData struct{ ClusterId uint32 } type KmeshCgroupSockCompatKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshCgroupSockCompatLogEvent struct { diff --git a/bpf/kmesh/workload/include/authz.h b/bpf/kmesh/workload/include/authz.h index 745d7ae93..c16cb7065 100644 --- a/bpf/kmesh/workload/include/authz.h +++ b/bpf/kmesh/workload/include/authz.h @@ -105,7 +105,7 @@ static int construct_tuple_key(struct xdp_md *ctx, struct bpf_sock_tuple *tuple_ { int ret = parser_xdp_info(ctx, info); if (ret != PARSER_SUCC) { - BPF_LOG(ERR, AUTH, "Failed to parse xdp_info"); + BPF_LOG(ERR, AUTH, "failed to parse xdp_info"); return PARSER_FAILED; } @@ -114,21 +114,21 @@ static int construct_tuple_key(struct xdp_md *ctx, struct bpf_sock_tuple *tuple_ return PARSER_SUCC; } -static int matchDstPorts(Istio__Security__Match *match, struct xdp_info *info, struct bpf_sock_tuple *tuple_info) +static int match_dst_ports(Istio__Security__Match *match, struct xdp_info *info, struct bpf_sock_tuple *tuple_info) { __u32 *notPorts = NULL; __u32 *ports = NULL; __u32 i; if (match->n_destination_ports == 0 && match->n_not_destination_ports == 0) { - BPF_LOG(DEBUG, AUTH, "No ports configured, matching by default"); + BPF_LOG(DEBUG, AUTH, "no ports configured, matching by default"); return MATCHED; } if (match->n_not_destination_ports != 0) { notPorts = KMESH_GET_PTR_VAL(match->not_destination_ports, void *); if (!notPorts) { - BPF_LOG(ERR, AUTH, "Failed to retrieve not_destination_ports pointer"); + BPF_LOG(ERR, AUTH, "failed to retrieve not_destination_ports pointer"); return UNMATCHED; } #pragma unroll @@ -138,12 +138,12 @@ static int matchDstPorts(Istio__Security__Match *match, struct xdp_info *info, s } if (info->iph->version == 4) { if (bpf_htons(notPorts[i]) == tuple_info->ipv4.dport) { - BPF_LOG(DEBUG, AUTH, "Port %u in not_destination_ports, unmatched", notPorts[i]); + BPF_LOG(DEBUG, AUTH, "port %u in not_destination_ports, unmatched", notPorts[i]); return UNMATCHED; } } else { if (bpf_htons(notPorts[i]) == tuple_info->ipv6.dport) { - BPF_LOG(DEBUG, AUTH, "Port %u in not_destination_ports, unmatched", notPorts[i]); + BPF_LOG(DEBUG, AUTH, "port %u in not_destination_ports, unmatched", notPorts[i]); return UNMATCHED; } } @@ -151,13 +151,13 @@ static int matchDstPorts(Istio__Security__Match *match, struct xdp_info *info, s } // if not match not_destination_ports && has no destination_ports, return MATCHED if (match->n_destination_ports == 0) { - BPF_LOG(INFO, AUTH, "No destination_ports configured, matching by default"); + BPF_LOG(INFO, AUTH, "no destination_ports configured, matching by default"); return MATCHED; } ports = KMESH_GET_PTR_VAL(match->destination_ports, void *); if (!ports) { - BPF_LOG(ERR, AUTH, "Failed to retrieve destination_ports pointer"); + BPF_LOG(ERR, AUTH, "failed to retrieve destination_ports pointer"); return UNMATCHED; } #pragma unroll @@ -167,17 +167,17 @@ static int matchDstPorts(Istio__Security__Match *match, struct xdp_info *info, s } if (info->iph->version == 4) { if (bpf_htons(ports[i]) == tuple_info->ipv4.dport) { - BPF_LOG(INFO, AUTH, "Port %u in destination_ports, matched", ports[i]); + BPF_LOG(INFO, AUTH, "port %u in destination_ports, matched", ports[i]); return MATCHED; } } else { if (bpf_htons(ports[i]) == tuple_info->ipv6.dport) { - BPF_LOG(INFO, AUTH, "Port %u in destination_ports, matched", ports[i]); + BPF_LOG(INFO, AUTH, "port %u in destination_ports, matched", ports[i]); return MATCHED; } } } - BPF_LOG(DEBUG, AUTH, "No matching ports found, unmatched"); + BPF_LOG(DEBUG, AUTH, "no matching ports found, unmatched"); return UNMATCHED; } @@ -187,7 +187,7 @@ static int match_check(Istio__Security__Match *match, struct xdp_info *info, str // if multiple types are set, they are AND-ed, all matched is a match // todo: add other match types - matchResult = matchDstPorts(match, info, tuple_info); + matchResult = match_dst_ports(match, info, tuple_info); return matchResult; } @@ -229,7 +229,6 @@ static int rule_match_check(Istio__Security__Rule *rule, struct xdp_info *info, __u32 i; if (rule->n_clauses == 0) { - BPF_LOG(ERR, AUTH, "rule has no clauses\n"); return MATCHED; } // Clauses are AND-ed. @@ -275,7 +274,7 @@ int policy_check(struct xdp_md *ctx) match_ctx = bpf_map_lookup_elem(&kmesh_tc_args, &tuple_key); if (!match_ctx) { - BPF_LOG(ERR, AUTH, "Failed to retrieve tailcall context from kmesh_tc_args"); + BPF_LOG(ERR, AUTH, "failed to retrieve tailcall context from kmesh_tc_args"); return XDP_PASS; } @@ -287,13 +286,13 @@ int policy_check(struct xdp_md *ctx) // Safely access policyId and check if the policy exists if (bpf_probe_read_kernel(&policyId, sizeof(policyId), (void *)(policies->policyIds + match_ctx->policy_index)) != 0) { - BPF_LOG(ERR, AUTH, "Failed to read policyId, throw it to user auth"); + BPF_LOG(ERR, AUTH, "failed to read policyId, throw it to user auth"); goto auth_in_user_space; } policy = map_lookup_authz(policyId); if (!policy) { // if no policy matches in xdp, throw it to user auth - BPF_LOG(INFO, AUTH, "No more policy, throw it to user auth"); + BPF_LOG(INFO, AUTH, "no more policy, throw it to user auth"); goto auth_in_user_space; } else { rulesPtr = KMESH_GET_PTR_VAL(policy->rules, void *); @@ -306,7 +305,7 @@ int policy_check(struct xdp_md *ctx) match_ctx->action = policy->action; ret = bpf_map_update_elem(&kmesh_tc_args, &tuple_key, match_ctx, BPF_ANY); if (ret < 0) { - BPF_LOG(ERR, AUTH, "Failed to update map, error: %d", ret); + BPF_LOG(ERR, AUTH, "failed to update map, error: %d", ret); return XDP_PASS; } bpf_tail_call(ctx, &xdp_tailcall_map, TAIL_CALL_RULE_CHECK); @@ -315,7 +314,7 @@ int policy_check(struct xdp_md *ctx) auth_in_user_space: if (bpf_map_delete_elem(&kmesh_tc_args, &tuple_key) != 0) { - BPF_LOG(DEBUG, AUTH, "Failed to delete context from map"); + BPF_LOG(DEBUG, AUTH, "failed to delete context from map"); } bpf_tail_call(ctx, &xdp_tailcall_map, TAIL_CALL_AUTH_IN_USER_SPACE); return XDP_PASS; @@ -334,22 +333,22 @@ int rule_check(struct xdp_md *ctx) int i; if (construct_tuple_key(ctx, &tuple_key, &info) != PARSER_SUCC) { - BPF_LOG(ERR, AUTH, "Failed to get tuple key in rule_check"); + BPF_LOG(ERR, AUTH, "failed to get tuple key in rule_check"); return XDP_PASS; } match_ctx = bpf_map_lookup_elem(&kmesh_tc_args, &tuple_key); if (!match_ctx) { - BPF_LOG(ERR, AUTH, "Failed to retrieve match_context from map"); + BPF_LOG(ERR, AUTH, "failed to retrieve match_context from map"); return XDP_PASS; } for (i = 0; i < MAX_MEMBER_NUM_PER_POLICY; i++) { if (i >= match_ctx->n_rules) { - BPF_LOG(DEBUG, AUTH, "Rule index %d exceeds rule count %d, exiting loop", i, match_ctx->n_rules); + BPF_LOG(DEBUG, AUTH, "rule index %d exceeds rule count %d, exiting loop", i, match_ctx->n_rules); break; } if (!match_ctx) { - BPF_LOG(ERR, AUTH, "Failed to retrieve match_ctx from map"); + BPF_LOG(ERR, AUTH, "failed to retrieve match_ctx from map"); return XDP_PASS; } rulesPtr = match_ctx->rulesPtr; @@ -358,11 +357,11 @@ int rule_check(struct xdp_md *ctx) return XDP_PASS; } if (bpf_probe_read_kernel(&rule_addr, sizeof(rule_addr), &rulesPtr[i]) != 0) { - BPF_LOG(ERR, AUTH, "Failed to read rule address at index %d", i); + BPF_LOG(ERR, AUTH, "failed to read rule address at index %d", i); continue; } - rule = (Istio__Security__Rule *)KMESH_GET_PTR_VAL((void *)*((__u64 *)rulesPtr + i), Istio__Security__Rule); + rule = (Istio__Security__Rule *)KMESH_GET_PTR_VAL((void *)rule_addr, Istio__Security__Rule); if (!rule) { continue; } @@ -370,14 +369,14 @@ int rule_check(struct xdp_md *ctx) BPF_LOG( INFO, AUTH, - "Rule matched, action: %s", + "rule matched, action: %s", match_ctx->action == ISTIO__SECURITY__ACTION__DENY ? "DENY" : "ALLOW"); if (bpf_map_delete_elem(&kmesh_tc_args, &tuple_key) != 0) { - BPF_LOG(INFO, AUTH, "Failed to delete tail call context from map"); + BPF_LOG(INFO, AUTH, "failed to delete tail call context from map"); } __u32 auth_result = match_ctx->action == ISTIO__SECURITY__ACTION__DENY ? AUTH_DENY : AUTH_ALLOW; if (bpf_map_update_elem(&map_of_auth, &tuple_key, &auth_result, BPF_ANY) != 0) { - BPF_LOG(ERR, AUTH, "Failed to update auth result in map_of_auth"); + BPF_LOG(ERR, AUTH, "failed to update auth result in map_of_auth"); } return match_ctx->action == ISTIO__SECURITY__ACTION__DENY ? XDP_DROP : XDP_PASS; } @@ -385,13 +384,13 @@ int rule_check(struct xdp_md *ctx) match_ctx->policy_index++; if (match_ctx->policy_index >= MAX_MEMBER_NUM_PER_POLICY) { - BPF_LOG(ERR, AUTH, "Policy index out of bounds"); + BPF_LOG(ERR, AUTH, "policy index out of bounds"); bpf_tail_call(ctx, &xdp_tailcall_map, TAIL_CALL_AUTH_IN_USER_SPACE); } ret = bpf_map_update_elem(&kmesh_tc_args, &tuple_key, match_ctx, BPF_ANY); if (ret < 0) { - BPF_LOG(ERR, AUTH, "Failed to update map, error: %d", ret); + BPF_LOG(ERR, AUTH, "failed to update map, error: %d", ret); return XDP_PASS; } bpf_tail_call(ctx, &xdp_tailcall_map, TAIL_CALL_POLICY_CHECK); diff --git a/bpf/kmesh/workload/xdp.c b/bpf/kmesh/workload/xdp.c index fde9d0fd6..30fa11989 100644 --- a/bpf/kmesh/workload/xdp.c +++ b/bpf/kmesh/workload/xdp.c @@ -70,14 +70,14 @@ static inline int xdp_deny_packet(struct xdp_info *info, struct bpf_sock_tuple * return XDP_DROP; } -static bool is_authz_enabled() +static bool is_authz_offload_enabled() { - int key = 1; - int *value = NULL; - value = kmesh_map_lookup_elem(&kmesh_config_map, &key); + int kmesh_config_key = 0; + struct kmesh_config *value = {0}; + value = kmesh_map_lookup_elem(&kmesh_config_map, &kmesh_config_key); if (!value) return false; - return (*value == 1); + return ((*value).authz_offload == 1); } static inline wl_policies_v *get_workload_policies(struct xdp_info *info, struct bpf_sock_tuple *tuple_info) @@ -105,7 +105,7 @@ static inline wl_policies_v *get_workload_policies(struct xdp_info *info, struct SEC("xdp_auth") int xdp_authz(struct xdp_md *ctx) { - if (!is_authz_enabled()) { + if (!is_authz_offload_enabled()) { BPF_LOG(INFO, AUTH, "authz is not enabled, tail call to user auth"); bpf_tail_call(ctx, &xdp_tailcall_map, TAIL_CALL_AUTH_IN_USER_SPACE); return XDP_PASS; diff --git a/pkg/bpf/bpf.go b/pkg/bpf/bpf.go index ba810c90a..8bc7c80d8 100644 --- a/pkg/bpf/bpf.go +++ b/pkg/bpf/bpf.go @@ -60,9 +60,10 @@ type BpfLoader struct { } type KmeshBpfConfig struct { - BpfLogLevel uint32 - NodeIP [16]byte - PodGateway [16]byte + BpfLogLevel uint32 + NodeIP [16]byte + PodGateway [16]byte + AuthzOffload uint32 } func NewBpfLoader(config *options.BpfConfig) *BpfLoader { @@ -305,9 +306,10 @@ func (l *BpfLoader) setBpfProgOptions() { keyOfKmeshBpfConfig := uint32(0) ValueOfKmeshBpfConfig := KmeshBpfConfig{ // Write this map only when the kmesh daemon starts, so set bpfloglevel to the default value. - BpfLogLevel: constants.BPF_LOG_INFO, - NodeIP: nodeIP, - PodGateway: gateway, + BpfLogLevel: constants.BPF_LOG_INFO, + NodeIP: nodeIP, + PodGateway: gateway, + AuthzOffload: uint32(0), } if l.kmeshConfig != nil { diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go index fb9478a18..44aae9ef9 100644 --- a/pkg/constants/constants.go +++ b/pkg/constants/constants.go @@ -27,7 +27,9 @@ const ( // This annotation is used to indicate traffic redirection settings specific to Kmesh KmeshRedirectionAnnotation = "kmesh.net/redirection" - XDP_PROG_NAME = "xdp_authz" + XDP_PROG_NAME = "xdp_authz" + XDP_AUTHZ_ENABLED = 1 + XDP_AUTHZ_DISABLED = 0 RootCertPath = "/var/run/secrets/istio/root-cert.pem" TrustDomain = "cluster.local" diff --git a/pkg/status/status_server.go b/pkg/status/status_server.go index 16d432e35..39c6a8704 100644 --- a/pkg/status/status_server.go +++ b/pkg/status/status_server.go @@ -276,23 +276,27 @@ func (s *Server) authzHandler(w http.ResponseWriter, r *http.Request) { enabled, err := strconv.ParseBool(authzInfo) if err != nil { w.WriteHeader(http.StatusBadRequest) - _, _ = w.Write([]byte(fmt.Sprintf("invalid accesslog enable=%s", authzInfo))) + _, _ = w.Write([]byte(fmt.Sprintf("invalid authz enable=%s", authzInfo))) return } - key := uint32(1) - value := uint32(0) - if enabled { - value = 1 - } - + key := uint32(0) + value := bpf.KmeshBpfConfig{} if s.kmeshConfigMap == nil { - http.Error(w, "update log level error: kmeshConfigMap is nil", http.StatusBadRequest) + http.Error(w, fmt.Sprintf("update authz error: %v", "kmeshConfigMap is nil"), http.StatusBadRequest) return } - - if err := s.kmeshConfigMap.Update(&key, &value, ebpf.UpdateAny); err != nil { - http.Error(w, fmt.Sprintf("update log level error: %v", err), http.StatusBadRequest) + if err = s.kmeshConfigMap.Lookup(&key, &value); err != nil { + http.Error(w, fmt.Sprintf("get kmesh config error: %v", err), http.StatusBadRequest) + return + } + if enabled { + value.AuthzOffload = constants.XDP_AUTHZ_ENABLED + } else { + value.AuthzOffload = constants.XDP_AUTHZ_DISABLED + } + if err = s.kmeshConfigMap.Update(&key, &value, ebpf.UpdateAny); err != nil { + http.Error(w, fmt.Sprintf("update authz error: %v", err), http.StatusBadRequest) return } @@ -458,7 +462,7 @@ func (s *Server) getBpfLogLevel() (*LoggerInfo, error) { loggerLevel, exists := logLevelMap[int(logLevel)] if !exists { - return nil, fmt.Errorf("unexpected invalid log level: %d", value) + return nil, fmt.Errorf("unexpected invalid log level: %d", value.BpfLogLevel) } return &LoggerInfo{ From e22e641d0e507b61fe6f26b66699944ae84c79e4 Mon Sep 17 00:00:00 2001 From: weli-l <1289113577@qq.com> Date: Mon, 18 Nov 2024 20:09:14 +0800 Subject: [PATCH 8/8] modify kmesh_config entries to 1 Signed-off-by: weli-l <1289113577@qq.com> --- bpf/include/common.h | 2 +- deploy/charts/kmesh-helm/templates/kmesh-rbac.yaml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/bpf/include/common.h b/bpf/include/common.h index d10b40168..49a9ebf91 100644 --- a/bpf/include/common.h +++ b/bpf/include/common.h @@ -145,7 +145,7 @@ struct { */ struct { __uint(type, BPF_MAP_TYPE_ARRAY); - __uint(max_entries, 4); + __uint(max_entries, 1); __type(key, int); __type(value, struct kmesh_config); } kmesh_config_map SEC(".maps"); diff --git a/deploy/charts/kmesh-helm/templates/kmesh-rbac.yaml b/deploy/charts/kmesh-helm/templates/kmesh-rbac.yaml index 1df85c3a6..dbc575371 100644 --- a/deploy/charts/kmesh-helm/templates/kmesh-rbac.yaml +++ b/deploy/charts/kmesh-helm/templates/kmesh-rbac.yaml @@ -13,6 +13,7 @@ rules: - pods - services - namespaces + - nodes verbs: - get - update