additional changes to maps for memory optimization
r-caamano committed May 22, 2024
1 parent b6fa3c6 commit f44fddd
Showing 2 changed files with 42 additions and 41 deletions.
50 changes: 27 additions & 23 deletions src/zfw.c
Expand Up @@ -294,7 +294,11 @@ struct tproxy_tuple
{
__u16 index_len;
__u16 index_table[MAX_INDEX_ENTRIES];
struct tproxy_port_mapping port_mapping[MAX_TABLE_SIZE];
};

struct range_mapping {
__u16 high_port;
__u16 tproxy_port;
};

struct tproxy_key
Expand Down Expand Up @@ -611,7 +615,6 @@ void add_index(__u16 index, struct tproxy_port_mapping *mapping, struct tproxy_t
return;
}
}
memcpy((void *)&tuple->port_mapping[index], (void *)mapping, sizeof(struct tproxy_port_mapping));
}

void remove_index(__u16 index, struct tproxy_tuple *tuple)
Expand All @@ -633,7 +636,6 @@ void remove_index(__u16 index, struct tproxy_tuple *tuple)
tuple->index_table[x] = tuple->index_table[x + 1];
}
tuple->index_len -= 1;
memset((void *)&tuple->port_mapping[index], 0, sizeof(struct tproxy_port_mapping));
printf("mapping[%d] removed\n", ntohs(index));
}
else
Expand Down Expand Up @@ -726,7 +728,7 @@ void print_rule(struct tproxy_key *key, struct tproxy_tuple *tuple, int *rule_co
port_ext_key.pad = 0;

range_map.key = (uint64_t)&port_ext_key;
__u16 range_value;
struct range_mapping range_value;
range_map.value = (uint64_t)&range_value;
range_map.map_fd = range_fd;
range_map.flags = BPF_ANY;
Expand All @@ -735,28 +737,28 @@ void print_rule(struct tproxy_key *key, struct tproxy_tuple *tuple, int *rule_co
for (; x < tuple->index_len; x++)
{
__u16 port_key = tuple->index_table[x];
ext_key.tproxy_port = tuple->port_mapping[port_key].tproxy_port;
int tp_ext_lookup = syscall(__NR_bpf, BPF_MAP_LOOKUP_ELEM, &tp_ext_map, sizeof(tp_ext_map));
port_ext_key.low_port = port_key;
int range_lookup = syscall(__NR_bpf, BPF_MAP_LOOKUP_ELEM, &range_map, sizeof(range_map));
ext_key.tproxy_port = range_value.tproxy_port;
int tp_ext_lookup = syscall(__NR_bpf, BPF_MAP_LOOKUP_ELEM, &tp_ext_map, sizeof(tp_ext_map));
if(!range_lookup){
sprintf(dpts, "dpts=%d:%d", ntohs(port_key),
ntohs(range_value));
ntohs(range_value.high_port));
int if_ext_lookup = syscall(__NR_bpf, BPF_MAP_LOOKUP_ELEM, &if_list_ext_map, sizeof(if_list_ext_map));
if (intercept && !passthru)
{
bool entry_exists = false;
if (tun_mode)
if (tun_mode && (ntohs(range_value.tproxy_port) > 0))
{
printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\tTUNMODE redirect:%-15s", tp_ext_lookup ? "" : ext_value.service_id, proto, scidr_block, dcidr_block,
printf("%-22s\t%-3s\t%-20s\t%-32s%-17s\tTUNMODE redirect:%-15s", tp_ext_lookup ? "?" : ext_value.service_id, proto, scidr_block, dcidr_block,
dpts, o_tunif.ifname);
entry_exists = true;
*rule_count += 1;
}
else if (ntohs(tuple->port_mapping[port_key].tproxy_port) > 0)
else if (ntohs(range_value.tproxy_port) > 0)
{
printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\tTPROXY redirect 127.0.0.1:%-6d", tp_ext_lookup ? "" : ext_value.service_id, proto, scidr_block, dcidr_block,
dpts, ntohs(tuple->port_mapping[port_key].tproxy_port));
printf("%-22s\t%-3s\t%-20s\t%-32s%-17s\tTPROXY redirect 127.0.0.1:%-6d", tp_ext_lookup ? "?" : ext_value.service_id, proto, scidr_block, dcidr_block,
dpts, ntohs(range_value.tproxy_port));
entry_exists = true;
*rule_count += 1;
}
Expand Down Expand Up @@ -789,9 +791,9 @@ void print_rule(struct tproxy_key *key, struct tproxy_tuple *tuple, int *rule_co
}
else if (passthru && !intercept)
{
if (ntohs(tuple->port_mapping[port_key].tproxy_port) == 0)
if (ntohs(range_value.tproxy_port) == 0)
{
printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\t%s to %-20s", tp_ext_lookup ? "" : ext_value.service_id, proto, scidr_block, dcidr_block,
printf("%-22s\t%-3s\t%-20s\t%-32s%-17s\t%s to %-20s", tp_ext_lookup ? "?" : ext_value.service_id, proto, scidr_block, dcidr_block,
dpts, "PASSTHRU", dcidr_block);
char interfaces[IF_NAMESIZE * MAX_IF_LIST_ENTRIES + 8] = "";
if(!if_ext_lookup){
Expand Down Expand Up @@ -824,19 +826,19 @@ void print_rule(struct tproxy_key *key, struct tproxy_tuple *tuple, int *rule_co
}
else
{
if (tun_mode)
if (tun_mode && (ntohs(range_value.tproxy_port) > 0))
{
printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\tTUNMODE redirect:%-15s", tp_ext_lookup ? "" : ext_value.service_id, proto, scidr_block, dcidr_block,
printf("%-22s\t%-3s\t%-20s\t%-32s%-17s\tTUNMODE redirect:%-15s", tp_ext_lookup ? "?" : ext_value.service_id, proto, scidr_block, dcidr_block,
dpts, o_tunif.ifname);
}
else if (ntohs(tuple->port_mapping[port_key].tproxy_port) > 0)
else if (ntohs(range_value.tproxy_port) > 0)
{
printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\tTPROXY redirect 127.0.0.1:%-6d", tp_ext_lookup ? "" : ext_value.service_id, proto, scidr_block, dcidr_block,
dpts, ntohs(tuple->port_mapping[port_key].tproxy_port));
printf("%-22s\t%-3s\t%-20s\t%-32s%-17s\tTPROXY redirect 127.0.0.1:%-6d", tp_ext_lookup ? "?" : ext_value.service_id, proto, scidr_block, dcidr_block,
dpts, ntohs(range_value.tproxy_port));
}
else
{
printf("%-11s\t%-3s\t%-20s\t%-32s%-17s\t%s to %-20s", tp_ext_lookup ? "" : ext_value.service_id, proto, scidr_block, dcidr_block,
printf("%-22s\t%-3s\t%-20s\t%-32s%-17s\t%s to %-20s", tp_ext_lookup ? "" : ext_value.service_id, proto, scidr_block, dcidr_block,
dpts, "PASSTHRU", dcidr_block);
}
char interfaces[IF_NAMESIZE * MAX_IF_LIST_ENTRIES + 8] = "";
Expand Down Expand Up @@ -2386,8 +2388,11 @@ void set_range(struct port_extension_key key){
}
printf("Setting range\n");
range_map.key = (uint64_t)&key;
__u16 range_high_port = htons(high_port);
range_map.value = (uint64_t)&range_high_port;
struct range_mapping range_ports = {
htons(high_port),
htons(tproxy_port)
};
range_map.value = (uint64_t)&range_ports;
range_map.map_fd = range_fd;
range_map.flags = BPF_ANY;
int result = syscall(__NR_bpf, BPF_MAP_UPDATE_ELEM, &range_map, sizeof(range_map));
Expand Down Expand Up @@ -2485,7 +2490,6 @@ void map_insert()
/* create a new tproxy prefix entry and add port range to it */
rule->index_len = 1;
rule->index_table[0] = *index;
memcpy((void *)&rule->port_mapping[*index], (void *)port_mapping, sizeof(struct tproxy_port_mapping));
map.value = (uint64_t)rule;
union bpf_attr count_map;
memset(&count_map, 0, sizeof(count_map));
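Review bot: In print_rule, `range_value` is declared without an initializer and `ext_key.tproxy_port = range_value.tproxy_port;` runs before `range_lookup` is checked, so a failed range_map lookup puts an indeterminate (or previous-iteration) port into the key used for the tp_ext_map lookup. Declare it as `struct range_mapping range_value = {0};` and move the `ext_key.tproxy_port` assignment and the `tp_ext_lookup` syscall inside the `if(!range_lookup)` branch; as far as the visible lines show, `tp_ext_lookup` is only consumed there. That way the service id printed for a firewall rule always comes from the entry that was actually read. print_rule starts and ends outside the hunks shown, so this should be confirmed against the full function.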
33 changes: 15 additions & 18 deletions src/zfw_tc_ingress.c
Expand Up @@ -91,6 +91,11 @@ struct port_extension_key {
__u8 pad;
};

struct range_mapping {
__u16 high_port;
__u16 tproxy_port;
};

struct tproxy_port_mapping {
__u16 tproxy_port;
};
Expand All @@ -102,13 +107,6 @@ struct tproxy_tuple {
* with each populated index representing a udp or tcp tproxy
* mapping in the port_mapping array
*/
struct tproxy_port_mapping port_mapping[MAX_TABLE_SIZE];/*Array to store unique tproxy mappings
* with each index matches the low_port of
* struct tproxy_port_mapping {
* __u16 high_port;
* __u16 tproxy_port;
* }
*/
};

/*key to zt_tproxy_map*/
Expand Down Expand Up @@ -412,7 +410,7 @@ struct {
struct {
__uint(type, BPF_MAP_TYPE_HASH);
__uint(key_size, sizeof(struct port_extension_key));
__uint(value_size, sizeof(uint16_t));
__uint(value_size, sizeof(struct range_mapping));
__uint(max_entries, 132000);
__uint(pinning, LIBBPF_PIN_BY_NAME);
__uint(map_flags, BPF_F_NO_PREALLOC);
Expand All @@ -433,8 +431,8 @@ static inline struct if_list_extension_mapping *get_if_list_ext_mapping(struct p
return ifem;
}

static inline __u16 *get_high_port(struct port_extension_key key){
__u16 *hp;
static inline struct range_mapping *get_range_ports(struct port_extension_key key){
struct range_mapping *hp;
hp = bpf_map_lookup_elem(&range_map, &key);
if(hp){
return hp;
Expand Down Expand Up @@ -1576,20 +1574,19 @@ int bpf_sk_splice5(struct __sk_buff *skb){
for (int index = 0; index < max_entries; index++){
int port_key = tproxy->index_table[index];
struct port_extension_key ext_key = {key.dst_ip, key.src_ip, port_key, key.dprefix_len, key.sprefix_len, protocol, 0};
__u16 *high_port = get_high_port(ext_key);
bpf_printk("high=%u\n",high_port);
struct range_mapping *range = get_range_ports(ext_key);
//check if there is a udp or tcp destination port match
if (high_port && ((bpf_ntohs(tuple->ipv4.dport) >= bpf_ntohs(port_key))
&& (bpf_ntohs(tuple->ipv4.dport) <= bpf_ntohs(*high_port))))
if (range && ((bpf_ntohs(tuple->ipv4.dport) >= bpf_ntohs(port_key))
&& (bpf_ntohs(tuple->ipv4.dport) <= bpf_ntohs(range->high_port))))
{
event.proto = key.protocol;
event.tport = tproxy->port_mapping[port_key].tproxy_port;
event.tport = range->tproxy_port;
/*check if interface is set for per interface rule awarness and if yes check if it is in the rules interface list. If not in
the interface list drop it on all interfaces accept loopback. If its not aware then forward based on mapping*/
sockcheck.ipv4.daddr = 0x0100007f;
sockcheck.ipv4.dport = tproxy->port_mapping[port_key].tproxy_port;
sockcheck.ipv4.dport = range->tproxy_port;
if(!local_diag->per_interface){
if(tproxy->port_mapping[port_key].tproxy_port == 0){
if(range->tproxy_port == 0){
if(local_diag->verbose){
send_event(&event);
}
Expand Down Expand Up @@ -1642,7 +1639,7 @@ int bpf_sk_splice5(struct __sk_buff *skb){
if(ext_mapping){
for(int x = 0; x < MAX_IF_LIST_ENTRIES; x++){
if(ext_mapping->if_list[x] == skb->ifindex){
if(tproxy->port_mapping[port_key].tproxy_port == 0){
if(range->tproxy_port == 0){
if(local_diag->verbose){
send_event(&event);
}
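Review bot: The `range_map` definition changes `value_size` from `sizeof(uint16_t)` to `sizeof(struct range_mapping)` while keeping `LIBBPF_PIN_BY_NAME`, so a host that still has the map pinned by an earlier build holds it in the old 2-byte layout. libbpf normally refuses to reuse a pinned map whose value size differs, and nothing in the visible lines shows how that upgrade case is handled. I would document the contract at the map definition, for example `/* value: struct range_mapping {high_port, tproxy_port}, network byte order; must match src/zfw.c; remove any range_map pinned by an older build before loading */`. The retained comment in `struct tproxy_tuple` still refers to "the port_mapping array", which this commit removes, and should be reworded to point at `range_map`.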
