Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Dataplane: optimize early host-endpoint blacklist rules #1991

merged 14 commits into from Apr 12, 2019


None yet
6 participants
Copy link

commented Apr 11, 2019


This adds support for optimizing suitable GlobalNetworkPolicy rules with XDP.
Given host support, eligible policies will be optimized automatically.

It adds a new XDP Manager that keeps the state for XDP and defines callbacks to
get information from the calculation graph. Additionally, existing managers are
extended so the XDP Manager can access their information.

To implement low-level functionality, it adds a BPF library that shells out to
the bpftool and ip tools.


  • Unit tests (full coverage)
  • Integration tests (delete as appropriate) In plan/Not needed/Done
  • Documentation
  • Backport
  • Release note

Release Note

git: Allow skipping some checks in pre-commit hook
The new `git-hooks/files-to-skip` file contains a list of files that
should not be checked for copyright or goimports. The obvious
candidates for skipping such checks are generated source files that
are not based on some template.

This commits adds one file to the list - the generated go code from
protobuf definitions.

@iaguis iaguis requested a review from projectcalico/core-maintainers as a code owner Apr 11, 2019


This comment has been minimized.

Copy link

commented Apr 11, 2019

CLA assistant check
All committers have signed the CLA.

@iaguis iaguis referenced this pull request Apr 11, 2019


Add new tool to the image and bump Felix #208

0 of 3 tasks complete

@iaguis iaguis changed the title dataplane: optimise early host-endpoint blacklist rules dataplane: optimize early host-endpoint blacklist rules Apr 11, 2019

iaguis and others added some commits Feb 19, 2019

image: Build bpftool in the image
bpftool is required by the bpf library, so it needs to be a part of
the image that has felix.
bpf dumper: Implement command line tool felix-xdp for debugging XDP maps
It can dump the content of the failsafe port map and the blacklist map
for all network interfaces with a XDP program attached.

$ sudo -E go run bpf/cmd/felix-xdp.go dump
Failsafe ports:
  TCP: 22
  UDP: 53
  TCP: 53
  TCP: 80
Interfaces with blacklist:
  eth42: value=1 value=1

Additionally, for debugging, maps can be populated with example values
by the "populate" command:

$ sudo -E go run bpf/cmd/felix-xdp.go populate
bpf: Add XDP program and means to build it
The program implements blocking the traffic by consulting the BPF maps
that serve as blacklists.

This also adds a docker file for building an image with clang, so we
can compile the C code into an ELF object file with the the BPF

The above are used in the Makefile.

Co-authored-by: Alban Crequy <>
glide: add some dependencies for the follow-up work
This includes packr2 for putting files in the go code. This required
bumping logrus and cobra to fix compilation.

Co-authored-by: Alban Crequy <>
fv: add XDP tests
Co-authored-by: Iago López Galeiras <>
versionparse, iptables: Move version parsing to a separate package
We will need to parse kernel version in some follow-up commit, so to
avoid the duplication of the same functionality that the iptables
package already has, move the version parsing to the separate package.
license-checker: Fix licenses of the new dependencies
Some dependencies we added have some variant of a BSD license the
checker didn't know about. Add them.
config, dataplane: add parameters related to XDP functionality
XDPENABLED is about enabling XDP functionality (which is disabled by
default), provided that the system will meet certain requirements.

GENERICXDPENABLED is about allowing using the generic XDP mode, which is
the slowest one available. It is mostly used for debugging/testing.

XDPREFRESHINTERNAL is about how often the internal view of XDP state
in Felix should be synchronized with the actual state of XDP on the

These get translated to internal dataplane options. The options are
not yet used, though.
dataplane, ipsets: add callbacks for some events in managers
These callbacks will be used by the XDP functionality coming in the
follow-up commit. The implementation is quite simple, since there will
be just one consumer of the callbacks functionality for now.

Later, if more consumers of callbacks appear, the implementation will
need to change to use slices to allow many callbacks for an
event. This kind of change should not change the API of callbacks,

Also, for type-safety reasons, the code is quite repetitive, so maybe
writing a simple code-generator could be an option.
dataplane: make blocking traffic more performant for some kind of pol…

This commit introduces an XDP state that does all the tracking and
managing of the BPF state related to XDP. It uses callbacks to receive
all the necessary information to decide whether a policy could be
optimized with XDP. It uses the BPF library to make the changes in the
system state.

Co-authored-by: Iago López Galeiras <>
dataplane: hook the XDP state to the internal dataplane loop
Here, we check if the system meets the requirements (new enough
kernel, expected endianness) to actually enable XDP if it was
explicitly requested. Internal dataplane creates the failsafe BPF map
and the XDP state object and integrates that in its loop.

Co-authored-by: Iago López Galeiras <>
bpf: Add a mock bpf library
This will be used in the unit tests to avoid messing with the system
bpf: Implement bpftool library in Go for Felix
Package bpf provides primitives to manage Calico-specific XDP programs
attached to network interfaces, along with the blacklist LPM map and the
failsafe map.

It does not call the bpf() syscall itself but executes external programs
like bpftool and ip.

It can be tested with:
sudo -E go test -v ./bpf -count=1

This also packs the XDP program into the library with packr2.

Co-authored-by: Iago López Galeiras <>

@iaguis iaguis force-pushed the kinvolk:kinvolk/fast-blacklist branch from 50fd9e4 to b7b026f Apr 11, 2019

@fasaxc fasaxc self-assigned this Apr 12, 2019

@fasaxc fasaxc changed the title dataplane: optimize early host-endpoint blacklist rules Dataplane: optimize early host-endpoint blacklist rules Apr 12, 2019


fasaxc approved these changes Apr 12, 2019

@fasaxc fasaxc merged commit cbc711e into projectcalico:master Apr 12, 2019

2 checks passed

license/cla Contributor License Agreement is signed.
semaphoreci The build passed on Semaphore.

This comment has been minimized.

Copy link

commented Apr 24, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.