Branch: icept.2
Commits on Nov 16, 2019
  1. icept: debug output

    wdebruij committed Aug 21, 2019
    observe the flow of traffic with
    
      cat /sys/kernel/debug/tracing/trace_pipe &
    
    Signed-off-by: Willem de Bruijn <willemb@google.com>
  2. icept: add kTLS

    wdebruij committed Nov 16, 2019
    Optionally use kTLS between the two icept processes.
    
    sk_msg works with kTLS
    
    with kernel changes
    
    "
        @@ -859,6 +861,7 @@ static int __init tls_register(void)
    
                tls_sw_proto_ops = inet_stream_ops;
                tls_sw_proto_ops.splice_read = tls_sw_splice_read;
        +       tls_sw_proto_ops.sendpage_locked   = tls_sw_sendpage_locked,
    "
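Review bot: the added assignment on the `+` line ends with a comma where the two `tls_sw_proto_ops` lines above it end with a semicolon; `tls_sw_proto_ops.sendpage_locked   = tls_sw_sendpage_locked,` only compiles if the next statement happens to be an expression and reads as a typo either way, so change the trailing `,` to `;`.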
    
    and
    
    "
         int tls_sw_sendpage_locked(struct sock *sk, struct page *page,
                                    int offset, size_t size, int flags)
         {
               if (flags & ~(MSG_MORE | MSG_DONTWAIT | MSG_NOSIGNAL |
        -                     MSG_SENDPAGE_NOTLAST | MSG_SENDPAGE_NOPOLICY))
        +                     MSG_SENDPAGE_NOTLAST | MSG_SENDPAGE_NOPOLICY | MSG_NO_SHARED_FRAGS))
                         return -ENOTSUPP;
    "
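Review bot: adding MSG_NO_SHARED_FRAGS to the accepted mask stops tls_sw_sendpage_locked from returning -ENOTSUPP for that flag, but nothing in the hunk acts on it; if the TLS software path can safely ignore the flag because it copies page data into its own records before encrypting, say so in a one-line comment above the mask, otherwise the flag needs to be honoured before it is accepted.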
    
    Signed-off-by: Willem de Bruijn <willemb@google.com>
  3. icept: add skmsg interception

    wdebruij committed Nov 15, 2019
    Avoid the need for iptables rules.
    
    Splice traffic from client/server directly into icept egress socket.
    
    Attach a bpf program to the client/server cgroups to intercept all
    connection establishment. Insert the new sockets into a sockmap.
    
    Attach a bpf program to this sockmap to intercept all send calls.
    Call bpf_skb_redirect_msg to redirect to the icept egress socket.
    
    Signed-off-by: Willem de Bruijn <willemb@google.com>
  4. icept: run client and server in cgroup

    wdebruij committed Nov 15, 2019
    A prerequisite for skmsg interception
    
    Signed-off-by: Willem de Bruijn <willemb@google.com>
  5. icept: add sockmap interception

    wdebruij committed Nov 15, 2019
    Splice data from the interception agents' ingress to egress sockets.
    Avoid the recv()/send() system calls.
    
    Attach bpf sockmap parse and verdict callbacks to the sockets and
    use bpf_sk_redirect_map to splice.
    
    Signed-off-by: Willem de Bruijn <willemb@google.com>
  6. icept: add splice interception

    wdebruij committed Nov 15, 2019
    Optionally replace the recv() + send() pair with splice() in the
    interception agents.
    
    Signed-off-by: Willem de Bruijn <willemb@google.com>
  7. icept: add iptables interception

    wdebruij committed Nov 16, 2019
In each namespace, start an interception process on port 8000.
    
    Install ip(6)tables REDIRECT rules to redirect client/server traffic
    there.
    
    Make iptables based interception pass also on hosts that have
    replaced standard ip(6)tables with their nftables alternatives.
    
    Signed-off-by: Willem de Bruijn <willemb@google.com>
  8. icept: initial client/server test

    wdebruij committed Jul 16, 2019
    Preparation for an interception test.
    
Create a simple client/server pair that exchanges 1-byte messages.
    The client sends message 'a' to the server, which responds with
    message 'b'.
    
    Run the test both over IPv4 and IPv6.
    
The processes run in private network namespaces and communicate
over veth. This state is set up with the helper script with_veth.sh.
    
    Signed-off-by: Willem de Bruijn <willemb@google.com>
Commits on Nov 15, 2019
  1. ktls: test splice

    wdebruij committed Nov 5, 2019
    Verify that kTLS sockets work with the splice() call.
    
    Signed-off-by: Willem de Bruijn <willemb@google.com>
Commits on Aug 21, 2019
  1. ktls: example server

    wdebruij committed Jul 27, 2019
    Create a simple TCP server that echoes client input. Run over TLS and
    optionally off-load the datapath to kTLS.
    
    To validate the implementation, communicate with a standard client:
    either socat or openssl s_client.
    
    In kTLS mode the server must pass the session state from OpenSSL to
    the kernel. OpenSSL does not implement an API to extract this data.
    The current approach is to locally redefine some internal structs.
    This is obviously fragile. On top of that, it requires OpenSSL 1.0,
    as 1.1+ purposely hides even more struct types.
    
    Signed-off-by: Willem de Bruijn <willemb@google.com>
Commits on Nov 20, 2018
  1. tests: add test for tx_ring page overwrite

    wdebruij committed Nov 20, 2018
    See also netdev thread
    
      VETH & AF_PACKET problem
      http://www.spinics.net/lists/netdev/msg533177.html
  1. Add basic echo request/response test

    wdebruij committed May 1, 2017
pingpong_tcpudp sends a simple echo request/response pair over
packet sockets, mimicking TCP or UDP headers.
  1. tests: extend psock_txring_vnet with vnet_hdr without GSO

    wdebruij committed Oct 21, 2016
    Allow passing a vnet_hdr to the packet socket without triggering
    segmentation offload. This allows testing checksum offload on MTU
    sized packets.
Commits on Aug 8, 2016
  1. tools: import tcplate

    wdebruij committed Aug 8, 2016
    tcplate computes traffic shaping latency by reading egress
    packet timestamps with nflog and packet sockets.
    
    SO_TIMESTAMPING offers a more complete timestamping solution
    for processes that own file descriptors. Tcplate is geared at
    casual latency monitoring by administrators.
Commits on Mar 21, 2016
  1. tests: extend psock_txring_vnet features

    wdebruij committed Mar 21, 2016
    Add
    - PACKET_QDISC_BYPASS support
    - Short input support
      - override length flag
      - drop CAP_SYS_RAWIO to force min length check in kernel
    
    Fix
    - Always allocate large enough ring slot
Commits on Jan 31, 2016
  1. tests: demo process for tpacket_snd with vnet

    wdebruij committed Jan 31, 2016
    Add a test that writes over a packet socket both
    - with and without PACKET_TX_RING
    - with and without PACKET_VNET_HDR
  2. tests: demo process for tpacket_rcv with vnet

    wdebruij committed Jan 31, 2016
    Add a test that reads from a packet socket ring with both options
    PACKET_RX_RING and PACKET_VNET_HDR enabled.
  1. test: bench_rollover: spawn after socket init

    wdebruij committed May 9, 2015
Delay concurrent execution until the socket fanout group is completely
initialized.
    
    Signed-off-by: Willem de Bruijn <willemb@google.com>
Commits on May 6, 2015
  1. test: benchmark for packet socket rollover

    wdebruij committed May 4, 2015
    A benchmark process that creates multiple packet sockets in a single
    fanout group. It spawns one process per socket and pins each process
    to its own core. Each process reads the packets arriving on that cpu.
    The socket group has flag PACKET_FANOUT_FLAG_ROLLOVER enabled, so
    that a saturated cpu can offload packets to others in the group.
    
    Use this with a remote packet generator (such as pktgen.ko) to cause
    high load. Send a single 4-tuple to cause load imbalance. To create
    socket overload without saturating the physical link, limit the
    processing rate of each socket reader process by passing -l $RATE.
    
    Signed-off-by: Willem de Bruijn <willemb@google.com>
  1. add msg_tstamp.c

    wdebruij committed Jul 3, 2014
  2. Create LICENSE.md

    wdebruij committed Jul 3, 2014