Tc

.github/workflows/ci.yaml

@@ -63,21 +63,25 @@ jobs:
           username: ${{github.actor}}
           password: ${{secrets.GITHUB_TOKEN}}
 
-      - name: "Build and push to ghcr"
+      - name: "Build container"
         run: |
           #Cross-build
           cd sfunnel
 
-          echo "Fix mess with tags in actions/checkout..."
-          git fetch -f && git fetch -f --tags
-
           export TAG=$(git describe HEAD | sed 's/-.*$//g' | tr -d "v")
           EXACT_TAG=$(git describe --exact-match --match "v*" || echo "")
+          docker buildx build --platform ${PLATFORMS} -t sfunnel --load -f docker/Dockerfile .
+          docker image ls sfunnel
+
+      - name: "Run container with default ruleset"
+        run: |
+          docker image ls sfunnel:latest
+          docker run --privileged sfunnel:latest > output
+          grep "[NOTICE] Using default ruleset2" output || (echo "ERROR: unable to validate it loads default ruleset") && exit 1)
 
+      - name: "Push to ghcr"
+        run: |
           if [[ "${EXACT_TAG}" != "" ]]; then
-            echo "Cross-building and PUSHING!"
+            echo "Pushing to ghcr.io..."
             docker buildx build --platform ${PLATFORMS} --push -f docker/Dockerfile . --tag ghcr.io/${GITHUB_REPOSITORY}:${TAG}
-          else
-            echo "Cross-building ONLY"
-            docker buildx build --platform ${PLATFORMS} -f docker/Dockerfile .
           fi

docker/entrypoint.sh

@@ -5,23 +5,43 @@ set -x
 
 N_ATTEMPTS=5
 RETRY_DELAY=5
-PROG=tc_sfunnel.o
+PROG=/opt/sfunnel/src/tc_sfunnel.o
 
-#Compile eBPF programs
+#Compile eBPF program only if rulesset are defined at load time
+#either via file or ENV
 compile(){
-	cd /opt/sfunnel
-	make compile
+	cd /opt/sfunnel/src
+	make
 }
 
 #$1: PROG
 #$2: IFACE
 load_prog(){
 	tc qdisc add dev $2 clsact
-	tc filter add dev $2 ingress bpf da obj /opt/sfunnel/$1 sec funnel verbose
+	tc filter add dev $2 ingress bpf da obj $1 sec funnel verbose
 }
 
-#Compile for this specific kernel
-#compile
+###
+
+#If SFUNNEL_RULESET is defined, create the file
+if [[ "$SFUNNEL_RULESET" != "" ]]; then
+	echo "[NOTICE] SFUNNEL_RULESET='$SFUNNEL_RULESET'"
+	echo $FUNNEL_RULESET > /opt/sfunnel/src/ruleset
+fi
+
+#Compile programs, if necessary
+if test -f /opt/sfunnel/src/ruleset; then
+	echo "[NOTICE] Compiling sfunnel with ruleset..."
+	echo "==="
+	cat /opt/sfunnel/src/ruleset
+	echo "==="
+	compile
+else
+	echo "[NOTICE] Using default ruleset..."
+	echo "==="
+	cat /opt/sfunnel/src/ruleset.default
+	echo "==="
+fi
 
 #Show
 ls -la /opt/sfunnel

src/.gitignore

@@ -1 +1 @@
-rules.h
+ruleset.h

src/Makefile

@@ -1,9 +1,11 @@
 all: compile
 
+FILE := $(or $(wildcard ruleset), ruleset.default)
+
 compile:
-	python3 ../tools/gen.py rules.default > rules.h
+	python3 ../tools/gen.py $(FILE) > ruleset.h
 	clang -O2 -Wall -Werror -g -target bpf -c sfunnel.c -o tc_sfunnel.o
 
 clean:
 	rm -rf *.o || true
-	rm -rf rules.h || true
+	rm -rf ruleset.h || true

src/common.h

@@ -106,6 +106,6 @@ typedef struct sfunnel_ip4_rule {
 	} actions;
 }sfunnel_ip4_rule_t;
 
-#include "rules.h"
+#include "ruleset.h"
 
 #endif //FUNNEL_COMMON_H

test/.gitignore

@@ -1 +1 @@
-rules.h
+ruleset.h

test/Makefile

@@ -45,8 +45,9 @@ unload:
 	$(QUIET)sudo tc filter del dev veth2 egress || true
 
 compile:
-	$(QUIET)python3 ../tools/gen.py ../src/rules.default > rules.h
-	$(QUIET)clang -DTEST_TCP_FUNNELING=1 -O2 -Wall -Werror -I. -g -target bpf -c ../src/sfunnel.c -o tc_sfunnel.o
+	$(QUIET)rm ../src/ruleset.h || true
+	$(QUIET)python3 ../tools/gen.py ../src/ruleset.default > ruleset.h
+	$(QUIET)clang -DTEST_TCP_FUNNELING=1 -O2 -Wall -Werror -I./ -g -target bpf -c ../src/sfunnel.c -o tc_sfunnel.o
 
 show:
 	$(QUIET)sudo tc filter show dev veth0 ingress