From e517cebeb96895b7d2a269411979f4e6eaff1c91 Mon Sep 17 00:00:00 2001 From: Marc Sune Date: Tue, 27 Aug 2024 12:56:25 +0200 Subject: [PATCH] Tc --- .github/workflows/ci.yaml | 20 +++++++++------ docker/entrypoint.sh | 34 ++++++++++++++++++++------ src/.gitignore | 2 +- src/Makefile | 6 +++-- src/common.h | 2 +- src/{rules.default => ruleset.default} | 0 test/.gitignore | 2 +- test/Makefile | 5 ++-- 8 files changed, 49 insertions(+), 22 deletions(-) rename src/{rules.default => ruleset.default} (100%) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 218478a..4a5afac 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -63,21 +63,25 @@ jobs: username: ${{github.actor}} password: ${{secrets.GITHUB_TOKEN}} - - name: "Build and push to ghcr" + - name: "Build container" run: | #Cross-build cd sfunnel - echo "Fix mess with tags in actions/checkout..." - git fetch -f && git fetch -f --tags - export TAG=$(git describe HEAD | sed 's/-.*$//g' | tr -d "v") EXACT_TAG=$(git describe --exact-match --match "v*" || echo "") + docker buildx build --platform ${PLATFORMS} -t sfunnel --load -f docker/Dockerfile . + docker image ls sfunnel + + - name: "Run container with default ruleset" + run: | + docker image ls sfunnel:latest + docker run --privileged sfunnel:latest > output + grep "[NOTICE] Using default ruleset2" output || (echo "ERROR: unable to validate it loads default ruleset") && exit 1) + - name: "Push to ghcr" + run: | if [[ "${EXACT_TAG}" != "" ]]; then - echo "Cross-building and PUSHING!" + echo "Pushing to ghcr.io..." docker buildx build --platform ${PLATFORMS} --push -f docker/Dockerfile . --tag ghcr.io/${GITHUB_REPOSITORY}:${TAG} - else - echo "Cross-building ONLY" - docker buildx build --platform ${PLATFORMS} -f docker/Dockerfile . fi diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index 0b10935..519156a 100644 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh 
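Review bot: The validation line in the new "Run container with default ruleset" step cannot pass as written: `(echo "ERROR: ...") && exit 1)` has an unmatched `)`, the pattern looks for `ruleset2` while docker/entrypoint.sh in this same patch prints `[NOTICE] Using default ruleset...`, and grep reads `[NOTICE]` as a bracket expression rather than literal text. Something like `grep -F "[NOTICE] Using default ruleset" output || { echo "ERROR: unable to validate it loads default ruleset"; exit 1; }` would check what the step name promises. Separately, `EXACT_TAG` is now assigned in the build step but tested in "Push to ghcr", and the `export TAG=...` line appears to be removed; shell variables do not survive between `run:` steps, so the push condition would always see an empty value unless both are written to `$GITHUB_ENV` (e.g. `echo "EXACT_TAG=${EXACT_TAG}" >> "$GITHUB_ENV"`). `docker run --privileged` is also broader than a ruleset smoke test likely needs; if the entrypoint only requires tc/BPF access, a narrower `--cap-add` set is worth trying.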
@@ -5,23 +5,43 @@ set -x N_ATTEMPTS=5 RETRY_DELAY=5 -PROG=tc_sfunnel.o +PROG=/opt/sfunnel/src/tc_sfunnel.o -#Compile eBPF programs +#Compile eBPF program only if rulesset are defined at load time +#either via file or ENV compile(){ - cd /opt/sfunnel - make compile + cd /opt/sfunnel/src + make } #$1: PROG #$2: IFACE load_prog(){ tc qdisc add dev $2 clsact - tc filter add dev $2 ingress bpf da obj /opt/sfunnel/$1 sec funnel verbose + tc filter add dev $2 ingress bpf da obj $1 sec funnel verbose } -#Compile for this specific kernel -#compile +### + +#If SFUNNEL_RULESET is defined, create the file +if [[ "$SFUNNEL_RULESET" != "" ]]; then + echo "[NOTICE] SFUNNEL_RULESET='$SFUNNEL_RULESET'" + echo $FUNNEL_RULESET > /opt/sfunnel/src/ruleset +fi + +#Compile programs, if necessary +if test -f /opt/sfunnel/src/ruleset; then + echo "[NOTICE] Compiling sfunnel with ruleset..." + echo "===" + cat /opt/sfunnel/src/ruleset + echo "===" + compile +else + echo "[NOTICE] Using default ruleset..." + echo "===" + cat /opt/sfunnel/src/ruleset.default + echo "===" +fi #Show ls -la /opt/sfunnel diff --git a/src/.gitignore b/src/.gitignore index 71501e8..168cf8e 100644 --- a/src/.gitignore +++ b/src/.gitignore @@ -1 +1 @@ -rules.h +ruleset.h diff --git a/src/Makefile b/src/Makefile index d0ab536..fa1f70e 100644 --- a/src/Makefile +++ b/src/Makefile @@ -1,9 +1,11 @@ all: compile +FILE := $(or $(wildcard ruleset), ruleset.default) + compile: - python3 ../tools/gen.py rules.default > rules.h + python3 ../tools/gen.py $(FILE) > ruleset.h clang -O2 -Wall -Werror -g -target bpf -c sfunnel.c -o tc_sfunnel.o clean: rm -rf *.o || true - rm -rf rules.h || true + rm -rf ruleset.h || true diff --git a/src/common.h b/src/common.h index 6e054f5..f548201 100644 --- a/src/common.h +++ b/src/common.h @@ -106,6 +106,6 @@ typedef struct sfunnel_ip4_rule { } actions; }sfunnel_ip4_rule_t; -#include "rules.h" +#include "ruleset.h" #endif //FUNNEL_COMMON_H 
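Review bot: The new block tests `$SFUNNEL_RULESET` but writes `$FUNNEL_RULESET` (missing `S`) into /opt/sfunnel/src/ruleset, so the file ends up holding an empty line and the later `test -f` branch compiles that instead of the operator's rules. The expansion is also unquoted, which would fold a multi-line ruleset onto one line and glob-expand any `*` in it; `printf '%s\n' "$SFUNNEL_RULESET" > /opt/sfunnel/src/ruleset` avoids both. `compile()` ignores the exit status of `cd` and `make`, and whether the script runs under `set -e` is not visible in this hunk; if it does not, a ruleset that fails to build would presumably leave a previously built object to be attached by `load_prog`, so `cd /opt/sfunnel/src && make || exit 1` is safer. The script continues beyond the hunk.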
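Review bot: `all`, `compile` and `clean` in src/Makefile are used as command names but the file (the hunk appears to cover all of it) never declares them phony, so a stray file called `compile` in src/ would make the build silently do nothing; add `.PHONY: all compile clean`. The new `FILE` selection changes which rules end up compiled into tc_sfunnel.o depending on whether a `ruleset` file happens to exist, so it deserves a comment such as `# A local 'ruleset' file, if present, overrides ruleset.default`. Since `ruleset.h` is written through a shell redirect, a failing gen.py leaves a truncated header behind; `python3 ../tools/gen.py $(FILE) > ruleset.h.tmp && mv -f ruleset.h.tmp ruleset.h` would avoid that.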
diff --git a/src/rules.default b/src/ruleset.default similarity index 100% rename from src/rules.default rename to src/ruleset.default diff --git a/test/.gitignore b/test/.gitignore index 71501e8..168cf8e 100644 --- a/test/.gitignore +++ b/test/.gitignore @@ -1 +1 @@ -rules.h +ruleset.h diff --git a/test/Makefile b/test/Makefile index fccb775..377399c 100644 --- a/test/Makefile +++ b/test/Makefile @@ -45,8 +45,9 @@ unload: $(QUIET)sudo tc filter del dev veth2 egress || true compile: - $(QUIET)python3 ../tools/gen.py ../src/rules.default > rules.h - $(QUIET)clang -DTEST_TCP_FUNNELING=1 -O2 -Wall -Werror -I. -g -target bpf -c ../src/sfunnel.c -o tc_sfunnel.o + $(QUIET)rm ../src/ruleset.h || true + $(QUIET)python3 ../tools/gen.py ../src/ruleset.default > ruleset.h + $(QUIET)clang -DTEST_TCP_FUNNELING=1 -O2 -Wall -Werror -I./ -g -target bpf -c ../src/sfunnel.c -o tc_sfunnel.o show: $(QUIET)sudo tc filter show dev veth0 ingress
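Review bot: The added `rm ../src/ruleset.h || true` in test/Makefile makes the test build delete a generated file in another directory without saying why. Presumably it is there because `#include "ruleset.h"` in src/common.h is resolved next to common.h before `-I./` is consulted, so a leftover src/ruleset.h would be compiled into the test object instead of the freshly generated one; a comment stating that would help. `rm -f ../src/ruleset.h` expresses "ignore if missing" without the error message and without the `|| true`, which also hides real failures such as a permission error. The Makefile continues outside this hunk.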