Tc

datahangar · Aug 27, 2024 · f6a06c2 · f6a06c2
1 parent 658c408
commit f6a06c2
Show file tree

Hide file tree

Showing 9 changed files with 65 additions and 24 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -63,21 +63,39 @@ jobs:
           username: ${{github.actor}}
           password: ${{secrets.GITHUB_TOKEN}}
 
-      - name: "Build and push to ghcr"
+      - name: "Build container"
         run: |
           #Cross-build
           cd sfunnel
 
-          echo "Fix mess with tags in actions/checkout..."
-          git fetch -f && git fetch -f --tags
-
           export TAG=$(git describe HEAD | sed 's/-.*$//g' | tr -d "v")
           EXACT_TAG=$(git describe --exact-match --match "v*" || echo "")
+          docker buildx build --platform ${PLATFORMS} -t sfunnel --load -f docker/Dockerfile .
+
+      - name: "[TEST] Run container with default ruleset..."
+        run: |
+          docker run --privileged sfunnel:latest > output
+          grep "[NOTICE] Using default ruleset" output || (echo "ERROR: unable to validate it loads default ruleset" && exit 1)
+
+      - name: "[TEST] Run container with custom ruleset file..."
+        run: |
+          RULE="ip saddr 127.0.0.1 udp dport 80 actions unfunnel udp"
+          echo "$RULE" > ruleset
+          docker run --privileged sfunnel:latest -v `pwd`/ruleset:/opt/sfunnel/src/ruleset > output
+          grep "[NOTICE] Compiling sfunnel with custom ruleset" output || (echo "ERROR: unable to validate it loads custom file ruleset" && exit 1)
+          grep "$RULE" output || (echo "ERROR: unable to validate it loads custom file ruleset" && exit 1)
+
+      - name: "[TEST] Run container with custom ruleset via SFUNNEL_RULESET..."
+        run: |
+          RULE="ip saddr 127.0.0.2 udp dport 80 actions unfunnel udp"
+          docker run -e SFUNNEL_RULESET="$RULE" --privileged sfunnel:latest -v `pwd`/ruleset:/opt/sfunnel/src/ruleset > output
+          grep "[NOTICE] SFUNNEL_RULESET='$RULE'" output || (echo "ERROR: unable to validate it loads custom ruleset via SFUNNEL_RULESET" && exit 1)
+          grep "[NOTICE] Compiling sfunnel with custom ruleset" output || (echo "ERROR: unable to validate it loads custom ruleset via SFUNNEL_RULESET" && exit 1)
+          grep "$RULE" output || (echo "ERROR: unable to validate it loads custom ruleset via SFUNNEL_RULESET" && exit 1)
 
+      - name: "Push to ghcr"
+        run: |
           if [[ "${EXACT_TAG}" != "" ]]; then
-            echo "Cross-building and PUSHING!"
+            echo "Pushing to ghcr.io..."
             docker buildx build --platform ${PLATFORMS} --push -f docker/Dockerfile . --tag ghcr.io/${GITHUB_REPOSITORY}:${TAG}
-          else
-            echo "Cross-building ONLY"
-            docker buildx build --platform ${PLATFORMS} -f docker/Dockerfile .
           fi
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -25,5 +25,4 @@ COPY ./docker/entrypoint.sh /opt/sfunnel
 RUN chmod +x /opt/sfunnel/entrypoint.sh && \
 	ln -s /usr/include/x86_64-linux-gnu/asm /usr/include/asm && \
 	cd /opt/sfunnel/src/ && make
-RUN mv /opt/sfunnel/src/tc_sfunnel.o /opt/sfunnel
 ENTRYPOINT ["/opt/sfunnel/entrypoint.sh"]
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
@@ -5,26 +5,47 @@ set -x
 
 N_ATTEMPTS=5
 RETRY_DELAY=5
-PROG=tc_sfunnel.o
+PROG=/opt/sfunnel/src/tc_sfunnel.o
 
-#Compile eBPF programs
+#Compile eBPF program only if rulesset are defined at load time
+#either via file or ENV
 compile(){
-	cd /opt/sfunnel
-	make compile
+	cd /opt/sfunnel/src
+	make
 }
 
 #$1: PROG
 #$2: IFACE
 load_prog(){
 	tc qdisc add dev $2 clsact
-	tc filter add dev $2 ingress bpf da obj /opt/sfunnel/$1 sec funnel verbose
+	tc filter add dev $2 ingress bpf da obj $1 sec funnel verbose
 }
 
-#Compile for this specific kernel
-#compile
+###
+
+#If SFUNNEL_RULESET is defined, create the file
+if [[ "$SFUNNEL_RULESET" != "" ]]; then
+	echo "[NOTICE] SFUNNEL_RULESET='$SFUNNEL_RULESET'"
+	echo $FUNNEL_RULESET > /opt/sfunnel/src/ruleset
+fi
+
+#Compile sfunnel only if new ruleset is specified
+if test -f /opt/sfunnel/src/ruleset; then
+	echo "[NOTICE] Compiling sfunnel with ruleset..."
+	echo "==="
+	cat /opt/sfunnel/src/ruleset
+	echo "==="
+	compile
+else
+	echo "[NOTICE] Using default ruleset..."
+	echo "==="
+	cat /opt/sfunnel/src/ruleset.default
+	echo "==="
+fi
 
 #Show
-ls -la /opt/sfunnel
+ls /opt/sfunnel
+ls /opt/sfunnel/src
 
 #Load
 for IFACE in $(ls /sys/class/net); do

diff --git a/src/.gitignore b/src/.gitignore
@@ -1 +1 @@
-rules.h
+ruleset.h
diff --git a/src/Makefile b/src/Makefile
@@ -1,9 +1,11 @@
 all: compile
 
+FILE := $(or $(wildcard ruleset), ruleset.default)
+
 compile:
-	python3 ../tools/gen.py rules.default > rules.h
+	python3 ../tools/gen.py $(FILE) > ruleset.h
 	clang -O2 -Wall -Werror -g -target bpf -c sfunnel.c -o tc_sfunnel.o
 
 clean:
 	rm -rf *.o || true
-	rm -rf rules.h || true
+	rm -rf ruleset.h || true
diff --git a/src/common.h b/src/common.h
@@ -106,6 +106,6 @@ typedef struct sfunnel_ip4_rule {
 	} actions;
 }sfunnel_ip4_rule_t;
 
-#include "rules.h"
+#include "ruleset.h"
 
 #endif //FUNNEL_COMMON_H
diff --git a/src/rules.default → src/ruleset.default b/src/rules.default → src/ruleset.default
diff --git a/test/.gitignore b/test/.gitignore
@@ -1 +1 @@
-rules.h
+ruleset.h
diff --git a/test/Makefile b/test/Makefile
@@ -45,8 +45,9 @@ unload:
 	$(QUIET)sudo tc filter del dev veth2 egress || true
 
 compile:
-	$(QUIET)python3 ../tools/gen.py ../src/rules.default > rules.h
-	$(QUIET)clang -DTEST_TCP_FUNNELING=1 -O2 -Wall -Werror -I. -g -target bpf -c ../src/sfunnel.c -o tc_sfunnel.o
+	$(QUIET)rm ../src/ruleset.h || true
+	$(QUIET)python3 ../tools/gen.py ../src/ruleset.default > ruleset.h
+	$(QUIET)clang -DTEST_TCP_FUNNELING=1 -O2 -Wall -Werror -I./ -g -target bpf -c ../src/sfunnel.c -o tc_sfunnel.o
 
 show:
 	$(QUIET)sudo tc filter show dev veth0 ingress