From: Eric Leblond
Date: Sun, 7 Oct 2018 18:46:45 +0000 (+0200)
Subject: ebpf: document XDP iface redirect
X-Git-Tag: suricata-5.0.0-rc1~394
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bf4381b17bfae9628977abb2b52e31752d729977;p=thirdparty%2Fsuricata.git

ebpf: document XDP iface redirect
---

diff --git a/ebpf/xdp_filter.c b/ebpf/xdp_filter.c
index 597ef4883b..d9c5933a81 100644
--- a/ebpf/xdp_filter.c
+++ b/ebpf/xdp_filter.c
@@ -123,6 +123,9 @@ struct bpf_map_def SEC("maps") cpus_count = {
 };
 #endif
 
+/* Map has only one element as we don't handle any sort of
+ * routing for now. Key value set by user space is 0 and
+ * value is the peer interface. */
 struct bpf_map_def SEC("maps") tx_peer = {
 .type = BPF_MAP_TYPE_DEVMAP,
 .key_size = sizeof(int),
@@ -130,6 +133,9 @@ struct bpf_map_def SEC("maps") tx_peer = {
 .max_entries = 1,
 };
 
+/* single entry to indicate if we have peer, key value
+ * set in user space is 0. It is only used to see if
+ * a interface has a peer we need to send the information to */
 struct bpf_map_def SEC("maps") tx_peer_int = {
 .type = BPF_MAP_TYPE_ARRAY,
 .key_size = sizeof(int),
diff --git a/src/util-ebpf.c b/src/util-ebpf.c
index 2cf48ac451..cb9388a61c 100644
--- a/src/util-ebpf.c
+++ b/src/util-ebpf.c
@@ -675,6 +675,18 @@ void EBPFBuildCPUSet(ConfNode *node, char *iface)
 BPF_ANY);
 }
 
+/**
+ * Setup peer interface in XDP system
+ *
+ * Ths function set up the peer interface in the XDP maps used by the
+ * bypass filter. The first map tx_peer has type device map and is
+ * used to store the peer. The second map tx_peer_int is used by the
+ * code to check if we have a peer defined for this interface.
+ *
+ * As the map are per device we just need maps with one single element.
+ * In both case, we use the key 0 to enter element so XDP kernel code
+ * is using the same key.
+ */
 int EBPFSetPeerIface(const char *iface, const char *out_iface)
 {
 int mapfd = EBPFGetMapFDByName(iface, "tx_peer");
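Review bot: The new comment on `tx_peer` says the value is "the peer interface" without saying in what form. For a `BPF_MAP_TYPE_DEVMAP` the stored value is an interface index, so `value is the ifindex of the peer interface` would be unambiguous. The comment on `tx_peer_int` in the next hunk has the same gap: it does not say what value is stored or how the XDP program reads an unset entry (presumably zero means "no peer, do not redirect", but that is not visible here). Since this entry decides whether bypassed traffic is forwarded out of another interface, the comment should state that meaning explicitly. Both struct definitions run past their hunks and the `.value_size` lines are not shown, so the comments cannot be checked against the declared sizes from this view.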
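Review bot: The docblock added above `EBPFSetPeerIface` describes the two maps but not the function's contract. It does not say that `iface` is the interface whose maps are looked up (as the visible `EBPFGetMapFDByName(iface, "tx_peer")` call shows) and `out_iface` the redirect target, nor what the `int` return means when a map or interface cannot be resolved. Doxygen lines such as `\param iface interface whose XDP maps are updated`, `\param out_iface peer interface packets are redirected to` and a `\retval` line would cover this, with the return values checked against the body, which lies outside this hunk. The prose also has small slips worth fixing in the same pass: `Ths function set up` should be `This function sets up`, `As the map are` should be `As the maps are`, and `In both case` should be `In both cases`.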