webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-09 18:45:54 +02:00
Code Issues Packages Projects Releases Wiki Activity

xdp-tools: tc-basic-classifier ingress shaping

Browse Source 
commit 9b82374a47906be38eb50f6ee5cc429fc4de4a4c (HEAD -> main, origin/main, origin/HEAD)
Author: Vincent Li <vincent.mc.li@gmail.com>
Date:   Sat Nov 1 09:03:11 2025 -0700

    tc-basic-classifier: add source ip address classification

    For ingress shaping based on local network source address, according to [0] [1], iptables firewallrule mark is used to mark the packet originated from the local network source ip, but with eBPF tc, we can do the eBPF TC classification on the ifb0 interface to eliminate use of iptables, this improves programability and flexibility. so change the tc bpf program to do both destination and source ip classification, the setup is like:

    modprobe ifb numifbs=1
    modprobe sch_fq_codel
    modprobe act_mirred
    modprobe act_connmark

    ip link set ifb0 up

    tc qdisc add dev green0 ingress handle ffff:

    tc filter add dev green0 parent ffff: protocol ip u32 match u32 0 0 action connmark action mirred egress redirect dev ifb0 flowid ffff:1

    ./class_filter -a -b ./class_filter.bpf.o -i ifb0 -v

    Setting up TC qdisc and classes...
    Setting up TC qdisc and classes on ifb0
    Executing: tc qdisc del dev ifb0 root 2>/dev/null
    Command failed but ignoring (may be normal): tc qdisc del dev ifb0 root 2>/dev/null
    Executing: tc qdisc add dev ifb0 root handle 1:0 htb default 30
    Executing: tc class add dev ifb0 parent 1:0 classid 1:1 htb rate 100mbit
    Warning: sch_htb: quantum of class 10001 is big. Consider r2q change.
    Executing: tc class add dev ifb0 parent 1:1 classid 1:30 htb rate 5mbit ceil 20mbit
    Successfully setup TC qdisc and classes on ifb0

    TC qdisc configuration:
    Executing: tc qdisc show dev ifb0
    qdisc htb 1: root refcnt 2 r2q 10 default 0x30 direct_packets_stat 2 direct_qlen 32

    TC classes configuration:
    Executing: tc class show dev ifb0
    class htb 1:1 root rate 100Mbit ceil 100Mbit burst 1600b cburst 1600b
    class htb 1:30 parent 1:1 prio 0 rate 5Mbit ceil 20Mbit burst 1600b cburst 1600b
    Executing: tc filter del dev ifb0 protocol ip parent 1:0 2>/dev/null
    Command failed but ignoring (may be normal): tc filter del dev ifb0 protocol ip parent 1:0 2>/dev/null
    Executing: tc filter add dev ifb0 protocol ip parent 1:0 bpf obj ./class_filter.bpf.o classid 1: direct-action
    Successfully attached BPF program to ifb0 egress (parent 1:0)
    BPF maps automatically pinned to /sys/fs/bpf/tc/globals/
    Verification:
    Executing: tc filter show dev ifb0 parent 1:0
    filter protocol ip pref 49152 bpf chain 0
    filter protocol ip pref 49152 bpf chain 0 handle 0x1 flowid 1: class_filter.bpf.o:[classifier] direct-action not_in_hw id 93 name cls_filter tag 7163f8c072cf7015 jited
    Pinned maps:
    Executing: ls -la /sys/fs/bpf/tc/globals/ 2>/dev/null || echo 'No pinned maps found'
    total 0
    drwx------ 2 root root 0 Nov  1 09:01 .
    drwx------ 3 root root 0 Nov  1 08:01 ..
    -rw------- 1 root root 0 Nov  1 09:01 cls_filter_ip_trie_map
    -rw------- 1 root root 0 Nov  1 09:01 cls_filter_port_map

    BPF program loaded and attached successfully to ifb0 egress
    Default class configured: 1:30 (rate: 5mbit, ceil: 20mbit)

    Use --add-port to create additional classes with rates (supports single ports and ranges).

    ./class_filter -i ifb0 -r 192.168.9.13/32:40:80mbit

    Added TC class: 1:40 (rate: 5mbit, ceil: 80mbit)
    Added IP mapping: 192.168.9.13/32 -> 1:40 (rate: 80mbit)

    ./class_filter -m

    IP Range Mappings:
    CIDR            -> TC_CLASS  (BPF_VALUE)
    ----------------------------------------
    192.168.9.13/32 -> 1:40     (0x40)
    Total: 1 IP range mappings

    tc -g class show dev ifb0

    +---(1:1) htb rate 100Mbit ceil 100Mbit burst 1600b cburst 1600b
         +---(1:40) htb prio 0 rate 5Mbit ceil 80Mbit burst 1600b cburst 1600b
         +---(1:30) htb prio 0 rate 5Mbit ceil 20Mbit burst 1600b cburst 1600b

    on 192.168.9.13:

    root@vincent-iMac:~# iperf3 -t 4 -c 10.0.0.206 -p 8080
    Connecting to host 10.0.0.206, port 8080
    [  5] local 192.168.9.13 port 51072 connected to 10.0.0.206 port 8080
    [ ID] Interval           Transfer     Bitrate         Retr  Cwnd
    [  5]   0.00-1.00   sec  9.63 MBytes  80.8 Mbits/sec    5    119 KBytes
    [  5]   1.00-2.00   sec  9.26 MBytes  77.7 Mbits/sec    7   86.3 KBytes
    [  5]   2.00-3.00   sec  9.20 MBytes  77.1 Mbits/sec    7    116 KBytes
    [  5]   3.00-4.00   sec  8.82 MBytes  74.0 Mbits/sec    2    102 KBytes
    - - - - - - - - - - - - - - - - - - - - - - - - -
    [ ID] Interval           Transfer     Bitrate         Retr
    [  5]   0.00-4.00   sec  36.9 MBytes  77.4 Mbits/sec   21             sender
    [  5]   0.00-4.05   sec  36.5 MBytes  75.6 Mbits/sec                  receiver

    [0]: https://std.rocks/gnulinux_network_traffic_control.html
    [1]: https://wiki.archlinux.org/title/Advanced_traffic_control#Shape_ingress_traffic_on_SNAT

    Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
This commit is contained in:
Vincent Li
2025-11-03 02:56:04 +00:00
parent 0b4a8acd52
commit 101831d1b7
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
lfs/xdp-tools
View File

@@ -25,7 +25,7 @@
include Config
VER = 1.5.7.1
VER = 1.5.7.2
THISAPP = xdp-tools-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -41,7 +41,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_BLAKE2 = 242e7c40faedb527807161c9d4cc32fcb00dee1bf73227d66f6efefd9b36ea6aff64809a2e5b50bdbd58cf8e2407dc8ff2ea65c10ecd01a633ac9e54efbd2e05
$(DL_FILE)_BLAKE2 = 74cf44992416a9a5c8e30985089e651b0b11ffabf192fd3dc066f95420ba27cbba039641fcffe0adbe682cd0d8572c5565980ab9928fad60dadb288a1d44cc08
install : $(TARGET)