mirror of
https://github.com/vincentmli/bpfire.git
synced 2026-04-09 18:45:54 +02:00
commit f0812939ca4f6332d34715673c4fe44fbb1a491b (HEAD -> main, origin/main, origin/HEAD)
Author: Vincent Li <vincent.mc.li@gmail.com>
Date: Mon Nov 3 21:46:30 2025 -0800
tc-basic-classifier: add IFB setup in user space
Add the required kernel modules setup and green0 ingress mirror to ifb0
egress setup in class_filter so it is easier for the user. See [0] for
required kernel modules and ingress shaping. Also change the default BPF
object path to /usr/lib/bpf/class_filter.bpf.o.
[0]: https://std.rocks/gnulinux_network_traffic_control.html
for example:
Complete setup with one command (IFB mirroring + BPF attachment)
./class_filter -i green0 -3 10mbit -I -a -v
Setting up IFB mirroring for ingress traffic shaping on green0
Loading required kernel modules...
Executing: modprobe ifb numifbs=1
Loaded module: ifb numifbs=1
Executing: modprobe sch_fq_codel
Loaded module: sch_fq_codel
Executing: modprobe act_mirred
Loaded module: act_mirred
Executing: modprobe act_connmark
Loaded module: act_connmark
Successfully loaded all required kernel modules
Executing: ip link set dev ifb0 up
Executing: tc qdisc del dev green0 ingress 2>/dev/null
Executing: tc qdisc add dev green0 ingress handle ffff:
Executing: tc filter add dev green0 parent ffff: protocol ip u32 match u32 0 0 action connmark action mirred egress redirect dev ifb0 flowid ffff:1
Successfully setup IFB mirroring:
- Ingress traffic from green0 mirrored to ifb0 egress
Verification - IFB status:
Executing: ip link show ifb0
7: ifb0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc htb state UNKNOWN mode DEFAULT group default qlen 32
link/ether 8e:52:c9:93:13:34 brd ff:ff:ff:ff:ff:ff
TC configuration on green0 ingress:
Executing: tc qdisc show dev green0
qdisc fq_codel 8001: root refcnt 9 limit 10240p flows 1024 quantum 1514 target 5ms interval 100ms memory_limit 32Mb ecn drop_batch 64
qdisc ingress ffff: parent ffff:fff1 ----------------
Executing: tc filter show dev green0 parent ffff:
filter protocol ip pref 49152 u32 chain 0
filter protocol ip pref 49152 u32 chain 0 fh 800: ht divisor 1
filter protocol ip pref 49152 u32 chain 0 fh 800::800 order 2048 key ht 800 bkt 0 flowid ffff:1 not_in_hw
match 00000000/00000000 at 0
action order 1: connmark zone 0 pipe
index 1 ref 1 bind 1
action order 2: mirred (Egress Redirect to device ifb0) stolen
index 1 ref 1 bind 1
Setting up TC qdisc and classes on ifb0 for egress shaping...
Executing: tc qdisc del dev ifb0 root 2>/dev/null
Executing: tc qdisc add dev ifb0 root handle 1:0 htb default 30
Executing: tc class add dev ifb0 parent 1:0 classid 1:1 htb rate 100mbit
Warning: sch_htb: quantum of class 10001 is big. Consider r2q change.
Executing: tc class add dev ifb0 parent 1:1 classid 1:30 htb rate 5mbit ceil 10mbit
Successfully setup TC qdisc and classes on ifb0
TC configuration on ifb0:
Executing: tc qdisc show dev ifb0
qdisc htb 1: root refcnt 2 r2q 10 default 0x30 direct_packets_stat 1 direct_qlen 32
Executing: tc class show dev ifb0
class htb 1:1 root rate 100Mbit ceil 100Mbit burst 1600b cburst 1600b
class htb 1:30 parent 1:1 prio 0 rate 5Mbit ceil 10Mbit burst 1600b cburst 1600b
Automatically attaching BPF program to ifb0 for classification...
Attaching BPF program to ifb0...
Executing: tc filter del dev ifb0 protocol ip parent 1:0 2>/dev/null
Command failed but ignoring (may be normal): tc filter del dev ifb0 protocol ip parent 1:0 2>/dev/null
Executing: tc filter add dev ifb0 protocol ip parent 1:0 bpf obj ./class_filter.bpf.o classid 1: direct-action
Successfully attached BPF program to ifb0 egress (parent 1:0)
BPF maps automatically pinned to /sys/fs/bpf/tc/globals/
Verification:
Executing: tc filter show dev ifb0 parent 1:0
filter protocol ip pref 49152 bpf chain 0
filter protocol ip pref 49152 bpf chain 0 handle 0x1 flowid 1: class_filter.bpf.o:[classifier] direct-action not_in_hw id 100 name cls_filter tag 7163f8c072cf7015 jited
Pinned maps:
Executing: ls -la /sys/fs/bpf/tc/globals/ 2>/dev/null || echo 'No pinned maps found'
total 0
drwx------ 2 root root 0 Nov 3 11:43 .
drwx------ 3 root root 0 Nov 3 11:24 ..
-rw------- 1 root root 0 Nov 3 11:43 cls_filter_ip_trie_map
-rw------- 1 root root 0 Nov 3 11:43 cls_filter_port_map
Complete setup finished:
- IFB mirroring configured on green0 -> ifb0
- TC qdisc and classes setup on ifb0
- BPF classifier attached to ifb0 egress
- Ready for port/IP based traffic classification!
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
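The end state reported in the log above can be audited from the same tc and ls output. The script below is an added example, not part of class_filter or the BPFire tree; its function names are hypothetical, and the sample text is copied from the log above except LOOSE_LS, which is constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of class_filter. Each check parses captured command
# output, so it runs offline; on a live host pipe the real command in, e.g.
#   tc filter show dev green0 parent ffff: | has_mirred_redirect ifb0

# True if ingress filter text on stdin redirects to IFB device $1 via mirred.
has_mirred_redirect() {
    grep -Fq "mirred (Egress Redirect to device $1)"
}

# True if stdin shows a BPF classifier in direct-action mode that was JITed.
has_bpf_direct_action() {
    grep -Eq ' bpf .*direct-action.*jited'
}

# Print pinned-map names from `ls -la` text on stdin that are not owned by
# root or that grant any permission to group/other.
loose_pinned_maps() {
    awk '$1 ~ /^-/ && ($3 != "root" || substr($1, 5, 6) != "------") { print $NF }'
}

# True if the HTB default class named in `tc qdisc show` text ($1) exists in
# `tc class show` text ($2); a missing default class leaves unclassified
# packets unshaped.
htb_default_class_exists() {
    local minor
    minor=$(printf '%s\n' "$1" | sed -n 's/.* default 0x\([0-9a-f]*\).*/\1/p' | head -n 1)
    [ -n "$minor" ] && printf '%s\n' "$2" | grep -Eq "^class htb [0-9a-f]+:$minor "
}

# Sample text copied from the log above, except LOOSE_LS, which is constructed.
FILTER_OUT='action order 2: mirred (Egress Redirect to device ifb0) stolen'
BPF_OUT='filter protocol ip pref 49152 bpf chain 0 handle 0x1 flowid 1: class_filter.bpf.o:[classifier] direct-action not_in_hw id 100 name cls_filter tag 7163f8c072cf7015 jited'
QDISC_OUT='qdisc htb 1: root refcnt 2 r2q 10 default 0x30 direct_packets_stat 1 direct_qlen 32'
CLASS_OUT='class htb 1:1 root rate 100Mbit ceil 100Mbit burst 1600b cburst 1600b
class htb 1:30 parent 1:1 prio 0 rate 5Mbit ceil 10Mbit burst 1600b cburst 1600b'
LS_OUT='-rw------- 1 root root 0 Nov 3 11:43 cls_filter_ip_trie_map
-rw------- 1 root root 0 Nov 3 11:43 cls_filter_port_map'
LOOSE_LS='-rw-r--r-- 1 root root 0 Nov 3 11:43 cls_filter_port_map'

printf '%s\n' "$FILTER_OUT" | has_mirred_redirect ifb0 && echo "ok: green0 ingress -> ifb0"
printf '%s\n' "$BPF_OUT" | has_bpf_direct_action && echo "ok: BPF direct-action attached"
htb_default_class_exists "$QDISC_OUT" "$CLASS_OUT" && echo "ok: HTB default class present"
printf 'loose maps in log sample: [%s]\n' "$(printf '%s\n' "$LS_OUT" | loose_pinned_maps)"
```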
80 lines
3.3 KiB
Plaintext
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2007-2023 IPFire Team <info@ipfire.org>                       #
# Copyright (C) 2024-2025 BPFire <vincent.mc.li@gmail.com>                    #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the                #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program. If not, see <http://www.gnu.org/licenses/>.        #
#                                                                             #
###############################################################################

###############################################################################
# Definitions
###############################################################################

include Config

VER        = 1.5.7.2

THISAPP    = xdp-tools-$(VER)
DL_FILE    = $(THISAPP).tar.gz
DL_FROM    = $(URL_IPFIRE)
DIR_APP    = $(DIR_SRC)/$(THISAPP)
TARGET     = $(DIR_INFO)/$(THISAPP)

###############################################################################
# Top-level Rules
###############################################################################

objects = $(DL_FILE)

$(DL_FILE) = $(DL_FROM)/$(DL_FILE)

$(DL_FILE)_BLAKE2 = 3262f2c34ed70ae06f1262ed629dc50562e1dfe6045db8ee3e6e4fd0540e1ae62009b12dc235a565ee88fc5a1a6ef24fbb3063c694feef37e876ca940954b92c

install : $(TARGET)

check : $(patsubst %,$(DIR_CHK)/%,$(objects))

download :$(patsubst %,$(DIR_DL)/%,$(objects))

b2 : $(subst %,%_BLAKE2,$(objects))

###############################################################################
# Downloading, checking, b2sum
###############################################################################

$(patsubst %,$(DIR_CHK)/%,$(objects)) :
	@$(CHECK)

$(patsubst %,$(DIR_DL)/%,$(objects)) :
	@$(LOAD)

$(subst %,%_BLAKE2,$(objects)) :
	@$(B2SUM)

###############################################################################
# Installation Details
###############################################################################

$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
	@$(PREBUILD)
	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)

	cd $(DIR_APP) && sed -i -e 's/PREFIX?=\/usr\/local/PREFIX?=\/usr/' lib/defines.mk
	cd $(DIR_APP) && ./configure
	cd $(DIR_APP) && make && make install
	@rm -rf $(DIR_APP)
	@$(POSTBUILD)