第28周:XDP 进阶应用

字数统计: 3k字   |   阅读时长≈ 16分

第28周:XDP 进阶应用

目标:掌握 XDP 高级特性(转发、连接跟踪雏形、DDoS 防护),实现高性能网络应用。

1. XDP_REDIRECT 高级用法

1.1 三种重定向

1
2
3
4
5
6
7
8
9
10
11
12
13
XDP_REDIRECT 支持三种目标:

1. 同网卡的另一个 RX 队列(CPUMAP)
   - 负载均衡到多个 CPU
   - 避免单 CPU 瓶颈

2. 另一个网卡(DEVMAP)
   - 真实网络转发
   - 用于 L3 转发、负载均衡

3. AF_XDP socket(用户态)
   - 零拷贝到用户态
   - 与 DPDK 类似但更轻量

1.2 DEVMAP 实现转发

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
// xdp_forward.bpf.c — 简单的二层转发
#include <linux/bpf.h>
#include <linux/if_ether.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_endian.h>

// 设备映射:key=源 IP, value=目标网卡 index
struct {
    __uint(type, BPF_MAP_TYPE_DEVMAP);
    __uint(max_entries, 8);
    __type(key, u32);
    __type(value, struct bpf_devmap_val);
} dev_map SEC(".maps");

// MAC 表:key=目的 MAC, value=下一跳网卡
struct {
    __uint(type, BPF_MAP_TYPE_LRU_HASH);
    __uint(max_entries, 1024);
    __type(key, struct mac_key);
    __type(value, struct mac_val);
} mac_table SEC(".maps");

struct mac_key {
    u8 dst[6];
    u8 src[6];
    u16 ethertype;
    u16 pad;  // 对齐
} __attribute__((packed));

struct mac_val {
    u32 out_ifindex;
    u8  next_hop_mac[6];
    u8  pad[2];
} __attribute__((packed));

SEC("xdp")
int xdp_forward(struct xdp_md *ctx) {
    void *data = (void *)(long)ctx->data;
    void *data_end = (void *)(long)ctx->data_end;

    struct ethhdr *eth = data;
    if ((void *)(eth + 1) > data_end)
        return XDP_PASS;

    // 查找 MAC 表
    struct mac_key key = {0};
    memcpy(key.dst, eth->h_dest, 6);
    memcpy(key.src, eth->h_source, 6);
    key.ethertype = eth->h_proto;

    struct mac_val *entry = bpf_map_lookup_elem(&mac_table, &key);
    if (!entry) {
        // 未学到 → 泛洪(这里简化:丢弃)
        return XDP_DROP;
    }

    // 重新写入 MAC 地址
    memcpy(eth->h_source, entry->next_hop_mac, 6);
    memcpy(eth->h_dest, entry->next_hop_mac, 6);

    // 重定向到目标网卡
    return bpf_redirect_map(&dev_map, entry->out_ifindex, 0);
}

char LICENSE[] SEC("license") = "GPL";

1.3 CPUMAP 负载均衡

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
// xdp_cpumap.bpf.c — 通过 CPU 转发
#include <linux/bpf.h>
#include <linux/if_ether.h>
#include <bpf/bpf_helpers.h>

// CPU 映射
struct {
    __uint(type, BPF_MAP_TYPE_CPUMAP);
    __uint(max_entries, 8);
    __type(key, u32);
    __type(value, struct bpf_cpumap_val);
} cpu_map SEC(".maps");

SEC("xdp")
int xdp_to_cpu(struct xdp_md *ctx) {
    // 简单的 round-robin
    u32 cpu = bpf_get_smp_processor_id();
    cpu = (cpu + 1) % 8;  // 下一个 CPU

    return bpf_redirect_map(&cpu_map, cpu, 0);
}

2. 连接跟踪雏形

2.1 简单状态机

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
// xdp_conntrack.bpf.c — 简单 TCP 状态跟踪
#include <linux/bpf.h>
#include <linux/if_ether.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <bpf/bpf_helpers.h>

// 连接跟踪条目
struct ct_entry {
    u32 client_ip;
    u32 server_ip;
    u16 client_port;
    u16 server_port;
    u8  state;          // TCP 状态
    u8  flags;          // 记录已见标志
    u64 last_ts;        // 最后活跃时间
};

struct {
    __uint(type, BPF_MAP_TYPE_LRU_HASH);
    __uint(max_entries, 65536);
    __type(key, struct ct_key);
    __type(value, struct ct_entry);
} conntrack SEC(".maps");

struct ct_key {
    u32 src_ip;
    u32 dst_ip;
    u16 src_port;
    u16 dst_port;
} __attribute__((packed));

// TCP 状态常量
#define TCP_NEW         0
#define TCP_SYN_RCVD    1
#define TCP_ESTABLISHED 2
#define TCP_FIN_WAIT    3
#define TCP_CLOSED      4

// 计算时间差
#define CT_TIMEOUT_NS   30000000000ULL  // 30 秒

SEC("xdp")
int xdp_conntrack(struct xdp_md *ctx) {
    void *data = (void *)(long)ctx->data;
    void *data_end = (void *)(long)ctx->data_end;

    struct ethhdr *eth = data;
    if ((void *)(eth + 1) > data_end)
        return XDP_PASS;

    if (eth->h_proto != bpf_htons(ETH_P_IP))
        return XDP_PASS;

    struct iphdr *ip = (void *)(eth + 1);
    if ((void *)(ip + 1) > data_end)
        return XDP_PASS;

    if (ip->protocol != IPPROTO_TCP)
        return XDP_PASS;

    struct tcphdr *tcp = (void *)ip + (ip->ihl * 4);
    if ((void *)(tcp + 1) > data_end)
        return XDP_PASS;

    // 构造 key
    struct ct_key key = {
        .src_ip = ip->saddr,
        .dst_ip = ip->daddr,
        .src_port = tcp->source,
        .dst_port = tcp->dest,
    };

    struct ct_entry *entry = bpf_map_lookup_elem(&conntrack, &key);
    u64 now = bpf_ktime_get_ns();

    if (!entry) {
        // 新连接
        if (!(tcp->syn) || tcp->ack) {
            // 没有 SYN 标志,不应建立连接
            return XDP_DROP;
        }

        // 创建新条目
        struct ct_entry new_entry = {
            .client_ip = ip->saddr,
            .server_ip = ip->daddr,
            .client_port = tcp->source,
            .server_port = tcp->dest,
            .state = TCP_NEW,
            .flags = tcp->syn ? 1 : 0,
            .last_ts = now,
        };
        bpf_map_update_elem(&conntrack, &key, &new_entry, BPF_ANY);
    } else {
        // 已存在连接,更新状态
        entry->last_ts = now;

        // 状态机
        if (entry->state == TCP_NEW && tcp->syn && tcp->ack) {
            entry->state = TCP_SYN_RCVD;
        } else if (entry->state == TCP_SYN_RCVD && tcp->ack) {
            entry->state = TCP_ESTABLISHED;
        } else if (entry->state == TCP_ESTABLISHED && tcp->fin) {
            entry->state = TCP_FIN_WAIT;
        } else if (entry->state == TCP_FIN_WAIT && tcp->fin) {
            entry->state = TCP_CLOSED;
            bpf_map_delete_elem(&conntrack, &key);
        }
    }

    return XDP_PASS;
}

char LICENSE[] SEC("license") = "GPL";

2.2 反向 key(双向跟踪)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
// 同时维护双向连接(5 元组双向)
// 关键:也要按反向 5 元组查找

// 方法 1:插入两个 key
SEC("xdp")
int xdp_ct_two_way(struct xdp_md *ctx) {
    // ... 解析 ...

    // 正向 key
    struct ct_key fwd = {
        .src_ip = ip->saddr, .dst_ip = ip->daddr,
        .src_port = tcp->source, .dst_port = tcp->dest
    };
    // 反向 key(交换 src/dst)
    struct ct_key rev = {
        .src_ip = ip->daddr, .dst_ip = ip->saddr,
        .src_port = tcp->dest, .dst_port = tcp->source
    };

    // 创建新条目(同时插两个 key 指向同一 entry)
    bpf_map_update_elem(&conntrack, &fwd, &entry, BPF_ANY);
    bpf_map_update_elem(&conntrack, &rev, &entry, BPF_ANY);

    return XDP_PASS;
}

3. DDoS 防护:SYN 速率限制

3.1 简单令牌桶

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
// xdp_syn_rate_limit.bpf.c
#include <linux/bpf.h>
#include <linux/if_ether.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_endian.h>

// 速率限制配置
struct {
    __uint(type, BPF_MAP_TYPE_ARRAY);
    __uint(max_entries, 1);
    __type(key, u32);
    __type(value, u32);
} config_ratelimit SEC(".maps");

// 全局 SYN 计数
struct {
    __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
    __uint(max_entries, 4);
    __type(key, u32);
    __type(value, u64);
} syn_stats SEC(".maps");

// 按源 IP 的 token bucket
struct {
    __uint(type, BPF_MAP_TYPE_LRU_HASH);
    __uint(max_entries, 10240);
    __type(key, u32);
    __type(value, u64);  // 上次更新时间
} src_last_time SEC(".maps");

enum {
    STAT_TOTAL_SYN = 0,
    STAT_PASSED = 1,
    STAT_DROPPED = 2,
    STAT_PERCPU = 3,
};

#define MAX_SYN_PER_SEC 100   // 每 IP 每秒最多 100 个 SYN

SEC("xdp")
int xdp_syn_ratelimit(struct xdp_md *ctx) {
    void *data = (void *)(long)ctx->data;
    void *data_end = (void *)(long)ctx->data_end;

    struct ethhdr *eth = data;
    if ((void *)(eth + 1) > data_end)
        return XDP_PASS;

    if (eth->h_proto != bpf_htons(ETH_P_IP))
        return XDP_PASS;

    struct iphdr *ip = (void *)(eth + 1);
    if ((void *)(ip + 1) > data_end)
        return XDP_PASS;

    if (ip->protocol != IPPROTO_TCP)
        return XDP_PASS;

    struct tcphdr *tcp = (void *)ip + (ip->ihl * 4);
    if ((void *)(tcp + 1) > data_end)
        return XDP_PASS;

    // 只处理 SYN
    if (!tcp->syn || tcp->ack)
        return XDP_PASS;

    // 统计总 SYN
    u32 key = STAT_TOTAL_SYN;
    u64 *count = bpf_map_lookup_elem(&syn_stats, &key);
    if (count) (*count)++;

    // 限速(简单的 token bucket)
    u32 src_ip = ip->saddr;
    u64 now = bpf_ktime_get_ns();
    u64 *last = bpf_map_lookup_elem(&src_last_time, &src_ip);

    if (last) {
        // 计算速率
        u64 elapsed_ns = now - *last;
        if (elapsed_ns < 1000000000ULL / MAX_SYN_PER_SEC) {
            // 频率过高 → 丢弃
            key = STAT_DROPPED;
            count = bpf_map_lookup_elem(&syn_stats, &key);
            if (count) (*count)++;
            return XDP_DROP;
        }
        *last = now;
    } else {
        // 第一次
        bpf_map_update_elem(&src_last_time, &src_ip, &now, BPF_ANY);
    }

    key = STAT_PASSED;
    count = bpf_map_lookup_elem(&syn_stats, &key);
    if (count) (*count)++;

    return XDP_PASS;
}

char LICENSE[] SEC("license") = "GPL";

3.2 滑动窗口限速(更精确)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
// 改进:维护一个固定大小的时间窗口
struct {
    __uint(type, BPF_MAP_TYPE_LRU_HASH);
    __uint(max_entries, 10240);
    __type(key, u32);
    __type(value, struct rate_state);
} rate_state SEC(".maps");

struct rate_state {
    u32 count;       // 当前窗口计数
    u64 window_start; // 窗口开始时间
};

// 用户态定期重置窗口
// XDP 端检查:如果 1 秒内超过 100 个 SYN → 丢弃

SEC("xdp")
int xdp_rate_window(struct xdp_md *ctx) {
    // ... 解析到 tcp 头 ...
    if (!tcp->syn || tcp->ack) return XDP_PASS;

    u32 src = ip->saddr;
    u64 now = bpf_ktime_get_ns();
    u64 window_ns = 1000000000ULL;  // 1 秒
    u32 max_per_window = 100;

    struct rate_state *state = bpf_map_lookup_elem(&rate_state, &src);
    if (state) {
        // 检查窗口
        if (now - state->window_start < window_ns) {
            // 在窗口内
            if (state->count >= max_per_window) {
                return XDP_DROP;  // 超过限制
            }
            state->count++;
        } else {
            // 窗口过期,重置
            state->window_start = now;
            state->count = 1;
        }
    } else {
        // 首次访问
        struct rate_state init = {
            .count = 1,
            .window_start = now
        };
        bpf_map_update_elem(&rate_state, &src, &init, BPF_ANY);
    }

    return XDP_PASS;
}

3.3 DDoS 防护综合策略

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
// xdp_anti_ddos.bpf.c
#include <linux/bpf.h>
#include <linux/if_ether.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <bpf/bpf_helpers.h>

// 黑名单
struct {
    __uint(type, BPF_MAP_TYPE_LRU_HASH);
    __uint(max_entries, 1024);
    __type(key, u32);
    __type(value, u64);  // 时间戳
} blacklist SEC(".maps");

// 挑战-响应(cookie)
struct {
    __uint(type, BPF_MAP_TYPE_LRU_HASH);
    __uint(max_entries, 65536);
    __type(key, u32);
    __type(value, u64);
} cookies SEC(".maps");

// 速率限制(按 IP)
struct {
    __uint(type, BPF_MAP_TYPE_LRU_HASH);
    __uint(max_entries, 10240);
    __type(key, u32);
    __type(value, struct rate_state);
} rate_state SEC(".maps");

SEC("xdp")
int xdp_anti_ddos(struct xdp_md *ctx) {
    void *data = (void *)(long)ctx->data;
    void *data_end = (void *)(long)ctx->data_end;

    struct ethhdr *eth = data;
    if ((void *)(eth + 1) > data_end)
        return XDP_PASS;

    if (eth->h_proto != bpf_htons(ETH_P_IP))
        return XDP_PASS;

    struct iphdr *ip = (void *)(eth + 1);
    if ((void *)(ip + 1) > data_end)
        return XDP_PASS;

    if (ip->protocol != IPPROTO_TCP)
        return XDP_PASS;

    struct tcphdr *tcp = (void *)ip + (ip->ihl * 4);
    if ((void *)(tcp + 1) > data_end)
        return XDP_PASS;

    u32 src_ip = ip->saddr;

    // 1. 检查黑名单
    if (bpf_map_lookup_elem(&blacklist, &src_ip)) {
        return XDP_DROP;
    }

    // 2. SYN 限速
    if (tcp->syn && !tcp->ack) {
        // 检查速率
        struct rate_state *state = bpf_map_lookup_elem(&rate_state, &src_ip);
        u64 now = bpf_ktime_get_ns();

        if (state) {
            if (now - state->window_start < 1000000000ULL) {
                if (state->count >= 100) {  // 1 秒 100 个
                    // 加入临时黑名单
                    bpf_map_update_elem(&blacklist, &src_ip, &now, BPF_ANY);
                    return XDP_DROP;
                }
                state->count++;
            } else {
                state->window_start = now;
                state->count = 1;
            }
        } else {
            struct rate_state init = {
                .count = 1,
                .window_start = now
            };
            bpf_map_update_elem(&rate_state, &src_ip, &init, BPF_ANY);
        }

        // 3. SYN Cookie 挑战(简化)
        // 只通过已建立连接的 ACK
        // 真实场景需要 cookie 验证
    }

    return XDP_PASS;
}

char LICENSE[] SEC("license") = "GPL";

4. 实践:XDP 负载均衡

4.1 简单的 L4 负载均衡

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
// xdp_lb.bpf.c
#include <linux/bpf.h>
#include <linux/if_ether.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_endian.h>

// VIP 配置
struct vip {
    u32 vip_ip;
    u16 vip_port;
};

// 后端列表
struct backend {
    u32 ip;
    u16 port;
    u8  weight;
    u8  state;
};

// VIP 表
struct {
    __uint(type, BPF_MAP_TYPE_HASH);
    __uint(max_entries, 16);
    __type(key, u32);  // vip_ip
    __type(value, struct vip);
} vips SEC(".maps");

// 后端池(按 VIP hash 存储)
struct {
    __uint(type, BPF_MAP_TYPE_ARRAY);
    __uint(max_entries, 64);
    __type(key, u32);
    __type(value, struct backend);
} backends SEC(".maps");

// 连接跟踪
struct lb_session {
    u32 client_ip;
    u32 vip_ip;
    u32 backend_ip;
    u16 client_port;
    u16 vip_port;
    u16 backend_port;
    u8  backend_idx;
    u64 last_ts;
};

struct {
    __uint(type, BPF_MAP_TYPE_LRU_HASH);
    __uint(max_entries, 65536);
    __type(key, struct session_key);
    __type(value, struct lb_session);
} sessions SEC(".maps");

struct session_key {
    u32 src_ip;
    u32 dst_ip;
    u16 src_port;
    u16 dst_port;
} __attribute__((packed));

// 简单选择:轮询
static u32 select_backend(u32 vip_ip, u64 now) {
    // 简化:取 vip_ip 哈希
    return (vip_ip ^ (now / 1000000)) % 64;
}

SEC("xdp")
int xdp_lb(struct xdp_md *ctx) {
    void *data = (void *)(long)ctx->data;
    void *data_end = (void *)(long)ctx->data_end;

    struct ethhdr *eth = data;
    if ((void *)(eth + 1) > data_end)
        return XDP_PASS;

    if (eth->h_proto != bpf_htons(ETH_P_IP))
        return XDP_PASS;

    struct iphdr *ip = (void *)(eth + 1);
    if ((void *)(ip + 1) > data_end)
        return XDP_PASS;

    if (ip->protocol != IPPROTO_TCP)
        return XDP_PASS;

    struct tcphdr *tcp = (void *)ip + (ip->ihl * 4);
    if ((void *)(tcp + 1) > data_end)
        return XDP_PASS;

    // 查找 VIP
    struct vip *v = bpf_map_lookup_elem(&vips, &ip->daddr);
    if (!v) return XDP_PASS;

    // 匹配目的端口
    if (v->vip_port != 0 && tcp->dest != bpf_htons(v->vip_port))
        return XDP_PASS;

    // 查找或创建会话
    struct session_key key = {
        .src_ip = ip->saddr,
        .dst_ip = ip->daddr,
        .src_port = tcp->source,
        .dst_port = tcp->dest,
    };

    struct lb_session *sess = bpf_map_lookup_elem(&sessions, &key);
    if (!sess) {
        // 新连接:选后端
        u32 bk_idx = select_backend(ip->daddr, bpf_ktime_get_ns());
        struct backend *bk = bpf_map_lookup_elem(&backends, &bk_idx);
        if (!bk || bk->state == 0) return XDP_DROP;

        // 创建会话
        struct lb_session new_sess = {
            .client_ip = ip->saddr,
            .vip_ip = ip->daddr,
            .backend_ip = bk->ip,
            .client_port = tcp->source,
            .vip_port = tcp->dest,
            .backend_port = bk->port,
            .backend_idx = bk_idx,
            .last_ts = bpf_ktime_get_ns(),
        };
        bpf_map_update_elem(&sessions, &key, &new_sess, BPF_ANY);
        sess = bpf_map_lookup_elem(&sessions, &key);
    }

    if (!sess) return XDP_DROP;

    // DNAT:替换目的 IP
    ip->daddr = sess->backend_ip;
    tcp->dest = bpf_htons(sess->backend_port);

    // 重新计算校验和
    tcp->check = 0;
    ip->check = 0;
    tcp->check = bpf_l4_cksum(skb, ip, sizeof(struct tcphdr));
    ip->check = bpf_csum_diff();

    // (省略 MAC 重写和转发)
    // ...

    return XDP_PASS;
}

char LICENSE[] SEC("license") = "GPL";

5. 高级技巧

5.1 多程序 tail call

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
// 主程序
SEC("xdp")
int xdp_main(struct xdp_md *ctx) {
    // ... 处理 ...

    // 跳转到连接跟踪
    bpf_tail_call(ctx, &progs_array, 0);

    return XDP_PASS;
}

SEC("xdp")
int xdp_track_conn(struct xdp_md *ctx) {
    // 连接跟踪逻辑
    // ...
    return XDP_PASS;
}

SEC("xdp")
int xdp_rate_limit(struct xdp_md *ctx) {
    // 限速
    // ...
    return XDP_PASS;
}

struct {
    __uint(type, BPF_MAP_TYPE_PROG_ARRAY);
    __uint(max_entries, 4);
    __type(key, u32);
    __type(value, u32);
} progs_array SEC(".maps");

5.2 AF_XDP 零拷贝

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
// XDP 端:重定向到 AF_XDP socket
SEC("xdp")
int xdp_to_af_xdp(struct xdp_md *ctx) {
    // 查找匹配的 AF_XDP socket
    // 通过 XSKMAP map 转发到用户态
    u32 key = 0;
    int *fd = bpf_map_lookup_elem(&xsks_map, &key);
    if (fd) {
        return bpf_redirect_map(&xsks_map, key, 0);
    }
    return XDP_PASS;
}

struct {
    __uint(type, BPF_MAP_TYPE_XSKMAP);
    __uint(max_entries, 4);
    __type(key, u32);
    __type(value, int);
} xsks_map SEC(".maps");

5.3 自定义 XDP meta 数据

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
// 添加自定义元数据(XDP 阶段 → SKB 阶段)
SEC("xdp")
int xdp_add_meta(struct xdp_md *ctx) {
    // 调整 meta 区域
    if (bpf_xdp_adjust_meta(ctx, -(int)sizeof(struct custom_meta)) < 0)
        return XDP_PASS;

    // 写入元数据
    void *data_meta = (void *)(long)ctx->data_meta;
    void *data = (void *)(long)ctx->data;

    if (data_meta + sizeof(struct custom_meta) > data)
        return XDP_PASS;

    struct custom_meta *m = data_meta;
    m->timestamp = bpf_ktime_get_ns();
    m->ifindex = ctx->ingress_ifindex;

    return XDP_PASS;  // 传递给内核协议栈
}

6. 性能基准

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
XDP 性能基准(10GbE NIC):

  ┌─────────────┬──────────┬──────────┐
  │ 操作         │ Mpps     │ 延迟     │
  ├─────────────┼──────────┼──────────┤
  │ XDP_DROP     │ 14.8     │ < 100ns  │
  │ XDP_TX       │ 14.8     │ < 200ns  │
  │ XDP_PASS     │ 6-10     │ < 1μs    │
  │ XDP_REDIRECT │ 12-14    │ < 500ns  │
  │ iptables     │ 1-3      │ < 5μs    │
  │ TC           │ 3-5      │ < 3μs    │
  └─────────────┴──────────┴──────────┘

注意:性能受以下影响:
  - 网卡型号
  - CPU 频率
  - Burst size
  - Map 大小
  - 程序复杂度

7. 调试技巧

1
2
3
4
5
6
7
8
9
10
11
// 1. 简单的 printk
bpf_printk("Got packet: %d bytes, port=%d\\n", len, port);

// 2. 通过 map 报告(更好)
// 详见下一节的事件传递

// 3. 通过 perf event array
// 旧方式,性能较差

// 4. 通过 ring buffer(推荐)
// 详见 week27
1
2
3
4
# 用户态调试
sudo bpftool prog tracepoint log id 42
sudo bpftool prog profile id 42 duration 5
sudo cat /sys/kernel/debug/tracing/trace_pipe

谢谢你请我吃糖果

支付宝
微信

扫一扫,分享到微信

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia-plus根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

主要涉及技术:
Java后端开发、Linux开发、
公众号开发、开源爱好者、Linux

联系QQ:562054870