Design
Software architecture
FPTUN-eBPF uses the Linux eBPF architecture to drive packets from the fast path to the Linux kernel stack.
A dummy virtual interface (fptun0) is created in the current VRF and a tc eBPF filter is attached on egress. The fast path sends packets to this interface using an AF_PACKET/SOCK_RAW socket. Statistics can be shown with the following command:
# tc -s filter show dev fptun0 egress
The FPTUN-eBPF metadata (from the fast path) are stored in a trailer at the end of the packet. The eBPF program reads them (exception type, targeted interface, etc.) from this trailer and removes them before injecting the packet into the Linux stack.
The bpf_redirect() function is used to redirect packets from fptun0 (egress) to the targeted interface (at ingress or egress).
Below is a description of the supported exception types.
FPTUN_ETH_INPUT_EXCEPT
This exception is used to inject an L2 packet into an interface at ingress.
Example of a packet flow for a datagram destined for a local VLAN interface:
eth0 physical in-interface (FPTUN_BASIC_EXCEPT)
--> fp_process_input (FPTUN_BASIC_EXCEPT)
--> fp_ether_input (FPTUN_BASIC_EXCEPT)
--> fp_vlan_input (FPTUN_BASIC_EXCEPT)
--> fp_vlan_bulk_process (FPTUN_BASIC_EXCEPT => FPTUN_ETH_INPUT_EXCEPT)
--> fp_ether_input (FPTUN_ETH_INPUT_EXCEPT)
--> fp_ip_input (FPTUN_ETH_INPUT_EXCEPT)
--> fp_ip_input_demux (FPTUN_ETH_INPUT_EXCEPT)
--> fp_ip_bulk_exception (FPTUN_ETH_INPUT_EXCEPT)
--> fp_send_fptunebpf (FPTUN_ETH_INPUT_EXCEPT)
--> fptun0/egress
--> _tc_fptun_ebpf (FPTUN_ETH_INPUT_EXCEPT)
--> bpf_skb_change_tail (remove fptun-ebpf trailer)
--> bpf_redirect (eth0 / ingress)
--> dev_forward_skb (eth0)
--> netif_rx_internal (eth0)
FPTUN_IFACE_INPUT_EXCEPT
This exception is used to inject an L3 packet into an interface at ingress.
FPTUN_OUTPUT_EXCEPT
This exception is used to inject a packet into an interface at egress.
FPTUN_TAP
This exception is used to inject packets into open AF_PACKET sockets on a specified interface and drop them before they enter the Linux stack. An eBPF program is set up at ingress of the tapped interface. This program drops all packets sent through this exception type. An optional trailer (“FASTPATH OFFLOAD” in ASCII) can be put at the end of the packet. It helps to identify whether packets are tapped in the fast path or in the kernel.
Example of a packet flow for a datagram tapped on an input interface:
eth0 physical in-interface (FPTUN_BASIC_EXCEPT)
--> fp_process_input (FPTUN_BASIC_EXCEPT)
--> fp_tap_bulk (FPTUN_BASIC_EXCEPT)
--> fp_prepare_tap_exception (m_dup / FPTUN_TAP)
--> fp_sp_exception (FPTUN_TAP)
--> fp_send_fptunebpf (FPTUN_TAP)
--> fptun0/egress
--> _tc_fptun_ebpf (FPTUN_TAP)
--> bpf_skb_store_bytes (set trailer to "FASTPATH OFFLOAD")
--> bpf_redirect (eth0 / ingress)
--> dev_forward_skb (eth0)
--> netif_rx_internal (eth0)
--> __netif_receive_skb_core (eth0)
--> deliver_skb (=> AF_PACKET sockets)
--> sch_handle_ingress
--> _tc_fptun_ebpf_tap_drop
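On the capture side, the optional trailer can be used to label each frame read from an AF_PACKET socket. The following is an added example, not code from the product: classify_tap() and sample_frame() are hypothetical names, and it assumes the marker occupies the last 16 bytes of the frame, after the end of the IPv4 datagram, so that a payload that merely ends with the same text is not mistaken for the trailer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TAP_MARK     "FASTPATH OFFLOAD"   /* ASCII marker named on this page */
#define TAP_MARK_LEN 16

enum tap_origin { TAP_KERNEL = 0, TAP_FASTPATH = 1, TAP_UNKNOWN = -1 };

/* Classify one captured Ethernet frame (as read from an AF_PACKET socket). */
enum tap_origin classify_tap(const uint8_t *f, size_t len)
{
    size_t l3 = 14;                       /* Ethernet header length */
    uint16_t etype;
    if (len < l3)
        return TAP_UNKNOWN;
    etype = (uint16_t)(f[12] << 8 | f[13]);
    if (etype == 0x8100) {                /* skip a single 802.1Q tag */
        if (len < 18)
            return TAP_UNKNOWN;
        etype = (uint16_t)(f[16] << 8 | f[17]);
        l3 = 18;
    }
    if (etype != 0x0800 || len < l3 + 20)
        return TAP_UNKNOWN;               /* only IPv4 is handled here */

    size_t ip_len = (size_t)(f[l3 + 2] << 8 | f[l3 + 3]);
    if (ip_len < 20 || l3 + ip_len > len)
        return TAP_UNKNOWN;               /* truncated or malformed frame */
    /* Bytes after the IPv4 datagram are padding or a trailer (assumption:
     * the marker, when present, is the final 16 bytes of the frame). */
    size_t extra = len - (l3 + ip_len);
    if (extra >= TAP_MARK_LEN &&
        memcmp(f + len - TAP_MARK_LEN, TAP_MARK, TAP_MARK_LEN) == 0)
        return TAP_FASTPATH;
    return TAP_KERNEL;
}

/* Constructed sample: IPv4 frame whose 16-byte payload mimics the marker.
 * b must hold at least 66 bytes; returns the frame length. */
size_t sample_frame(uint8_t *b, int trailer)
{
    size_t n = 14 + 20 + 16;
    memset(b, 0, 66);
    b[12] = 0x08; b[13] = 0x00;           /* EtherType IPv4 */
    b[14] = 0x45; b[17] = 36;             /* IHL 5, total length 20 + 16 */
    memcpy(b + 34, TAP_MARK, TAP_MARK_LEN);
    if (trailer) { memcpy(b + n, TAP_MARK, TAP_MARK_LEN); n += TAP_MARK_LEN; }
    return n;
}
```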