bpf

package
v1.6.10 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 28, 2026 License: Apache-2.0 Imports: 27 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	SETTING_ENABLE_MONITOR uint32 = 1
	SETTING_AUDIT_MODE     uint32 = 2
	SETTING_ENABLED        uint32 = 1
	SETTING_DISABLED       uint32 = 0

	TUNNEL_MODE_NONE   uint32 = 0
	TUNNEL_MODE_GENEVE uint32 = 1
	TUNNEL_MODE_VXLAN  uint32 = 2
)

Variables

View Source 
var (
	// Name of the directory in /sys/fs/bpf that holds the pinned maps/progs
	BPFMountDir = "neuwerk"
)

Functions

This section is empty.

Types

type AuditEvent 

type AuditEvent bpfAuditEvent

type Collection 

type Collection struct {
	IngressProg *ebpf.Program
	EgressProg  *ebpf.Program

	NetworkCIDRs    *ebpf.Map
	IPPortPolicies  *ebpf.Map
	PolicyConfigMap *ebpf.Map
	PktTrack        *ebpf.Map
	MetricsMap      *ebpf.Map
	AuditEvents     *ebpf.Map
	SettingsMap     *ebpf.Map
	FlowState       *ebpf.Map
	SessionMap      *ebpf.Map
	// contains filtered or unexported fields
}

func Load 

func Load(bpffs, ingressDeviceName, egressDeviceName, ingressAddr, mgmtAddr, tunnelMode string) (*Collection, error)

Load loads the BPF programs and maps with default (production) map sizes. For integration tests or memory-constrained environments, use LoadWithMapSizes. mgmtAddr is the management interface address for local traffic bypass (can be same as ingressAddr).

func LoadPinned added in v1.6.9 

func LoadPinned(bpffs string) (*Collection, error)

LoadPinned loads the BPF maps from the pinned path without needing device configuration. This is useful for CLI tools that inspect existing state without reloading programs. Returns a partial Collection with only the maps populated (no programs).

func LoadWithMapSizes added in v1.6.1 

func LoadWithMapSizes(bpffs, ingressDeviceName, egressDeviceName, ingressAddr, mgmtAddr, tunnelMode string, mapSizes MapSizes) (*Collection, error)

LoadWithMapSizes loads the BPF programs and maps with configurable map sizes. Zero values in mapSizes use the defaults compiled into the BPF ELF. ingressAddr is used for SNAT (egress IP in GCP ILB mode). mgmtAddr is used for management subnet bypass (ingress IP, traffic to this /24 passes through).

func (*Collection) ApplyNamedSetting 

func (coll *Collection) ApplyNamedSetting(name string, value uint32) error

func (*Collection) ApplySetting 

func (coll *Collection) ApplySetting(key uint32, value uint32) error

func (*Collection) Attach 

func (coll *Collection) Attach() error

func (*Collection) Close 

func (coll *Collection) Close() error

func (*Collection) GetNamedSetting 

func (coll *Collection) GetNamedSetting(name string) (uint32, error)

func (*Collection) GetPacketCounters 

func (coll *Collection) GetPacketCounters() (*PacketCounters, error)

GetPacketCounters reads packet counters from BPF metrics map

func (*Collection) GetSetting 

func (coll *Collection) GetSetting(key uint32) (uint32, error)

type FlowKey 

type FlowKey bpfFlowKey

type FlowMetadata 

type FlowMetadata bpfFlowMetadata

type MapSizes added in v1.6.1 

type MapSizes struct {
	// FlowState holds tunnel metadata for re-encapsulation (default: 1M entries, ~300MB)
	FlowState uint32
	// SessionMap tracks active sessions for monitoring (default: 500K entries, ~16MB)
	SessionMap uint32
	// PktTrack is the DNS resolver's packet tracking map (default: 16M entries, ~256MB)
	PktTrack uint32
	// AuditRingbuf is the audit event ring buffer (default: 16MB)
	AuditRingbuf uint32
}

MapSizes allows overriding BPF map max_entries at load time. Zero values use the defaults compiled into the BPF ELF.

func DefaultMapSizes added in v1.6.1 

func DefaultMapSizes() MapSizes

DefaultMapSizes returns production-ready map sizes.

func TestMapSizes added in v1.6.1 

func TestMapSizes() MapSizes

TestMapSizes returns reduced map sizes suitable for integration tests. Total memory: ~50MB instead of ~600MB

type NetworkCIDR 

type NetworkCIDR bpfNetworkCidr

type PacketCounters 

type PacketCounters struct {
	Allowed    uint64 `json:"allowed"`
	Blocked    uint64 `json:"blocked"`
	Redirected uint64 `json:"redirected"`
}

PacketCounters holds aggregated packet metrics

type PolicyKey 

type PolicyKey bpfPolicyKey

type ReplicatedSession 

type ReplicatedSession struct {
	// Flow metadata (tunnel info)
	TunnelType     uint8    `json:"tunnel_type"`
	VNI            uint32   `json:"vni"`
	FlowCookie     [8]byte  `json:"flow_cookie"`     // First 8 bytes of GENEVE options
	OuterSrcIP     uint32   `json:"outer_src_ip"`    // Network byte order
	OuterDstIP     uint32   `json:"outer_dst_ip"`    // Network byte order
	OuterSrcMAC    [6]uint8 `json:"outer_src_mac"`   // Ethernet MAC addresses
	OuterDstMAC    [6]uint8 `json:"outer_dst_mac"`   // Ethernet MAC addresses
	OuterSrcPort   uint16   `json:"outer_src_port"`  // UDP port
	OuterDstPort   uint16   `json:"outer_dst_port"`  // UDP port
	IngressIfindex uint32   `json:"ingress_ifindex"` // For GCP hairpin

	// Session state (timestamps only, NO packet counters per CONTEXT.md)
	LastSeenNs uint64 `json:"last_seen_ns"` // Nanoseconds since boot

	// Replication metadata
	NodeID       string `json:"node_id"`
	ReplicatedAt int64  `json:"replicated_at"` // Unix timestamp
}

ReplicatedSession contains minimal session data for replication. Excludes packet/byte counters per CONTEXT.md: "only tunnel metadata is replicated"

type ReplicationStatus 

type ReplicationStatus struct {
	LocalCount     int
	NATSCount      int
	InBoth         int
	OnlyLocal      int
	OnlyNATS       int
	LastSyncTime   time.Time
	ReplicationLag time.Duration
}

ReplicationStatus provides health metrics for session replication.

type SessionInfo 

type SessionInfo struct {
	SrcIP          string
	DstIP          string
	SrcPort        uint16
	DstPort        uint16
	Proto          string
	Age            string
	TunnelType     string
	VNI            uint32
	IngressPackets uint64
	EgressPackets  uint64
	IngressBytes   uint32
	EgressBytes    uint32
}

ListSessions returns all sessions matching filters

type SessionManager 

type SessionManager struct {
	// contains filtered or unexported fields
}

func NewSessionManager 

func NewSessionManager(sessionMap, flowStateMap *ebpf.Map) *SessionManager

func (*SessionManager) ListSessions 

func (sm *SessionManager) ListSessions(srcIPFilter, dstIPFilter string, portFilter uint16) ([]SessionInfo, error)

func (*SessionManager) StartGC 

func (sm *SessionManager) StartGC(ctx context.Context) error

type SessionReplicator 

type SessionReplicator struct {
	// contains filtered or unexported fields
}

SessionReplicator replicates BPF session state to NATS JetStream KV for HA failover. Implements debounced batch replication with periodic backup sync.

func NewSessionReplicator 

func NewSessionReplicator(ctx context.Context, js jetstream.JetStream, sessionMap, flowStateMap *ebpf.Map, nodeID string) (*SessionReplicator, error)

NewSessionReplicator creates a session replicator with NATS KV bucket.

func (*SessionReplicator) Create 

func (r *SessionReplicator) Create(key FlowKey, session SessionState, meta FlowMetadata)

Create replicates a new session immediately (bypasses debounce). Used on session creation to ensure rapid propagation.

func (*SessionReplicator) Delete 

func (r *SessionReplicator) Delete(key FlowKey)

Delete removes a session from NATS KV immediately (bypasses debounce). Used on session deletion (GC cleanup, connection close) for rapid propagation.

func (*SessionReplicator) Flush 

func (r *SessionReplicator) Flush()

Flush immediately writes all pending session updates to NATS KV. Called during graceful shutdown to ensure no data loss.

func (*SessionReplicator) GetStatus 

func (r *SessionReplicator) GetStatus(ctx context.Context) (*ReplicationStatus, error)

GetStatus compares local BPF maps against NATS KV and returns health information. Used for operational observability and troubleshooting replication issues.

func (*SessionReplicator) LoadFromNATS 

func (r *SessionReplicator) LoadFromNATS(ctx context.Context) error

LoadFromNATS eagerly loads all sessions from NATS KV into BPF maps on boot. Per CONTEXT.md: "Wait for session load to complete before registering with load balancer"

func (*SessionReplicator) StartPeriodicSync 

func (r *SessionReplicator) StartPeriodicSync(ctx context.Context, interval time.Duration)

StartPeriodicSync starts a background goroutine that performs periodic full sync. Backup mechanism per RESEARCH.md Pattern to catch missed replication events.

func (*SessionReplicator) Update 

func (r *SessionReplicator) Update(key FlowKey, session SessionState, meta FlowMetadata)

Update stores a session update in pending map and triggers debounced batch write. Multiple updates within 500ms window are coalesced into single NATS write.

type SessionState 

type SessionState bpfSessionState

type TCFilterStatus added in v1.6.9 

type TCFilterStatus struct {
	Interface   string
	Direction   string // "ingress" or "egress"
	FilterName  string
	Attached    bool
	ProgramType string
}

TCFilterStatus represents the attachment status of a TC filter on a network interface

func GetTCStatus added in v1.6.9 

func GetTCStatus() ([]TCFilterStatus, error)

GetTCStatus checks TC filter attachment status on all network interfaces. Returns a list of attached neuwerk TC filters.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.