Add the BPF state to flow entries

[AltraMayor]

This pull request adds a BPF state to flow entries. This new state has an associated BPF program to decide on the action that GK blocks must take over the packets of those flows.

BPF states are key to enable policies to have a failsafe mechanism when granted flows misbehave after receiving their capabilities, or to narrowly control the packets in granted flows.

[mengxiang0811]

gk: add BPF programs to struct gk_config

[mengxiang0811]

There is a conflict that needs to be addressed for file lua/examples/policy.lua.

[AltraMayor]

gk: add BPF programs to struct gk_config

[cjdoucette]

These changes are just needed because of the update to the DPDK library that Qiaobin did.

[cjdoucette]

When running Gatekeeper with BPF, I get this error:

resolve_xsym(1): EBPF_PSEUDO_CALL to external function: init_ctx_to_cookie
evaluate: destination is not a pointer at pc: 5
rte_bpf_elf_load(fname="./lua/bpf/granted.bpf", sname="init") failed, error code: 22
GATEKEEPER GK: gk_load_bpf_flow_handler(): file "./lua/bpf/granted.bpf" does not have the BPF program "init"
GATEKEEPER: config: ./lua/gk.lua:114: Failed to load BPF program: ./lua/bpf/granted.bpf
GATEKEEPER: main: failed to configure Gatekeeper

[AltraMayor]

I have not yet addressed the load issue that Cody found, but the code already reflects the other suggestions.

[mengxiang0811]

gk: add the BPF state to flow entries

[mengxiang0811]

ggu: extend protocol to include BPF decisions

[mengxiang0811]

gt: add support to sending BPF policy decisions

[mengxiang0811]

bpf: add the first BPF programs

I cannot comment in the commit messages. There is a typo: granted.pdf should be granted.bpf.

[mengxiang0811]

The commits are out-of-order now, please make them in chronological order.

[mengxiang0811]

gk: add BPF programs to struct gk_config

[AltraMayor]

The code is ready for another review. All suggestions were incorporated and bugs fixed.

In order to test the code, remember to update the submodule DPDK since it has been updated.

Although the patches are in proper order in git, GitHub is having the bug of not showing them in correct order. I guess it has something to do with the fact that I didn't need to edit all patches to incorporate the suggestions. One can find the proper order of the patches as well as verify that the patches are correctly ordered in git here.

[mengxiang0811]

gk: add the BPF state to flow entries

[cjdoucette]

There's a compilation error when using bpf/Makefile:

ubuntu@ip-172-31-0-224:~/gatekeeper/bpf$ make
clang -O2 -m32 -target bpf -I../include -I/home/ubuntu/gatekeeper/dependencies/dpdk/x86_64-native-linuxapp-gcc/include -Wno-int-to-void-pointer-cast -o granted.bpf -c granted.c
In file included from granted.c:25:
In file included from /usr/lib/llvm-6.0/lib/clang/6.0.0/include/stdint.h:61:
/usr/include/stdint.h:26:10: fatal error: 'bits/libc-header-start.h' file not found
#include <bits/libc-header-start.h>
         ^~~~~~~~~~~~~~~~~~~~~~~~~~
1 error generated.
Makefile:17: recipe for target 'granted.bpf' failed
make: *** [granted.bpf] Error 1

It seems to be fixed by installing libc6-dev-i386. Could you add this package requirement to README.md?

[cjdoucette]

I also get this error from gt/main.c when running lookup_simple_policy() in Lua:

GATEKEEPER GT: Error running function `lookup_policy': ./lua/examples/policy.lua:9: attempt to call global 'decision_granted' (a nil value), at lcore 1

I believe this is due to parts of the policy like:

local function dcs_default(policy)
        return decision_granted(policy,
                1024,   -- tx_rate_kb_sec
                300,    -- cap_expire_sec
                240000, -- next_renewal_ms
                3000)   -- renewal_step_ms
end

The reference to decision_granted is nil as it comes from policylib but isn't properly referenced. I tried policylib.c.decision_granted but that doesn't appear to be the right reference either. Any ideas?

Once this bug is solved, we'll need to same kind of fix for the other functions in that file. I'll change the policy to call decision_granted_bpf() instead of decision_granted() to test the BPF code.

[cjdoucette]

Oh, I got it to work by using policylib.decision_granted. So if you could find the other occurrences of this issue in this file and replace them that will solve the issue.

[cjdoucette]

Those are the only two issues for testing: (1) add a package to README.md and (2) add the prefix policylib. where needed in the example policy file lua/examples/policy.lua.

By making small changes to my local code to get past these issues, I was able to use BPF programs on both IPv4 and IPv6 packets to both forward granted packets to the destination and to drop packets at Gatekeeper.