1. use tc load BPF Program

Given a tc Compilation of BPF Object file  prog.o, Can pass  tc  Command to load it into a network Network devices （netdevice）. But with XDP Different , Does the device support attach BPF The program does not depend on the driver  （ That is, any network device supports tc BPF）. The following command can convert the program attach To  em1  Of ingress  The Internet ：

$ tc qdisc add dev em1 clsact

$ tc filter add dev em1 ingress bpf da obj prog.o

The first step is to create a  clsact qdisc (Linux Queuing rules ,Linux queueing discipline).

clsact  It's a dummy qdisc, and  ingress qdisc similar , You can hold （hold） Classifier and action （classifier and actions）, But do not perform real queuing （queueing）. Back attach bpf  The classifier needs it .clsact qdisc Two special hook：ingress and egress, Classifiers can attach To these two hook spot . these two items. hook All in datapath Of On the critical transceiver path , equipment  em1  Each package will pass through these two points . these two items. hook They will be separated by the following Kernel function call ：

• ingress hook：__netif_receive_skb_core() -> sch_handle_ingress()
• egress hook：__dev_queue_xmit() -> sch_handle_egress()

  Similarly , Put the program attach To  egress hook：

$ tc filter add dev em1 egress bpf da obj prog.o

 

The second order ,tc filter  Chose to be in  da（direct-action） Use... In mode  bpf.da  yes Recommended mode , And you should always specify this parameter . Roughly speaking ,da  Pattern representation  bpf  The classifier does not need to To call an external  tc action modular . in fact  bpf  The classifier does not need to call external modules at all , because For all the packet mangling、 Forwarding or other types of action Can be here alone BPF Complete within the program , Therefore, the execution will be significantly faster .

After configuring these two commands , The procedure is attach It's done , Next, as long as a package passes through the device , It will trigger This program executes . and XDP similar , If the default is not used section name , That can be specified when loading , example As specified section by  foobar：

$ tc filter add dev em1 egress bpf da obj prog.o sec foobar

View already attach The program ：

 

$ tc filter show dev em1 ingress

filter protocol all pref 49152 bpf

filter protocol all pref 49152 bpf handle 0x1 prog.o:[ingress] direct-action id 1 tag c5f7825e5dac396f

$ tc filter show dev em1 egress

filter protocol all pref 49152 bpf

filter protocol all pref 49152 bpf handle 0x1 prog.o:[egress] direct-action id 2 tag b2fd5adc0f262714

In the output  prog.o:[ingress]  Express section ingress  The program in is from file  prog.o  Add Carried , and  bpf  Working in  direct-action  Pattern . The of the program is also printed on it  id  and  tag, among  tag  It's instruction flow （instruction stream） Hash , It can be associated with the corresponding object file or with perf  Look at the call stack information .id  It is the only one in the operating system layer BPF Program identifier , It can be used  bpftool  Further view or dump Relevant program information .

Program priority （pref） And handle （handle）

Above  show  In command ,tc And printed out  pref 49152  and  handle 0x1. If not before Explicitly specify... From the command line , These two data will be automatically generated .pref  Indicates priority , If multiple points are specified Classer , They will be executed in order of priority from high to low ;handle  Is an identifier , In multiple instances where the same classifier is loaded Instances and their priority （pref） This identifier will be used in the same case . because   stay BPF In the scene of , A single program is enough , therefore  pref  and  handle  Usually you can ignore .

Unless you intend to replace later atoms attached BPF Program , Otherwise, it is not recommended to explicitly specify... When loading  pref  and  handle. The advantage of explicitly specifying these two parameters is , Carry out later  replace  In operation , There's no need to move Query these two values in a state . Explicitly specify  pref  and  handle  Load command at ：

$ tc filter add dev em1 ingress pref 1 handle 1 bpf da obj prog.o sec foobar
 
$ tc filter show dev em1 ingress
filter protocol all pref 1 bpf
filter protocol all pref 1 bpf handle 0x1 prog.o:[foobar] direct-action id 1 tag c5f7825e5dac396f

  The corresponding atom  replace  command ： take  ingress hook Replace the existing program at with  prog.o  In file  foobar section New in BPF Program

$ tc filter replace dev em1 ingress pref 1 handle 1 bpf da obj prog.o sec foobar

2.  use tc Delete BPF Program

We should start from  ingress  and  egress  Delete all attach The program

$ tc filter del dev em1 ingress
$ tc filter del dev em1 egress

From you to netdevice Delete the whole  clsact qdisc（ Will implicitly delete attach To  ingress  and  egress hook All the above programs ）, perform

$ tc qdisc del dev em1 clsact

3. offload To the network card

If the network card driver supports tc BPF Program , Then you can also put them offload To the network card .Netronome Of nfp Network card pair XDP and tc BPF All programs support offload.

$ tc qdisc add dev em1 clsact
$ tc filter replace dev em1 ingress pref 1 handle 1 bpf skip_sw da obj prog.o
Error: TC offload is disabled on net device.
We have an error talking to the kernel

If the above error is explicitly , You need to enable the network card first  hw-tc-offload  function ：

$ ethtool -K em1 hw-tc-offload on
 
$ tc qdisc add dev em1 clsact
$ tc filter replace dev em1 ingress pref 1 handle 1 bpf skip_sw da obj prog.o
$ tc filter show dev em1 ingress
filter protocol all pref 1 bpf
filter protocol all pref 1 bpf handle 0x1 prog.o:[classifier] direct-action skip_sw in_hw id 19 tag 57cd311f2e27366b

Among them  in_hw  The flag indicates that the program has been offload To the network card .

Be careful ,tc and XDP offload Cannot load at the same time , Therefore, it must be indicated that tc still XDP offload Options .