XDP ingress program for the load balancer. Handles incoming packets: parses headers, looks up routing, performs DNAT.
XDP ingress program for the load balancer. Handles incoming packets: parses headers, looks up routing, performs DNAT.
(attach-to-interface prog iface & {:keys [mode] :or {mode :skb}})Attach XDP program to a network interface.
prog: BpfProgram record or program FD iface: Interface name (e.g., "eth0") mode: :skb (generic), :drv (native), or :hw (hardware)
Attach XDP program to a network interface. prog: BpfProgram record or program FD iface: Interface name (e.g., "eth0") mode: :skb (generic), :drv (native), or :hw (hardware)
(attach-to-interfaces prog interfaces & opts)Attach XDP program to multiple interfaces.
Attach XDP program to multiple interfaces.
(build-ipv4-filter-program)Build XDP program that passes IPv4 packets and drops others. Uses clj-ebpf.net primitives for packet parsing.
Build XDP program that passes IPv4 packets and drops others. Uses clj-ebpf.net primitives for packet parsing.
(build-xdp-dnat-program listen-map-fd
config-map-fd
sni-map-fd
conntrack-map-fd
rate-limit-config-fd
rate-limit-src-fd
rate-limit-backend-fd)Build XDP ingress program that performs DNAT on incoming packets.
This program:
Routing priority:
Register allocation: r6 = saved XDP context (callee-saved) r7 = data pointer (callee-saved) r8 = data_end pointer (callee-saved) r9 = IP header pointer / map value ptr (callee-saved) r0-r5 = scratch, clobbered by helpers
Uses clj-ebpf.asm label-based assembly for automatic jump offset resolution.
Build XDP ingress program that performs DNAT on incoming packets. This program: 1. Parses IPv4/TCP or IPv4/UDP packets 2. Applies per-source rate limiting (if configured) 3. For TCP port 443, attempts SNI-based routing (TLS ClientHello parsing) 4. Falls back to listen map lookup by (ifindex, dst_port) 5. Falls back to config map LPM lookup by source IP 6. If match found, applies per-backend rate limiting (if configured) 7. Performs DNAT (rewrites dst IP and port) 8. Updates IP and L4 checksums 9. Creates conntrack entry for TC SNAT to use on reply path 10. Returns XDP_PASS to let kernel routing deliver packet Routing priority: 1. Source IP exact/CIDR match (config map) 2. SNI hostname match (sni map, for TLS traffic) 3. Default target (listen map) Register allocation: r6 = saved XDP context (callee-saved) r7 = data pointer (callee-saved) r8 = data_end pointer (callee-saved) r9 = IP header pointer / map value ptr (callee-saved) r0-r5 = scratch, clobbered by helpers Uses clj-ebpf.asm label-based assembly for automatic jump offset resolution.
(build-xdp-dnat-program-unified listen-map-fd
config-map-fd
sni-map-fd
conntrack-map-fd
rate-limit-config-fd
rate-limit-src-fd
rate-limit-backend-fd)Build unified XDP ingress program that performs DNAT on both IPv4 and IPv6 packets.
This program supports dual-stack operation:
Uses unified map formats:
Register allocation: r6 = saved XDP context (callee-saved) r7 = data pointer (callee-saved) r8 = data_end pointer (callee-saved) r9 = IP header pointer / map value ptr (callee-saved) r0-r5 = scratch, clobbered by helpers
Build unified XDP ingress program that performs DNAT on both IPv4 and IPv6 packets. This program supports dual-stack operation: 1. Parses EtherType and branches for IPv4 or IPv6 2. For IPv4: Parses 20-byte min header, stores addresses in 16-byte unified format 3. For IPv6: Parses fixed 40-byte header 4. Applies NAT using unified maps 5. Updates checksums (IP header checksum for IPv4 only) 6. Creates unified conntrack entries Uses unified map formats: - Listen map key: 8 bytes (ifindex(4) + port(2) + af(1) + pad(1)) - LPM key: 20 bytes (prefix_len(4) + ip(16)) - Route value: 168 bytes (header(8) + 8 targets × 20 bytes each) - Conntrack key: 40 bytes - Conntrack value: 96 bytes Register allocation: r6 = saved XDP context (callee-saved) r7 = data pointer (callee-saved) r8 = data_end pointer (callee-saved) r9 = IP header pointer / map value ptr (callee-saved) r0-r5 = scratch, clobbered by helpers
(build-xdp-ingress-program map-fds)Build the XDP ingress program.
Performs DNAT on incoming packets:
Rate limiting (if configured):
map-fds: Map containing :listen-map, optionally :config-map, :sni-map, :conntrack-map, and rate limit maps
Build the XDP ingress program.
Performs DNAT on incoming packets:
1. For TCP port 443, attempts SNI-based routing (TLS ClientHello parsing)
2. Falls back to listen map lookup by (ifindex, dst_port)
3. Falls back to config map LPM lookup by source IP
4. If match found, rewrites destination IP/port
5. Updates IP and L4 checksums
6. Creates conntrack entry for TC SNAT
7. Returns XDP_PASS to let kernel routing deliver packet
Rate limiting (if configured):
- Per-source: Applied after parsing source IP
- Per-backend: Applied after target selection
map-fds: Map containing :listen-map, optionally :config-map, :sni-map, :conntrack-map,
and rate limit maps(build-xdp-ingress-program-unified map-fds)Build the unified XDP ingress program for IPv4/IPv6 dual-stack.
Performs DNAT on incoming packets:
map-fds: Map containing unified maps from create-all-maps-unified
Build the unified XDP ingress program for IPv4/IPv6 dual-stack. Performs DNAT on incoming packets: 1. Branches on EtherType (IPv4 or IPv6) 2. Looks up listen map by (ifindex, dst_port, af) 3. If match found, rewrites destination IP/port 4. Updates checksums (IP header for IPv4 only, L4 for both) 5. Creates unified conntrack entry 6. Returns XDP_PASS map-fds: Map containing unified maps from create-all-maps-unified
(build-xdp-pass-program)Build a simple XDP program that passes all packets. This is useful for initial testing of program loading/attachment.
Build a simple XDP program that passes all packets. This is useful for initial testing of program loading/attachment.
(detach-from-interface iface & {:keys [mode] :or {mode :skb}})Detach XDP program from an interface.
Detach XDP program from an interface.
(detach-from-interfaces interfaces & opts)Detach XDP program from multiple interfaces.
Detach XDP program from multiple interfaces.
(dump-program-bytecode maps)Dump program bytecode for debugging.
Dump program bytecode for debugging.
(load-program maps)Load the XDP ingress program. Returns a BpfProgram record.
Load the XDP ingress program. Returns a BpfProgram record.
(load-program-unified maps)Load the unified XDP ingress program for IPv4/IPv6 dual-stack. Returns a BpfProgram record.
Load the unified XDP ingress program for IPv4/IPv6 dual-stack. Returns a BpfProgram record.
(verify-program maps)Verify the XDP program can be loaded (dry run). Returns {:valid true} or {:valid false :error <message>}
Verify the XDP program can be loaded (dry run).
Returns {:valid true} or {:valid false :error <message>}(xdp-apply-csum-diff old-csum-reg diff-reg scratch-reg)Apply a checksum difference to an existing checksum. old-csum-reg: Register containing old checksum (16-bit, will be modified) diff-reg: Register containing the difference from csum_diff scratch-reg: Scratch register
Result: old-csum-reg contains new 16-bit checksum
Apply a checksum difference to an existing checksum. old-csum-reg: Register containing old checksum (16-bit, will be modified) diff-reg: Register containing the difference from csum_diff scratch-reg: Scratch register Result: old-csum-reg contains new 16-bit checksum
(xdp-fold-csum csum-reg scratch-reg)Fold a 32-bit checksum to 16 bits in XDP. csum-reg will contain the folded result. scratch-reg is clobbered.
Fold a 32-bit checksum to 16 bits in XDP. csum-reg will contain the folded result. scratch-reg is clobbered.
(xdp-load-data-ptrs-32 data-reg data-end-reg ctx-reg)Load data and data_end pointers from XDP context using 32-bit loads. The kernel requires 32-bit access to xdp_md fields.
data-reg: Register to store data pointer data-end-reg: Register to store data_end pointer ctx-reg: XDP context register (typically :r1)
Load data and data_end pointers from XDP context using 32-bit loads. The kernel requires 32-bit access to xdp_md fields. data-reg: Register to store data pointer data-end-reg: Register to store data_end pointer ctx-reg: XDP context register (typically :r1)
(xdp-update-csum-for-port-change csum-reg old-port-reg new-port-reg scratch-reg)Update checksum for a 2-byte port change. csum-reg: Register containing current checksum (will be modified) old-port-reg: Register containing old port value new-port-reg: Register containing new port value scratch-reg: Scratch register
Uses incremental checksum: new_csum = ~(~old_csum + ~old_val + new_val)
Update checksum for a 2-byte port change. csum-reg: Register containing current checksum (will be modified) old-port-reg: Register containing old port value new-port-reg: Register containing new port value scratch-reg: Scratch register Uses incremental checksum: new_csum = ~(~old_csum + ~old_val + new_val)
cljdoc builds & hosts documentation for Clojure/Script libraries
| Ctrl+k | Jump to recent docs |
| ← | Move to previous article |
| → | Move to next article |
| Ctrl+/ | Jump to the search field |