[vtep] add tun datapath driver + afxdp wrapper (APO-794)#3
Merged
Adds the tun VTEP I/O driver -- the kernel-device overlay for the
backplane/Envoy cluster VTEP -- over the vtep.Datapath/EngineXfrm seam,
plus a thin afxdp wrapper so all three drivers (afxdp/tun/netstack) now
satisfy vtep.Datapath.
The tun driver splices a /dev/net/tun device (overlay, raw L3) to a UDP
underlay through the cross-buffer icx.Handler. The engine emits full
Ethernet+IP+UDP+Geneve frames but the backplane pod has only NET_ADMIN
(no CAP_NET_RAW), so the underlay is a plain UDP socket and the driver
peels the outer headers on TX / synthesizes them on RX -- the same bridge
apoxy-cli's l2pc performs. Structure:
- vtep/tun/datapath.go cross-platform pump core (outbound TUN->engine->UDP,
inbound UDP->engine->TUN, keepalive ToPhy), Run/Close,
static 1280 inner-MTU clamp, owned device+underlay.
- vtep/tun/underlay.go udpUnderlay: peel/synthesize over net.UDPConn.
- vtep/tun/device_linux.go real /dev/net/tun via wireguard/tun + offload disable
+ netlink addr/route/MTU (RouteReplace, idempotent),
behind Open().
- vtep/afxdp/datapath.go wraps forwarder.Forwarder (in-place hot loop untouched)
as vtep.Datapath. cli/main.go is NOT repointed -- pure
addition, node path byte-identical.
Decap is bounded for the worst case (PhyToVirt's AES-GCM Open does not clamp
output to the destination buffer, unlike the APO-667 encap bound), and the
read pumps back off + give up on persistent errors rather than busy-spin.
Tests: unit (peel/synthesize, pump plumbing, lifecycle, config) + integration
(two real handlers exchanging AES-GCM Geneve over a real loopback UDP underlay)
+ an oversized-decap regression + a root-gated real-/dev/net/tun smoke test.
Verified on darwin (race-clean) and on a real linux kernel (full module suite
+ the privileged device path).
Adds golang.zx2c4.com/wireguard (tun device) as a direct dependency.
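The TX peel and RX synthesize step the description refers to, as an added Go example written for this note rather than the PR's own vtep/tun/underlay.go: it assumes IPv4 without options, zero MAC addresses and a zero UDP checksum (which IPv4 permits), and it validates the frame's own length fields before slicing on them, which is the check a decoder on an untrusted path needs.

```go
package main

import (
	"encoding/binary"
	"errors"
	"net"
)

// ipChecksum: ones-complement sum of the 20-byte IPv4 header (checksum field zero).
func ipChecksum(h []byte) uint16 {
	var sum uint32
	for i := 0; i < 20; i += 2 {
		sum += uint32(binary.BigEndian.Uint16(h[i:]))
	}
	for sum>>16 != 0 {
		sum = sum&0xffff + sum>>16
	}
	return ^uint16(sum)
}

// Peel (TX side): strip the outer Ethernet(14)/IPv4(20)/UDP(8) headers from an engine
// frame, returning the UDP payload (Geneve + inner) and the underlay destination.
func Peel(frame []byte) ([]byte, *net.UDPAddr, error) {
	// Require EtherType IPv4, IHL=5 (no options) and protocol UDP before indexing.
	if len(frame) < 42 || binary.BigEndian.Uint16(frame[12:]) != 0x0800 || frame[14] != 0x45 || frame[23] != 17 {
		return nil, nil, errors.New("not a plain IPv4/UDP frame")
	}
	ulen := int(binary.BigEndian.Uint16(frame[38:])) // never trust the UDP length field
	if ulen < 8 || 34+ulen > len(frame) {
		return nil, nil, errors.New("bad UDP length")
	}
	dst := &net.UDPAddr{IP: net.IP(frame[30:34]), Port: int(binary.BigEndian.Uint16(frame[36:]))}
	return frame[42 : 34+ulen], dst, nil
}

// Synthesize (RX side): wrap a datagram from the plain UDP socket in the outer
// headers PhyToVirt expects. MACs are zero; UDP checksum 0 is allowed on IPv4.
func Synthesize(payload []byte, src, dst *net.UDPAddr) []byte {
	f := make([]byte, 42+len(payload))
	binary.BigEndian.PutUint16(f[12:], 0x0800) // EtherType IPv4
	ip, udp := f[14:34], f[34:42]
	ip[0], ip[8], ip[9] = 0x45, 64, 17 // ver/IHL, TTL, proto UDP
	binary.BigEndian.PutUint16(ip[2:], uint16(28+len(payload)))
	copy(ip[12:], src.IP.To4())
	copy(ip[16:], dst.IP.To4())
	binary.BigEndian.PutUint16(ip[10:], ipChecksum(ip))
	binary.BigEndian.PutUint16(udp[0:], uint16(src.Port))
	binary.BigEndian.PutUint16(udp[2:], uint16(dst.Port))
	binary.BigEndian.PutUint16(udp[4:], uint16(8+len(payload)))
	copy(f[42:], payload)
	return f
}
```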
Adds the tun VTEP I/O driver (APO-794) — the kernel-device overlay for the backplane/Envoy cluster VTEP — over the vtep.Datapath/EngineXfrm seam, plus a thin afxdp wrapper so all three drivers (afxdp/tun/netstack) now satisfy vtep.Datapath.

Driver

The tun driver splices a /dev/net/tun device (overlay, raw L3) to a UDP underlay through the cross-buffer icx.Handler. The engine emits full Ethernet+IP+UDP+Geneve frames but the backplane pod has only NET_ADMIN (no CAP_NET_RAW), so the underlay is a plain UDP socket and the driver peels the outer headers on TX / synthesizes them on RX — the same bridge apoxy-cli's l2pc performs.
- vtep/tun/datapath.go — cross-platform pump core (outbound TUN→engine→UDP, inbound UDP→engine→TUN, keepalive ToPhy), Run/Close, static 1280 inner-MTU clamp, owned device+underlay.
- vtep/tun/underlay.go — udpUnderlay: peel/synthesize over net.UDPConn.
- vtep/tun/device_linux.go — real /dev/net/tun via wireguard/tun + offload disable + netlink addr/route/MTU (RouteReplace, idempotent), behind Open().
- vtep/afxdp/datapath.go — wraps forwarder.Forwarder (in-place hot loop untouched) as vtep.Datapath. cli/main.go is not repointed — pure addition, node path byte-identical.

Safety

Decap is bounded for the worst case (PhyToVirt's AES-GCM Open does not clamp output to the destination buffer, unlike the APO-667 encap bound) — found + fixed with a regression that reproduces the original slice bounds out of range panic.

Tests

Unit (peel/synthesize, pump plumbing, lifecycle, config) + integration (two real handlers exchanging AES-GCM Geneve over a real loopback UDP underlay) + an oversized-decap regression + a root-gated real-/dev/net/tun smoke test. Verified on darwin (race-clean) and on a real linux kernel via OrbStack: full module test suite passes, and the privileged device path (Open → CreateTUN → offload-disable → netlink → Run/Close) passes as root. Running on real linux caught the RouteAdd→RouteReplace connected-route collision fixed here.

Adds golang.zx2c4.com/wireguard (tun device) as a direct dependency.

🤖 Generated with Claude Code
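The decap bound described under Safety, as an added example written for this note and not code from the PR or from icx.Handler: a hypothetical decap that sizes its output from the packet (the defect class the regression reproduces) next to one that checks every length against the destination buffer first. The nonce||ciphertext||tag packet layout, the helper names and the AES-GCM key are assumptions for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

const nonceLen = 12 // assumed wire layout: nonce || ciphertext || 16-byte GCM tag

// decapUnbounded mirrors the defect class the PR fixes: the output slice is sized from
// the packet, so a plaintext longer than cap(dst) panics with "slice bounds out of range".
func decapUnbounded(aead cipher.AEAD, dst, pkt []byte) (int, error) {
	nonce, ct := pkt[:nonceLen], pkt[nonceLen:]
	out := dst[:len(ct)-aead.Overhead()] // reslicing past cap(dst) panics here
	if _, err := aead.Open(out[:0], nonce, ct, nil); err != nil {
		return 0, err
	}
	return len(out), nil
}

// decapBounded validates every length against the destination before touching it,
// so an oversized or truncated packet is dropped instead of panicking the pump.
func decapBounded(aead cipher.AEAD, dst, pkt []byte) (int, error) {
	if len(pkt) < nonceLen+aead.Overhead() {
		return 0, errors.New("packet too short")
	}
	nonce, ct := pkt[:nonceLen], pkt[nonceLen:]
	if ptLen := len(ct) - aead.Overhead(); ptLen > cap(dst) {
		return 0, errors.New("decap would exceed destination buffer")
	}
	// Open appends to dst[:0]; with enough capacity it decrypts in place.
	pt, err := aead.Open(dst[:0], nonce, ct, nil)
	return len(pt), err
}

// newGCM builds an AES-GCM AEAD from a caller-supplied key (demo helper).
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // NewGCM only fails for non-standard block sizes
	return g
}
```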