# Copyright 2017-2021 Authors of Cilium
# SPDX-License-Identifier: Apache-2.0

# Build rules for the BPF datapath objects in this directory and for the
# cilium-probe-kernel-hz host helper. Names that are used below but never
# assigned here (CLANG, LLC, CLANG_FLAGS, LLC_FLAGS, LIB, QUIET, ECHO_*,
# SUBMAKEOPTS, BUILD_PERMUTATIONS_DEP, ...) are presumably provided by the two
# included makefiles -- confirm there.

include ../Makefile.defs

.PHONY: all bpf_all build_all subdirs install clean gen_compile_commands

SUBDIRS = sockops custom

# Objects that are built with one fixed option set (no permutation testing).
BPF_SIMPLE = bpf_network.o bpf_alignchecker.o
BPF_SIMPLE_C = $(patsubst %.o,%.c,${BPF_SIMPLE})
BPF_SIMPLE_LL = $(patsubst %.o,%.ll,${BPF_SIMPLE})
BPF_TEST=tests/bpf_ct_tests.o
BPF = bpf_lxc.o bpf_overlay.o bpf_sock.o bpf_host.o bpf_xdp.o $(BPF_SIMPLE)

# Host-side helper binary (built with HOST_CC further down, not with clang/llc).
TARGET=cilium-probe-kernel-hz

# NOTE(review): this default contains literal double quotes. The
# `ifeq ("$(KERNEL)","49")`-style tests below wrap the expansion in quotes
# again, so they match an unquoted KERNEL=49 / KERNEL=netnext coming from the
# command line or environment, but not this quoted default. The
# `$(filter $(KERNEL),"54" "netnext")` tests behave the other way round and
# match only the quoted spelling. The set of datapath features that ends up in
# the MAX_* option sets therefore depends on how KERNEL is spelled -- confirm
# which spelling callers are expected to use.
KERNEL ?= "netnext"

include ./Makefile.bpf

# Everything up to the matching `else` is only active when PKG_BUILD is empty.
ifeq ("$(PKG_BUILD)","")

all: $(TARGET) bpf_all

bpf_all: $(BPF) subdirs

# Re-runs bpf_all with BUILD_PERMUTATIONS=1 so that the per-program recipes
# below also compile every listed option combination.
# `force` is not defined in this file; presumably an always-out-of-date target
# from an included makefile -- confirm.
build_all: force
	@touch $(BUILD_PERMUTATIONS_DEP)
	@$(ECHO_CHECK)/*.c BUILD_PERMUTATIONS=1
	$(QUIET) $(MAKE) $(SUBMAKEOPTS) bpf_all BUILD_PERMUTATIONS=1

# The default is the two-character string "" (quotes included), which keeps the
# shell test `[ $(BUILD_PERMUTATIONS) != "" ]` in the recipes well-formed when
# permutations are disabled.
BUILD_PERMUTATIONS ?= ""

BPF_SIMPLE_OPTIONS += \
    -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_IPSEC=1 -DIP_POOLS=1

ifneq ("$(KERNEL)","49")
BPF_SIMPLE_OPTIONS += -DHAVE_LPM_TRIE_MAP_TYPE -DHAVE_LRU_HASH_MAP_TYPE
endif

# C -> LLVM IR for the simple objects. The source name is derived from $@
# because the rule lists several targets and several prerequisites, so $<
# would not identify the matching .c file.
$(BPF_SIMPLE_LL): $(BPF_SIMPLE_C)
	@$(ECHO_CC)
	$(QUIET) ${CLANG} ${BPF_SIMPLE_OPTIONS} ${CLANG_FLAGS} -c $(patsubst %.ll,%.c,$@) -o $@

# LLVM IR -> BPF object for the simple objects.
$(BPF_SIMPLE): $(BPF_SIMPLE_LL)
	@$(ECHO_CC)
	$(QUIET) ${LLC} ${LLC_FLAGS} -filetype=obj -o $@ $(patsubst %.o,%.ll,$@)

# Hack to get make to replace : with a space
# (`space` expands to a single blank; the recipes use
# $(subst :,=1$(space),...) to turn "-DA:-DB:" into "-DA=1 -DB=1 ".)
null :=
space := ${null} ${null}

# The following option combinations are compile tested
# Each whitespace-separated word is one combination; the ':' separators are
# rewritten to '=1 ' when the word is passed to clang. Only the combinations
# listed in these matrices are exercised by build_all, including the ones that
# cover security-relevant datapath features (IPsec, host firewall, source-range
# checks, prefilter); a combination that is missing here is not compile-tested
# by this file.
LB_OPTIONS = \
    -DSKIP_DEBUG: \
    -DENABLE_IPV4: \
    -DENABLE_IPV4:-DENCAP_IFINDEX:-DTUNNEL_MODE: \
    -DENABLE_IPV4:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_IPV4_FRAGMENTS: \
    -DENABLE_IPV4:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_IPSEC:-DIP_POOLS: \
    -DENABLE_IPV6: \
    -DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE: \
    -DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_IPSEC:-DIP_POOLS: \
    -DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE: \
    -DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_IPSEC:-DIP_POOLS: \
    -DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_HOST_SERVICES_UDP: \
    -DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_HOST_SERVICES_TCP: \
    -DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_IPSEC:-DIP_POOLS:-DENABLE_ENCAP_HOST_REMAP: \
    -DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_HOST_SERVICES_UDP:-DENABLE_NODEPORT: \
    -DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT: \
    -DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP: \
    -DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT: \
    -DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_IPSEC:-DIP_POOLS:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT: \
    -DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_IPSEC:-DIP_POOLS:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT:-DENABLE_NODEPORT_ACCELERATION: \
    -DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_IPSEC:-DIP_POOLS:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_SESSION_AFFINITY: \
    -DENABLE_IPV4:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_IPSEC:-DIP_POOLS:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_SESSION_AFFINITY: \
    -DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_IPSEC:-DIP_POOLS:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_SESSION_AFFINITY: \
    -DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_IPSEC:-DIP_POOLS:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_SESSION_AFFINITY:-DENABLE_SRC_RANGE_CHECK: \
    -DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_IPSEC:-DIP_POOLS:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_SESSION_AFFINITY:-DENABLE_BANDWIDTH_MANAGER: \
    -DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_IPSEC:-DIP_POOLS:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_SESSION_AFFINITY:-DENABLE_BANDWIDTH_MANAGER:-DENABLE_SRC_RANGE_CHECK: \
    -DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_IPSEC:-DIP_POOLS:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_SESSION_AFFINITY:-DENABLE_BANDWIDTH_MANAGER:-DENABLE_SRC_RANGE_CHECK:-DLB_SELECTION:-DLB_SELECTION_MAGLEV: \
    -DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_IPSEC:-DIP_POOLS:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_SESSION_AFFINITY:-DENABLE_BANDWIDTH_MANAGER:-DENABLE_SRC_RANGE_CHECK:-DLB_SELECTION:-DLB_SELECTION_MAGLEV:-DENABLE_SOCKET_LB_HOST_ONLY

# These options are intended to max out the BPF program complexity. it is load
# tested as well.
# MAX_BASE_OPTIONS is the common part; each program below appends its own
# flags to it to form its MAX_*_OPTIONS set.
MAX_BASE_OPTIONS = -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 \
    -DENABLE_HOST_SERVICES_TCP=1 -DENABLE_HOST_SERVICES_UDP=1 \
    -DENABLE_HOST_REDIRECT=1 -DENABLE_ROUTING=1 -DNO_REDIRECT=1 \
    -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 \
    -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1

ifeq ("$(KERNEL)","49")
# IPSec is incompatible with BPF NodePort so we only enable on 4.9.
MAX_BASE_OPTIONS += -DENABLE_IPSEC=1 -DIP_POOLS=1
else
# Every KERNEL value other than 49 gets the NodePort/DSR feature set, which
# means ENABLE_IPSEC is not part of the "max" build for those kernels.
MAX_BASE_OPTIONS += -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 \
    -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 \
    -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 \
    -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 \
    -DENABLE_IPV4_FRAGMENTS=1
ifeq ("$(KERNEL)","54")
MAX_BASE_OPTIONS += -DENABLE_BANDWIDTH_MANAGER=1
else ifeq ("$(KERNEL)","netnext")
# We define ENABLE_CUSTOM_CALLS only for net-next (vs. net-next and 4.19) to work
# around program size issue #15539.
# We define ETH_HLEN only for net-next, as bpf_skb_change_head is non-available
# on 4.{9,19}.
# (-DENABLE_WIREGUARD is the only flag here without an explicit "=1".)
MAX_BASE_OPTIONS += -DENABLE_TPROXY=1 -DENABLE_REDIRECT_FAST=1 -DENABLE_BANDWIDTH_MANAGER=1 \
    -DENABLE_CUSTOM_CALLS=1 -DETH_HLEN=0 -DENABLE_WIREGUARD
endif
endif

# `ifndef` lets a caller supply MAX_LB_OPTIONS and skip this default entirely.
ifndef MAX_LB_OPTIONS
MAX_LB_OPTIONS = $(MAX_BASE_OPTIONS) -DENABLE_NAT46=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1

ifneq ("$(KERNEL)","49")
MAX_LB_OPTIONS += -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1
endif
endif

# When BUILD_PERMUTATIONS is set, every LB_OPTIONS combination is compiled into
# $@ and run through llc with the output discarded; `set -e` stops at the first
# failure. The final clang call then overwrites $@ with the MAX_LB_OPTIONS
# build, which is the one bpf_sock.o is produced from.
bpf_sock.ll: bpf_sock.c $(LIB)
	$(QUIET) set -e; \
	if [ $(BUILD_PERMUTATIONS) != "" ]; then \
		$(foreach OPTS,$(LB_OPTIONS), \
			$(ECHO_CC) " [$(subst :,=1$(space),$(OPTS))]"; \
			${CLANG} $(subst :,=1$(space),$(OPTS)) ${CLANG_FLAGS} -c $< -o $@; \
			${LLC} ${LLC_FLAGS} -o /dev/null $@; ) \
	fi
	@$(ECHO_CC)
	$(QUIET) ${CLANG} ${MAX_LB_OPTIONS} ${CLANG_FLAGS} -c $< -o $@

bpf_sock.o: bpf_sock.ll
	@$(ECHO_CC)
	$(QUIET) ${LLC} ${LLC_FLAGS} -filetype=obj -o $@ $(patsubst %.o,%.ll,$@)

ifndef MAX_OVERLAY_OPTIONS
MAX_OVERLAY_OPTIONS = $(MAX_BASE_OPTIONS) -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1

ifneq ("$(KERNEL)","49")
MAX_OVERLAY_OPTIONS += -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1
endif
endif

# Same scheme as bpf_sock.ll; the overlay program reuses LB_OPTIONS and adds
# -DENCAP_IFINDEX=1 to every combination.
bpf_overlay.ll: bpf_overlay.c $(LIB)
	$(QUIET) set -e; \
	if [ $(BUILD_PERMUTATIONS) != "" ]; then \
		$(foreach OPTS,$(LB_OPTIONS), \
			$(ECHO_CC) " [$(subst :,=1$(space),$(OPTS)) -DENCAP_IFINDEX=1]"; \
			${CLANG} $(subst :,=1$(space),$(OPTS)) -DENCAP_IFINDEX=1 ${CLANG_FLAGS} -c $< -o $@; \
			${LLC} ${LLC_FLAGS} -o /dev/null $@; ) \
	fi
	@$(ECHO_CC)
	$(QUIET) ${CLANG} ${MAX_OVERLAY_OPTIONS} ${CLANG_FLAGS} -c $< -o $@

bpf_overlay.o: bpf_overlay.ll
	@$(ECHO_CC)
	$(QUIET) ${LLC} ${LLC_FLAGS} -filetype=obj -o $@ $(patsubst %.o,%.ll,$@)

# Host program matrix: all of LXC_OPTIONS plus host-specific combinations.
# LXC_OPTIONS is assigned further down; this works because `=` defers the
# expansion until the bpf_host.ll recipe is expanded.
# The entry ending in -DENABLE_EGRESS_GATEWAY has no trailing ':', so that flag
# is passed as a bare -D without "=1" appended.
HOST_OPTIONS = $(LXC_OPTIONS) \
    -DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_HOST_FIREWALL: \
    -DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DPOLICY_VERDICT_NOTIFY:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_HOST_FIREWALL: \
    -DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DPOLICY_VERDICT_NOTIFY:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_DSR: \
    -DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DPOLICY_VERDICT_NOTIFY:-DENABLE_IPSEC:-DIP_POOLS:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_DSR: \
    -DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DPOLICY_VERDICT_NOTIFY:-DENABLE_IPSEC:-DHAVE_FIB_LOOKUP:-DIP_POOLS:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_DSR: \
    -DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DPOLICY_VERDICT_NOTIFY:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT:-DENABLE_MASQUERADE: \
    -DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DPOLICY_VERDICT_NOTIFY:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT:-DENABLE_MASQUERADE:-DENABLE_EGRESS_GATEWAY \
    -DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DPOLICY_VERDICT_NOTIFY:-DENABLE_IPSEC:-DIP_POOLS:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT:-DENABLE_MASQUERADE: \
    -DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DPOLICY_VERDICT_NOTIFY:-DENABLE_IPSEC:-DHAVE_FIB_LOOKUP:-DIP_POOLS:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT:-DENABLE_MASQUERADE: \
    -DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DPOLICY_VERDICT_NOTIFY:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT:-DENABLE_DSR: \
    -DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DPOLICY_VERDICT_NOTIFY:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT:-DENABLE_DSR:-DENABLE_DSR_HYBRID: \
    -DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DPOLICY_VERDICT_NOTIFY:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT:-DENABLE_DSR:-DENABLE_DSR_HYBRID:-DENABLE_HOST_FIREWALL: \
    -DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DPOLICY_VERDICT_NOTIFY:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_DSR:-DENABLE_DSR_HYBRID:-DENABLE_PREFILTER: \
    -DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DPOLICY_VERDICT_NOTIFY:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_DSR:-DENABLE_DSR_HYBRID:-DENABLE_PREFILTER:-DENABLE_HOST_FIREWALL: \
    -DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DPOLICY_VERDICT_NOTIFY:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT:-DENABLE_NODEPORT_ACCELERATION:-DENABLE_DSR:-DENABLE_DSR_HYBRID:-DENABLE_PREFILTER:-DENABLE_SESSION_AFFINITY:-DENABLE_HOST_FIREWALL:

ifndef MAX_HOST_OPTIONS
MAX_HOST_OPTIONS = $(MAX_BASE_OPTIONS) -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1

# Egress Gateway should only be enabled for >= 5.2 kernels
# NOTE(review): the words being filtered carry literal double quotes, so this
# matches only when $(KERNEL) itself contains the quotes (as the default does),
# not a plain KERNEL=54 or KERNEL=netnext -- confirm that is intended.
ifneq (,$(filter $(KERNEL),"54" "netnext"))
MAX_HOST_OPTIONS += -DENABLE_EGRESS_GATEWAY=1
endif
endif

# Same scheme as bpf_sock.ll, driven by HOST_OPTIONS / MAX_HOST_OPTIONS.
bpf_host.ll: bpf_host.c $(LIB)
	$(QUIET) set -e; \
	if [ $(BUILD_PERMUTATIONS) != "" ]; then \
		$(foreach OPTS,$(HOST_OPTIONS), \
			$(ECHO_CC) " [$(subst :,=1$(space),$(OPTS))]"; \
			${CLANG} $(subst :,=1$(space),$(OPTS)) ${CLANG_FLAGS} -c $< -o $@; \
			${LLC} ${LLC_FLAGS} -o /dev/null $@; ) \
	fi
	@$(ECHO_CC)
	$(QUIET) ${CLANG} ${MAX_HOST_OPTIONS} ${CLANG_FLAGS} -c $< -o $@

bpf_host.o: bpf_host.ll
	@$(ECHO_CC)
	$(QUIET) ${LLC} ${LLC_FLAGS} -filetype=obj -o $@ $(patsubst %.o,%.ll,$@)

# XDP program matrix: all of LB_OPTIONS plus XDP-specific combinations.
# The DSR_ENCAP_* entries end in an explicit "=2" instead of a trailing ':',
# so the substitution leaves that value untouched.
XDP_OPTIONS = $(LB_OPTIONS) \
    -DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_DSR:-DFROM_HOST: \
    -DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_IPSEC:-DIP_POOLS:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_DSR:-DFROM_HOST: \
    -DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT:-DENABLE_MASQUERADE: \
    -DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_IPSEC:-DIP_POOLS:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT:-DENABLE_MASQUERADE: \
    -DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT:-DENABLE_DSR: \
    -DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_HOST_SERVICES_UDP:-DENABLE_HOST_SERVICES_TCP:-DENABLE_NODEPORT:-DENABLE_DSR:-DENABLE_DSR_HYBRID: \
    -DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DDSR_ENCAP_MODE:-DDSR_ENCAP_NONE:-DDSR_ENCAP_IPIP=2 \
    -DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DDSR_ENCAP_MODE:-DDSR_ENCAP_IPIP:-DDSR_ENCAP_NONE=2 \
    -DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DENABLE_CAPTURE:-DDSR_ENCAP_MODE:-DDSR_ENCAP_NONE:-DDSR_ENCAP_IPIP=2 \
    -DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DENABLE_CAPTURE:-DDSR_ENCAP_MODE:-DDSR_ENCAP_IPIP:-DDSR_ENCAP_NONE=2

ifndef MAX_XDP_OPTIONS
MAX_XDP_OPTIONS = $(MAX_BASE_OPTIONS) -DENABLE_PREFILTER=1

ifneq ("$(KERNEL)","49")
MAX_XDP_OPTIONS += -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1
endif
endif

# Same scheme as bpf_sock.ll, driven by XDP_OPTIONS / MAX_XDP_OPTIONS.
bpf_xdp.ll: bpf_xdp.c $(LIB)
	$(QUIET) set -e; \
	if [ $(BUILD_PERMUTATIONS) != "" ]; then \
		$(foreach OPTS,$(XDP_OPTIONS), \
			$(ECHO_CC) " [$(subst :,=1$(space),$(OPTS))]"; \
			${CLANG} $(subst :,=1$(space),$(OPTS)) ${CLANG_FLAGS} -c $< -o $@; \
			${LLC} ${LLC_FLAGS} -o /dev/null $@; ) \
	fi
	@$(ECHO_CC)
	$(QUIET) ${CLANG} ${MAX_XDP_OPTIONS} ${CLANG_FLAGS} -c $< -o $@

bpf_xdp.o: bpf_xdp.ll
	@$(ECHO_CC)
	$(QUIET) ${LLC} ${LLC_FLAGS} -filetype=obj -o $@ $(patsubst %.o,%.ll,$@)

# The following option combinations are compile tested
# (container/endpoint program; HOST_OPTIONS above also pulls this list in.)
LXC_OPTIONS = \
    -DALLOW_ICMP_FRAG_NEEDED: \
    -DSKIP_DEBUG: \
    -DHAVE_LPM_TRIE_MAP_TYPE: \
    -DHAVE_LRU_HASH_MAP_TYPE: \
    -DENABLE_IPV4: \
    -DENABLE_IPV6: \
    -DENABLE_IPV4:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DPOLICY_VERDICT_NOTIFY: \
    -DENABLE_IPV4:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DPOLICY_VERDICT_NOTIFY:-DENABLE_IPSEC:-DIP_POOLS: \
    -DENABLE_IPV4:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DPOLICY_VERDICT_NOTIFY:-DHAVE_LPM_TRIE_MAP_TYPE: \
    -DENABLE_IPV4:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DPOLICY_VERDICT_NOTIFY:-DHAVE_LPM_TRIE_MAP_TYPE:-DENABLE_EGRESS_GATEWAY: \
    -DENABLE_IPV4:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DPOLICY_VERDICT_NOTIFY:-DHAVE_LPM_TRIE_MAP_TYPE:-DHAVE_LRU_HASH_MAP_TYPE: \
    -DENABLE_IPV4:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DPOLICY_VERDICT_NOTIFY:-DENABLE_IPV4_FRAGMENTS: \
    -DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DPOLICY_VERDICT_NOTIFY: \
    -DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DPOLICY_VERDICT_NOTIFY:-DENABLE_IPSEC:-DIP_POOLS: \
    -DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DPOLICY_VERDICT_NOTIFY:-DHAVE_LPM_TRIE_MAP_TYPE: \
    -DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DPOLICY_VERDICT_NOTIFY:-DHAVE_LPM_TRIE_MAP_TYPE:-DHAVE_LRU_HASH_MAP_TYPE: \
    -DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DPOLICY_VERDICT_NOTIFY:-DENABLE_IPV4: \
    -DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DPOLICY_VERDICT_NOTIFY:-DENABLE_IPV4:-DENABLE_ROUTING: \
    -DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DPOLICY_VERDICT_NOTIFY:-DENABLE_IPV4:-DENABLE_IPSEC:-DIP_POOLS:-DENABLE_ENCAP_HOST_REMAP: \
    -DENABLE_IPV4:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DPOLICY_VERDICT_NOTIFY:-DENABLE_IPV6:-DHAVE_LPM_TRIE_MAP_TYPE:-DHAVE_LRU_HASH_MAP_TYPE: \
    -DENABLE_IPV4:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DPOLICY_VERDICT_NOTIFY:-DENABLE_IPV6:-DHAVE_LPM_TRIE_MAP_TYPE:-DHAVE_LRU_HASH_MAP_TYPE:-DENABLE_TPROXY: \
    -DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_HOST_REDIRECT:-DENABLE_IPV4:-DENABLE_IPV6:-DPOLICY_VERDICT_NOTIFY: \
    -DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_HOST_REDIRECT:-DENABLE_IPV4:-DENABLE_IPV6:-DPOLICY_VERDICT_NOTIFY:-DENABLE_NAT46: \
    -DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_NODEPORT:-DENABLE_IPV4:-DENABLE_IPV6:-DPOLICY_VERDICT_NOTIFY: \
    -DENCAP_IFINDEX:-DTUNNEL_MODE:-DENABLE_NODEPORT:-DENABLE_DSR:-DENABLE_IPV4:-DENABLE_IPV6:-DPOLICY_VERDICT_NOTIFY: \
    -DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DPOLICY_VERDICT_NOTIFY:-DUSE_BPF_PROG_FOR_INGRESS_POLICY: \
    -DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DHAVE_LPM_TRIE_MAP_TYPE:-DHAVE_LRU_HASH_MAP_TYPE:-DENABLE_TPROXY:-DENABLE_REDIRECT_FAST: \
    -DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DHAVE_LPM_TRIE_MAP_TYPE:-DHAVE_LRU_HASH_MAP_TYPE:-DENABLE_TPROXY:-DENABLE_REDIRECT_FAST:-DENABLE_SKIP_FIB: \
    -DENABLE_IPV4:-DENABLE_IPV6:-DENCAP_IFINDEX:-DTUNNEL_MODE:-DHAVE_LPM_TRIE_MAP_TYPE:-DHAVE_LRU_HASH_MAP_TYPE:-DENABLE_TPROXY:-DENABLE_REDIRECT_FAST:-DENABLE_SKIP_FIB:-DENABLE_WIREGUARD:

# These options are intended to max out the BPF program complexity. it is load
# tested as well.
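# `ifndef` lets a caller supply MAX_LXC_OPTIONS and skip this default entirely.
ifndef MAX_LXC_OPTIONS
MAX_LXC_OPTIONS = $(MAX_BASE_OPTIONS) -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1

# Egress Gateway should only be enabled for >= 5.2 kernels
# NOTE(review): the words being filtered carry literal double quotes, so this
# matches only when $(KERNEL) itself contains the quotes (KERNEL='"54"'), not a
# plain KERNEL=54 or KERNEL=netnext -- confirm that is intended.
ifneq (,$(filter $(KERNEL),"54" "netnext"))
MAX_LXC_OPTIONS += -DENABLE_EGRESS_GATEWAY=1
endif
endif

# When BUILD_PERMUTATIONS is set, every LXC_OPTIONS combination is compiled
# into $@ and run through llc with the output discarded; `set -e` stops at the
# first failure. The final clang call then overwrites $@ with the
# MAX_LXC_OPTIONS build, which is the one bpf_lxc.o is produced from.
bpf_lxc.ll: bpf_lxc.c $(LIB)
	$(QUIET) set -e; \
	if [ $(BUILD_PERMUTATIONS) != "" ]; then \
		$(foreach OPTS,$(LXC_OPTIONS), \
			$(ECHO_CC) " [$(subst :,=1$(space),$(OPTS))]"; \
			${CLANG} $(subst :,=1$(space),$(OPTS)) ${CLANG_FLAGS} -c $< -o $@; \
			${LLC} ${LLC_FLAGS} -o /dev/null $@; ) \
	fi
	@$(ECHO_CC)
	$(QUIET) ${CLANG} ${MAX_LXC_OPTIONS} ${CLANG_FLAGS} -c $< -o $@

bpf_lxc.o: bpf_lxc.ll
	@$(ECHO_CC)
	$(QUIET) ${LLC} ${LLC_FLAGS} -filetype=obj -o $@ $(patsubst %.o,%.ll,$@)

# Conntrack unit-test object. The flags are listed bare and get "=1" appended
# by the patsubst in the recipe.
CT_TEST_OPTIONS = -DENABLE_IPV4 -DENABLE_IPV6 -DENABLE_HOST_REDIRECT -DENABLE_NAT46 \
    -DENABLE_ROUTING -DENABLE_IPSEC -DIP_POOLS -DPOLICY_VERDICT_NOTIFY

tests/bpf_ct_tests.ll: tests/bpf_ct_tests.c $(LIB)
	@$(ECHO_CC)
	$(QUIET) ${CLANG} $(patsubst %,%=1,${CT_TEST_OPTIONS}) ${CLANG_FLAGS} -c $< -o $@

tests/bpf_ct_tests.o: tests/bpf_ct_tests.ll
	@$(ECHO_CC)
	$(QUIET) ${LLC} ${LLC_FLAGS} -filetype=obj -o $@ $(patsubst %.o,%.ll,$@)

# The Go test binary is executed through `-exec sudo`, i.e. with root
# privileges, and loads the freshly built BPF test object. Run this on a
# throwaway VM or CI runner rather than on a shared or production host.
.PHONY: go_prog_test
go_prog_test: $(BPF_TEST)
	$(GO) test -tags privileged_tests -exec sudo ./tests/prog_test

# Builds each sub-directory in turn; the `&&` chain ends in `true` and stops at
# the first sub-make that fails.
subdirs: $(SUBDIRS)
	$(QUIET) $(foreach TARGET,$(SUBDIRS), \
		$(MAKE) $(SUBMAKEOPTS) -C $(TARGET) &&) true

# Other branch of the PKG_BUILD conditional opened near the top of the file:
# build only the host helper, none of the BPF objects.
else

all: $(TARGET)

endif

# Host helper: compiled with the host toolchain, then stripped.
$(TARGET): %: %.c
	@$(ECHO_CC)
	$(QUIET) ${HOST_CC} -Wall -O2 -Wno-format-truncation -I include/ $@.c -o $@
	$(QUIET) ${HOST_STRIP} $@

install:
	$(QUIET)$(INSTALL) -m 0755 $(TARGET) $(DESTDIR)$(BINDIR)

# Neither of these names a file, so declare them phony like the other command
# targets; otherwise a stray file with the same name would mask them.
.PHONY: install-binary install-bash-completion

install-binary: install

install-bash-completion:

# Sub-directory cleans are joined with `;`, so a failing sub-make does not stop
# the clean. Only build products in this directory are removed by the globs.
clean:
	@$(ECHO_CLEAN)
	$(QUIET) $(foreach TARGET,$(SUBDIRS), \
		$(MAKE) $(SUBMAKEOPTS) -C $(TARGET) clean;)
	$(QUIET)rm -fr *.o *.ll *.i *.s
	$(QUIET)rm -f $(TARGET)

BEAR_CLI = $(shell which bear 2> /dev/null)

# Generates a JSON compilation database by running the default build under
# bear. `$$PATH` in single quotes prints the literal text "$PATH"; a single `$`
# would be consumed by make ("$P" followed by "ATH"). The sub-build uses
# $(MAKE) so that it runs the same make binary and inherits its flags.
gen_compile_commands:
ifeq (, $(BEAR_CLI))
	@echo 'bear cli must be in $$PATH to generate json compilation database'
else
	bear -- $(MAKE)
endif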