QUIC: ngx_quic_bpf module.

The quic kernel bpf helper inspects packet payload for DCID, extracts key
and routes the packet into socket matching the key.

Due to reuseport feature, each worker owns a personal socket, which is
identified by the same key, used to create DCID.

BPF objects are locked in RAM and are subject to RLIMIT_MEMLOCK.
The "ulimit -l" command may be used to setup proper limits, if maps
cannot be created with EPERM or updated with ETOOLONG.

3 files changed, 61 insertions, 0 deletions

diff --git a/auto/modules b/auto/modules
index 299e245ef..b3a697e71 100644
--- a/auto/modules
+++ b/auto/modules
@@ -1345,6 +1345,22 @@ if [ $USE_OPENSSL$USE_OPENSSL_QUIC = YESYES ]; then
     ngx_module_order=
 
     . auto/module
+
+    if [ $NGX_QUIC_BPF$BPF_FOUND$SO_COOKIE_FOUND = YESYESYES ]; then
+        ngx_module_type=CORE
+        ngx_module_name=ngx_quic_bpf_module
+        ngx_module_incs=
+        ngx_module_deps=
+        ngx_module_srcs="src/event/quic/ngx_event_quic_bpf.c \
+                         src/event/quic/ngx_event_quic_bpf_code.c"
+        ngx_module_libs=
+        ngx_module_link=YES
+        ngx_module_order=
+
+        . auto/module
+
+        have=NGX_QUIC_BPF . auto/have
+    fi
 fi
 
 
diff --git a/auto/options b/auto/options
index ad3583058..d677dd970 100644
--- a/auto/options
+++ b/auto/options
@@ -45,6 +45,8 @@ USE_THREADS=NO
 
 NGX_FILE_AIO=NO
 
+NGX_QUIC_BPF=YES
+
 HTTP=YES
 
 NGX_HTTP_LOG_PATH=
@@ -170,6 +172,7 @@ NGX_GOOGLE_PERFTOOLS=NO
 NGX_CPP_TEST=NO
 
 BPF_FOUND=NO
+SO_COOKIE_FOUND=NO
 
 NGX_LIBATOMIC=NO
 
@@ -216,6 +219,8 @@ do
 
         --with-file-aio)                 NGX_FILE_AIO=YES           ;;
 
+        --without-quic_bpf_module)       NGX_QUIC_BPF=NO            ;;
+
         --with-ipv6)
             NGX_POST_CONF_MSG="$NGX_POST_CONF_MSG
 $0: warning: the \"--with-ipv6\" option is deprecated"
@@ -450,6 +455,8 @@ cat << END
 
   --with-file-aio                    enable file AIO support
 
+  --without-quic_bpf_module          disable ngx_quic_bpf_module
+
   --with-http_ssl_module             enable ngx_http_ssl_module
   --with-http_quic_module            enable ngx_http_quic_module
   --with-http_v2_module              enable ngx_http_v2_module
diff --git a/auto/os/linux b/auto/os/linux
index f257d1afe..4649f7aa8 100644
--- a/auto/os/linux
+++ b/auto/os/linux
@@ -234,3 +234,41 @@ if [ $ngx_found = yes ]; then
     CORE_SRCS="$CORE_SRCS src/core/ngx_bpf.c"
     CORE_DEPS="$CORE_DEPS src/core/ngx_bpf.h"
 fi
+
+
+# SO_COOKIE socket option
+
+ngx_feature="SO_COOKIE"
+ngx_feature_name="NGX_HAVE_SO_COOKIE"
+ngx_feature_run=no
+ngx_feature_incs="#include <sys/socket.h>
+                  #include <stdint.h>"
+ngx_feature_path=
+ngx_feature_libs=
+ngx_feature_test="socklen_t optlen = sizeof(uint64_t);
+              uint64_t cookie;
+              getsockopt(0, SOL_SOCKET, SO_COOKIE, &cookie, &optlen)"
+. auto/feature
+
+if [ $ngx_found = yes ]; then
+    SO_COOKIE_FOUND=YES
+    have=NGX_HAVE_SO_COOKIE . auto/have
+fi
+
+
+# ngx_quic_bpf module uses sockhash to select socket from reuseport group,
+# support appeared in Linux-5.7:
+#
+# commit: 9fed9000c5c6cacfcaaa48aff74818072ae294cc
+# bpf: Allow selecting reuseport socket from a SOCKMAP/SOCKHASH
+#
+if [ $NGX_QUIC_BPF$BPF_FOUND = YESYES ]; then
+    echo $ngx_n "checking for kernel with reuseport/BPF support...$ngx_c"
+    if [ $version -lt 329472 ]; then
+        echo " not found (at least 5.7 is required)"
+        NGX_QUIC_BPF=NO
+    else
+        echo " found"
+    fi
+fi
+