aya: add support for netkit attachments #1553 (Open)
rcanderson23 wants to merge 2 commits into
Adds support for netkit primary and peer attachments. This refactors the attachments from one that covers tc and tcx and hides the attachment type from the user to one where the user explicitly chooses which attachment they are using. Closes: aya-rs#1540
Adds netkit and ifindex helpers for netkit-related tests. Adds query_netkit to match query_tcx used in integration tests.
mccormickt added a commit to mccormickt/aurae that referenced this pull request (Jun 10, 2026):
…a tcx The daemon now loads the guard-tcx-cell-net classifier once at network init (degrading with a warning when the object is missing — the pre-guard behavior) and activates it per cell inside create_cell_interface: insert the cell's policy/redirect/stats map entries, attach at tc(x) ingress on the netkit primary, and only then move the peer into the cell netns — so a cell can never emit unfiltered traffic. Guard activation failure is fatal for that cell: when the guard exists we never hand out an unguarded interface. cell_interfaces now tracks per-cell state (primary name, ifindex, delegated prefix, owned tc link) instead of just the name, and the new reclaim_cell_interface_sync() detaches the link and removes map entries synchronously so non-async teardown paths can reuse it. Attachment uses aya's stock SchedClassifier, which picks the TCX multi-prog API on kernels >= 6.6. Once aya lands netkit link support (aya-rs/aya#1553) the same program can move to the BPF_NETKIT_PRIMARY/PEER hooks without bytecode changes.
Added/updated tests?
Tests have not been included.