Docker Community Forums


XDP program does not work well with container's veth


(Eliteelite) #1

I want to load an XDP program onto a container's veth.
First, I created two containers:
docker run -d --name host1 -h host1 exp:v1.0, and
docker run -d --name host2 -h host2 exp:v1.0,
where exp:v1.0 is the image I had created from training/webapp. host1 is now bound to veth02b9ec2 with IP address 172.17.0.2, and host2 to vethf2e33b9 with IP address 172.17.0.3.

My XDP program is as follows:
#include <linux/bpf.h>
#include "bpf_helpers.h"

#define u32 unsigned int
#define u16 unsigned short
#define u64 unsigned long long

/* Return the same verdict for every packet that reaches the hook. */
SEC("test_xdp") int test_xdp_main(struct xdp_md *ctx)
{
    return XDP_DROP;
}

char license[] SEC("license") = "GPL";

which means all the arriving packets will be dropped.

Then I compiled it with clang and loaded it onto veth02b9ec2:
clang -O2 -Wall -target bpf -c test_xdp.c -o test_xdp.o, and
ip link set dev veth02b9ec2 xdp obj test_xdp.o section test_xdp verbose.
The XDP program was successfully loaded on veth02b9ec2.

But when I pinged 172.17.0.3 from host1 (whose IP is 172.17.0.2), it seemed that XDP didn't work at all. However, when I loaded this XDP program on docker0 and pinged 172.17.0.1 or an address outside the container network from host1, the XDP program worked very well and the ping failed.

My iproute2 version is ss180129, clang version is 4.0.0 and docker version is 1.12.6. I hope someone can help me out.
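
An added example, not part of the original post: a narrower variant of the drop-all program above that drops only ICMP echo requests, so other traffic on the interface keeps flowing while the ping test is repeated. The same verdict function builds as an XDP object with clang -target bpf and runs on the host against a constructed frame; the names classify and sample_echo, the frame contents, and the restriction to IPv4 headers without options are assumptions of this example.

```c
/* Added example: narrower verdict than the post's unconditional XDP_DROP. */
#ifdef __bpf__                         /* defined by clang -target bpf */
#include <linux/bpf.h>
#include "bpf_helpers.h"
#else                                  /* host build for offline checking */
#include <stdio.h>
enum { XDP_DROP = 1, XDP_PASS = 2 };   /* same values as linux/bpf.h */
#endif

#define ETH_LEN   14                   /* Ethernet header without VLAN tag */
#define IP_LEN    20                   /* IPv4 header without options */
#define ICMP_ECHO 8                    /* ICMP echo request type */
/* Drop ICMP echo requests, pass everything else. The bounds check against
 * `end` comes before any packet read, as the in-kernel verifier requires. */
static __attribute__((always_inline)) inline int
classify(const unsigned char *data, const unsigned char *end)
{
    const unsigned char *ip = data + ETH_LEN;
    const unsigned char *icmp = ip + IP_LEN;
    if (icmp + 1 > end)                        /* truncated frame */
        return XDP_PASS;
    if (data[12] != 0x08 || data[13] != 0x00)  /* EtherType is not IPv4 */
        return XDP_PASS;
    if (ip[0] != 0x45 || ip[9] != 1)           /* IP options or not ICMP */
        return XDP_PASS;
    return icmp[0] == ICMP_ECHO ? XDP_DROP : XDP_PASS;
}

#ifdef __bpf__
SEC("test_xdp") int test_xdp_main(struct xdp_md *ctx)
{
    return classify((void *)(long)ctx->data, (void *)(long)ctx->data_end);
}
char license[] SEC("license") = "GPL";
#else
/* Constructed frame: echo request 172.17.0.2 -> 172.17.0.3, checksums zeroed. */
static unsigned char sample_echo[42] = {
    0x02,0x42,0xac,0x11,0x00,0x03, 0x02,0x42,0xac,0x11,0x00,0x02, 0x08,0x00,
    0x45,0x00,0x00,0x1c,0x00,0x00,0x40,0x00,0x40,0x01,0x00,0x00,
    0xac,0x11,0x00,0x02, 0xac,0x11,0x00,0x03,
    0x08,0x00,0x00,0x00,0x00,0x01,0x00,0x01,
};
int main(void)
{
    printf("verdict=%d\n", classify(sample_echo, sample_echo + sizeof sample_echo));
    return 0;
}
#endif
```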