From 6fe7e77f7612ec6895febc7ed1096d08c13408ac Mon Sep 17 00:00:00 2001
From: Thomas Eizinger <thomas@eizinger.io>
Date: Fri, 4 Apr 2025 07:00:29 +0000
Subject: [PATCH] refactor(relay): fail if eBPF offloading is requested but
 fails (#8656)

It happens a bunch of times to me during testing that I'd forget to set
the right interface onto which the eBPF kernel should be loaded and was
wondering why it didn't work. Defaulting to `eth0` wasn't a very smart
decision because it means users cannot disable the eBPF kernel at all
(other than via the feature-flag).

It makes more sense to default to not loading the program at all AND
hard-fail if we are requested to load it but cannot. This allows us to
catch configuration errors early.
---
 rust/relay/server/src/main.rs                   | 17 +++++++++++------
 .../modules/google-cloud/apps/relay/main.tf     |  4 ++++
 2 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/rust/relay/server/src/main.rs b/rust/relay/server/src/main.rs
index 416385bb0..18a670cc6 100644
--- a/rust/relay/server/src/main.rs
+++ b/rust/relay/server/src/main.rs
@@ -82,9 +82,11 @@ struct Args {
     #[arg(long, env, hide = true)]
     google_cloud_project_id: Option<String>,
 
-    /// Which interface to load the eBPF program onto.
-    #[arg(long, env, hide = true, default_value = "eth0")]
-    primary_interface: String,
+    /// Enable offloading of TURN traffic to an eBPF program.
+    ///
+    /// Requires the name of the network interface the XDP program should be loaded onto.
+    #[arg(long, env, hide = true)]
+    ebpf_offloading: Option<String>,
 
     #[command(flatten)]
     health_check: http_health_check::HealthCheckArgs,
@@ -136,9 +138,12 @@ fn main() {
 async fn try_main(args: Args) -> Result<()> {
     setup_tracing(&args)?;
 
-    let mut ebpf = ebpf::Program::try_load(&args.primary_interface)
-        .inspect_err(|e| tracing::info!("Failed to load eBPF TURN router: {e:#}"))
-        .ok();
+    let mut ebpf = args
+        .ebpf_offloading
+        .as_deref()
+        .map(ebpf::Program::try_load)
+        .transpose()
+        .context("Failed to load eBPF TURN router")?;
 
     if let Some(ebpf) = ebpf.as_mut() {
         ebpf.set_config(Config {
diff --git a/terraform/modules/google-cloud/apps/relay/main.tf b/terraform/modules/google-cloud/apps/relay/main.tf
index 8423552c6..e7d7a2bef 100644
--- a/terraform/modules/google-cloud/apps/relay/main.tf
+++ b/terraform/modules/google-cloud/apps/relay/main.tf
@@ -48,6 +48,10 @@ locals {
     {
       name  = "FIREZONE_API_URL"
       value = var.api_url
+    },
+    {
+      name  = "EBPF_OFFLOADING"
+      value = "eth0"
     }
   ], var.application_environment_variables)
 }