mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 18:18:55 +00:00
d9f1b42595
Data has shown that we are doing a significant amount of relaying in userspace because the latency of which candidates establish first matters - if an IPv6 to IPv4 path establishes first, we could often pick that, which would bypass the eBPF relaying altogether. To address this, we now perform address translation when relaying so these paths are covered. Preliminary benchmarking on Azure has shown this performs around ~1.5 Gbps for a single client - gateway path, scaling linearly with the number clients up to the core count. On GCP, performance will be a fraction of that because we need to attach the program in SKB_MODE (generic) based on the fact the `gve` driver there does not support the needed `bpf_xdp_adjust_head` call. To keep the verifier happy (and make the verifier error trace log usable) throughout this large refactor, we unfortunately had to drop down to pointer arithmetic in this process. This however means that we have full control (and visibility) over how the bytes are loaded, stored, and copied. Each struct / abstraction adds a little bit of overhead on the stack which pushed us over the 512-byte limit. Since we are generally loading only one set of packet headers onto the stack to then copy into their new locations, our actual stack usage should be well the 512-byte limit. Further performance analysis is required to push past the current per-core 1.5 Gbps limit. This, along with CI support for integration testing these codepaths is left for a later date as this PR is already quite large and needs to soak test for a bit in a live environment before we push to prod. Fixes #10192