[Feature] Add a config option to allow users to disable eBPF programs on interfaces

[aojea]

Since some network plugings like Cilium attach eBPF programts to all interfaces, once a workload claims and interface it may want to get total ownership, so they should be able to express the intent to get the interface in a clean state without the existing eBPF programs. However, there maybe other eBPF programs that people may want to keep (we need to validate this), as some security or monitoring.

Implementation wise it should not be much difficult, we already have logic that allow to get the existing programs attached to both the TC and TCX hooks

dranet/pkg/inventory/net.go

Lines 74 to 119 in 5b1390b

	func getTcFilters(link netlink.Link) ([]string, bool) {
	isTcEBPF := false
	filterNames := sets.Set[string]{}
	for _, parent := range []uint32{netlink.HANDLE_MIN_INGRESS, netlink.HANDLE_MIN_EGRESS} {
	filters, err := netlink.FilterList(link, parent)
	if err == nil {
	for _, f := range filters {
	if bpffFilter, ok := f.(*netlink.BpfFilter); ok {
	isTcEBPF = true
	filterNames.Insert(bpffFilter.Name)
	}
	}
	}
	}
	return filterNames.UnsortedList(), isTcEBPF
	}
	// see https://github.com/cilium/ebpf/issues/1117
	func getTcxFilters(device netlink.Link) ([]string, bool) {
	isTcxEBPF := false
	programNames := sets.Set[string]{}
	for _, attach := range []ebpf.AttachType{ebpf.AttachTCXIngress, ebpf.AttachTCXEgress} {
	result, err := link.QueryPrograms(link.QueryOptions{
	Target: int(device.Attrs().Index),
	Attach: attach,
	})
	if err != nil {
	continue
	}
	isTcxEBPF = true
	for _, p := range result.Programs {
	prog, err := ebpf.NewProgramFromID(p.ID)
	if err != nil {
	continue
	}
	defer prog.Close()
	pi, err := prog.Info()
	if err != nil {
	continue
	}
	programNames.Insert(pi.Name)
	}
	}
	return programNames.UnsortedList(), isTcxEBPF

So it is just deciding on the API

dranet/pkg/apis/types.go

Lines 35 to 65 in 5b1390b

	type InterfaceConfig struct {
	// Name is the desired logical name of the interface inside the Pod (e.g., "net0", "eth_app").
	// If not specified, DraNet may use or derive a name from the original interface.
	Name string `json:"name,omitempty"`
	// Addresses is a list of IP addresses in CIDR format (e.g., "192.168.1.10/24")
	// to be assigned to the interface.
	Addresses []string `json:"addresses,omitempty"`
	// MTU is the Maximum Transmission Unit for the interface.
	MTU *int32 `json:"mtu,omitempty"`
	// HardwareAddr is the MAC address of the interface.
	HardwareAddr *string `json:"hardwareAddr,omitempty"`
	// GSOMaxSize sets the maximum Generic Segmentation Offload size for IPv6.
	// Managed by `ip link set <dev> gso_max_size <val>`. For enabling Big TCP.
	GSOMaxSize *int32 `json:"gsoMaxSize,omitempty"`
	// GROMaxSize sets the maximum Generic Receive Offload size for IPv6.
	// Managed by `ip link set <dev> gro_max_size <val>`. For enabling Big TCP.
	GROMaxSize *int32 `json:"groMaxSize,omitempty"`
	// GSOv4MaxSize sets the maximum Generic Segmentation Offload size.
	// Managed by `ip link set <dev> gso_ipv4_max_size <val>`. For enabling Big TCP.
	GSOIPv4MaxSize *int32 `json:"gsoIPv4MaxSize,omitempty"`
	// GROv4MaxSize sets the maximum Generic Receive Offload size.
	// Managed by `ip link set <dev> gro_ipv4_max_size <val>`. For enabling Big TCP.
	GROIPv4MaxSize *int32 `json:"groIPv4MaxSize,omitempty"`
	}

and then on the corresponding hook, to detach the programs

[aojea]

If someone want to take a look https://github.com/google/dranet/pull/125/files , it is also missing the e2e tests with bats