net: implement a backend for tap devices

Implement a new backend that allows network interfaces to use a tap
device on the host to read/write frames.

Signed-off-by: Sergio Lopez <[email protected]>

Author: slp

include/libkrun.h

@@ -370,6 +370,36 @@ int32_t krun_add_net_unixgram(uint32_t ctx_id,
                               uint32_t features,
                               uint32_t flags);
 
+/**
+ * Adds an independent virtio-net device with the tap backend.
+ * Call to this function disables TSI backend.
+
+ * The "krun_add_net_*" functions can be called multiple times for
+ * adding multiple virtio-net devices. In the guest the interfaces
+ * will appear in the same order as they are added (that is, the
+ * first added interface will be "eth0", the second "eth1"...)
+ *
+ * Arguments:
+ *  "ctx_id"      - the configuration context ID.
+ *  "c_tap_name"  - a null-terminated string representing the tap
+ *                  device name.
+ *  "c_mac"       - MAC address as an array of 6 uint8_t entries.
+ *  "features"    - virtio-net features for the network interface.
+ *  "flags"       - generic flags for the network interface.
+ *
+ * Notes:
+ * If no network devices are added, networking uses the TSI backend.
+ * This function should be called before krun_set_port_map.
+ *
+ * Returns:
+ *  Zero on success or a negative error number on failure.
+ */
+int32_t krun_add_net_tap(uint32_t ctx_id,
+                         char *c_tap_name,
+                         uint8_t *const c_mac,
+                         uint32_t features,
+                         uint32_t flags);
+
 /**
  * DEPRECATED. Use krun_add_net_unixstream instead.
  *

src/devices/src/virtio/net/backend.rs

@@ -1,3 +1,4 @@
+use std::io;
 use std::os::fd::RawFd;
 
 #[allow(dead_code)]
@@ -7,6 +8,11 @@ pub enum ConnectError {
     CreateSocket(nix::Error),
     Binding(nix::Error),
     SendingMagic(nix::Error),
+    // Tap backend errors.
+    OpenNetTun(io::Error),
+    TunSetIff(io::Error),
+    TunSetVnetHdrSz(io::Error),
+    TunSetOffload(io::Error),
 }
 
 #[allow(dead_code)]

src/devices/src/virtio/net/device.rs

@@ -65,6 +65,8 @@ pub enum VirtioNetBackend {
     UnixstreamPath(PathBuf),
     UnixgramFd(RawFd),
     UnixgramPath(PathBuf, bool),
+    #[cfg(target_os = "linux")]
+    Tap(String),
 }
 
 pub struct Net {

src/devices/src/virtio/net/mod.rs

@@ -15,6 +15,8 @@ pub const TX_INDEX: usize = 1;
 
 mod backend;
 pub mod device;
+#[cfg(target_os = "linux")]
+mod tap;
 mod unixgram;
 mod unixstream;
 mod worker;

src/devices/src/virtio/net/tap.rs

@@ -0,0 +1,110 @@
+use libc::{
+    c_char, c_int, ifreq, IFF_NO_PI, IFF_TAP, IFF_VNET_HDR, O_RDWR, TUN_F_CSUM, TUN_F_TSO4,
+    TUN_F_TSO6,
+};
+use nix::fcntl::{fcntl, FcntlArg, OFlag};
+use nix::unistd::{read, write};
+use nix::{ioctl_write_int, ioctl_write_ptr};
+use std::os::fd::{AsRawFd, RawFd};
+use std::{io, mem, ptr};
+
+use super::backend::{ConnectError, NetBackend, ReadError, WriteError};
+
+ioctl_write_ptr!(tunsetiff, b'T', 202, c_int);
+ioctl_write_int!(tunsetoffload, b'T', 208);
+ioctl_write_ptr!(tunsetvnethdrsz, b'T', 216, c_int);
+
+pub struct Tap {
+    fd: RawFd,
+}
+
+impl Tap {
+    /// Create an endpoint using the file descriptor of a tap device
+    pub fn new(tap_name: String) -> Result<Self, ConnectError> {
+        let fd = unsafe { libc::open(c"/dev/net/tun".as_ptr() as *const _, O_RDWR) };
+
+        if fd < 0 {
+            return Err(ConnectError::OpenNetTun(io::Error::from_raw_os_error(fd)));
+        }
+
+        let mut req: ifreq = unsafe { mem::zeroed() };
+
+        unsafe {
+            ptr::copy_nonoverlapping(
+                tap_name.as_ptr() as *const c_char,
+                req.ifr_name.as_mut_ptr(),
+                tap_name.len(),
+            );
+        }
+
+        req.ifr_ifru.ifru_flags = IFF_TAP as i16 | IFF_NO_PI as i16 | IFF_VNET_HDR as i16;
+
+        unsafe {
+            if let Err(err) = tunsetiff(fd, &mut req as *mut _ as *mut _) {
+                return Err(ConnectError::TunSetIff(io::Error::from(err)));
+            }
+
+            // TODO(slp): replace hardcoded vnet size with cons
+            if let Err(err) = tunsetvnethdrsz(fd, &12) {
+                return Err(ConnectError::TunSetVnetHdrSz(io::Error::from(err)));
+            }
+
+            if let Err(err) = tunsetoffload(fd, (TUN_F_CSUM | TUN_F_TSO4 | TUN_F_TSO6) as u64) {
+                return Err(ConnectError::TunSetOffload(io::Error::from(err)));
+            }
+        }
+
+        match fcntl(fd, FcntlArg::F_GETFL) {
+            Ok(flags) => {
+                if let Err(e) = fcntl(
+                    fd,
+                    FcntlArg::F_SETFL(OFlag::from_bits_truncate(flags) | OFlag::O_NONBLOCK),
+                ) {
+                    warn!("error switching to non-blocking: id={fd}, err={e}");
+                }
+            }
+            Err(e) => error!("couldn't obtain fd flags id={fd}, err={e}"),
+        };
+
+        Ok(Self { fd })
+    }
+}
+
+impl NetBackend for Tap {
+    /// Try to read a frame from the tap devie. If no bytes are available reports
+    /// ReadError::NothingRead.
+    fn read_frame(&mut self, buf: &mut [u8]) -> Result<usize, ReadError> {
+        let frame_length = match read(self.fd, buf) {
+            Ok(f) => f,
+            #[allow(unreachable_patterns)]
+            Err(nix::Error::EAGAIN | nix::Error::EWOULDBLOCK) => {
+                return Err(ReadError::NothingRead)
+            }
+            Err(e) => {
+                return Err(ReadError::Internal(e));
+            }
+        };
+        debug!("Read eth frame from tap: {frame_length} bytes");
+        Ok(frame_length)
+    }
+
+    /// Try to write a frame to the tap device.
+    fn write_frame(&mut self, _hdr_len: usize, buf: &mut [u8]) -> Result<(), WriteError> {
+        let ret = write(self.fd, buf).map_err(WriteError::Internal)?;
+        debug!("Written frame size={}, written={}", buf.len(), ret);
+        Ok(())
+    }
+
+    fn has_unfinished_write(&self) -> bool {
+        false
+    }
+
+    fn try_finish_write(&mut self, _hdr_len: usize, _buf: &[u8]) -> Result<(), WriteError> {
+        // The tap backend doesn't do partial writes.
+        Ok(())
+    }
+
+    fn raw_socket_fd(&self) -> RawFd {
+        self.fd.as_raw_fd()
+    }
+}

src/devices/src/virtio/net/worker.rs

@@ -1,3 +1,5 @@
+#[cfg(target_os = "linux")]
+use crate::virtio::net::tap::Tap;
 use crate::virtio::net::unixgram::Unixgram;
 use crate::virtio::net::unixstream::Unixstream;
 use crate::virtio::net::{MAX_BUFFER_SIZE, QUEUE_SIZE, RX_INDEX, TX_INDEX};
@@ -53,6 +55,10 @@ impl NetWorker {
             VirtioNetBackend::UnixgramPath(path, vfkit_magic) => {
                 Box::new(Unixgram::open(path, vfkit_magic).unwrap()) as Box<dyn NetBackend + Send>
             }
+            #[cfg(target_os = "linux")]
+            VirtioNetBackend::Tap(tap_name) => {
+                Box::new(Tap::new(tap_name).unwrap()) as Box<dyn NetBackend + Send>
+            }
         };
 
         Self {

src/libkrun/src/lib.rs

@@ -876,6 +876,52 @@ pub unsafe extern "C" fn krun_add_net_unixgram(
     KRUN_SUCCESS
 }
 
+#[allow(clippy::missing_safety_doc)]
+#[no_mangle]
+#[cfg(all(target_os = "linux", feature = "net"))]
+pub unsafe extern "C" fn krun_add_net_tap(
+    ctx_id: u32,
+    c_tap_name: *const c_char,
+    c_mac: *const u8,
+    features: u32,
+    flags: u32,
+) -> i32 {
+    if cfg!(not(feature = "net")) {
+        return -libc::ENOTSUP;
+    }
+
+    let tap_name = match CStr::from_ptr(c_tap_name).to_str() {
+        Ok(tap_name) => tap_name.to_string(),
+        Err(e) => {
+            debug!("Error parsing tap_name: {e:?}");
+            return -libc::EINVAL;
+        }
+    };
+
+    let mac: [u8; 6] = match slice::from_raw_parts(c_mac, 6).try_into() {
+        Ok(m) => m,
+        Err(_) => return -libc::EINVAL,
+    };
+
+    if (features & !NET_ALL_FEATURES) != 0 {
+        return -libc::EINVAL;
+    }
+
+    /* The tap backend doesn't support any flags */
+    if flags != 0 {
+        return -libc::EINVAL;
+    }
+
+    match CTX_MAP.lock().unwrap().entry(ctx_id) {
+        Entry::Occupied(mut ctx_cfg) => {
+            let cfg = ctx_cfg.get_mut();
+            create_virtio_net(cfg, VirtioNetBackend::Tap(tap_name), mac, flags);
+        }
+        Entry::Vacant(_) => return -libc::ENOENT,
+    }
+    KRUN_SUCCESS
+}
+
 #[allow(clippy::missing_safety_doc)]
 #[no_mangle]
 #[cfg(feature = "net")]