Add interface-based routing matcher with kernel and DNS integration

[olicesx]

Motivation

• Add support for routing and DNS rules that match ingress/egress interfaces so rules like interface(wan:0eth) and interface(lan:3eth,4eth) can be used to distinguish WAN (out) and LAN (in) traffic.
• Propagate interface metadata from eBPF/kernel routing into userspace routing decisions to allow consistent behavior across kernel and application-level matchers.
• Provide a usable configuration/docs surface and examples for the new interface function in routing and DNS rules.

Description

• Introduces a new match type MatchType_Interface and corresponding enum entries in generated constants and eBPF sync spec (common/consts/*, control/kern/ebpf_sync_defs.h).
• Implements interface parsing and matching in userspace via component/routing/interface_matcher.go and wires the interface function into rule builders for routing and DNS (RoutingMatcherBuilder, RequestMatcherBuilder, ResponseMatcherBuilder).
• Extends kernel eBPF routing and tproxy logic to capture ifindex and direction, store them in routing results, and match interface rules in kernel route evaluation (control/kern/tproxy.c, control/bpf_stub.go), and encodes interface data into BPF match sets.
• Adds userspace support to resolve interface indices for kernel rules and to match by interface in the userspace routing matcher (control/routing_matcher_builder.go, control/routing_matcher_userspace.go), and exposes MatchWithInterface variants for routing and DNS that accept direction and ifname context.
• Integrates interface-aware DNS routing by extracting interface context from UDP requests (control/dns_control.go) and adding RequestSelectWithInterface / ResponseSelectWithInterface and related plumbing in DNS component (component/dns/*).
• Updates documentation and example files to document the interface matcher syntax and semantics (README.md, config/desc.go, example.dae, hack/templates/example-config.md).
• Adds unit tests for interface parsing/matching (component/routing/interface_matcher_test.go, component/dns/interface_routing_test.go).

Testing

• Ran go test ./component/routing -run TestParseInterfaceMatchers,TestMatchInterfaceDirectionAndName and the tests passed.
• Ran go test ./component/dns -run TestRequestInterfaceMatcher and the test passed.
• Verified build of modified packages containing new match types and function signatures by running go test ./... on the changed modules, which completed successfully.
• No automated kernel/eBPF runtime tests were executed in CI as part of this change, only unit tests for parsing and userspace matching.

---

Codex Task

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 089817f44a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Copilot]

Pull request overview

This PR adds an interface(...) matcher that can be used in both traffic routing and DNS routing rules, and plumbs kernel-derived interface metadata (ifindex + direction) through to userspace match evaluation so routing decisions can be interface-aware end-to-end.

Changes:

• Introduces a new match type/function (MatchType_Interface / interface(...)) and wires it into routing + DNS rule builders and matchers.
• Extends eBPF routing/tproxy logic to record ifindex + direction and evaluate interface match rules in-kernel.
• Updates docs/examples and adds unit tests for interface parsing/matching and DNS interface routing.

Reviewed changes

Copilot reviewed 20 out of 20 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
hack/templates/example-config.md	Adds interface matcher examples to generated example config docs.
example.dae	Adds commented interface matcher examples for routing and DNS config.
control/utils.go	Passes direction + interface name context into userspace routing matcher; derives ifname from ifindex.
control/routing_matcher_userspace.go	Adds MatchWithInterface and evaluates MatchType_Interface in userspace matcher loop.
control/routing_matcher_builder.go	Registers interface function; builds interface match sets; resolves ifindex for kernel rules.
control/kern/tproxy.c	Adds ifindex + direction_in to routing result; adds kernel-side interface match evaluation; propagates skb ifindex.
control/kern/ebpf_sync_defs.h	Adds MatchType_Interface to the shared enum used for eBPF/userspace sync.
control/dns_control.go	Extracts interface context from BPF routing result and routes DNS requests/responses with interface-aware selectors.
control/bpf_stub.go	Extends Go stub bpfRoutingResult struct with Ifindex and DirectionIn fields.
config/desc.go	Documents the new interface function in routing and DNS sections.
component/routing/interface_matcher_test.go	Adds tests for interface matcher parsing and direction/name matching.
component/routing/interface_matcher.go	Implements parsing + matching logic for interface(wan:...) / interface(lan:...).
component/dns/response_routing.go	Adds interface-aware matching to DNS response routing builder + matcher (MatchWithInterface).
component/dns/request_routing.go	Adds interface-aware matching to DNS request routing builder + matcher (MatchWithInterface).
component/dns/interface_routing_test.go	Adds a DNS request routing test covering interface matcher behavior.
component/dns/dns.go	Adds RequestSelectWithInterface / ResponseSelectWithInterface and calls interface-aware matchers.
common/consts/routing.go	Adds Function_Interface = "interface".
common/consts/ebpf_sync_spec.json	Extends eBPF sync spec to include Interface match type.
common/consts/ebpf_generated.go	Adds generated MatchType_Interface constant.
README.md	Documents interface matcher availability and basic syntax.

Comments suppressed due to low confidence (2)

control/utils.go:46

• net.InterfaceByIndex is called on every Route() invocation to derive ifname. This is on a hot path and can be relatively expensive (netlink/syscall per call depending on platform), and it is now in the critical routing decision loop. Consider caching ifindex -> ifname (e.g., sync.Map with occasional refresh, or wiring into the existing interface/link monitoring) and only resolving on cache miss.

	if routingResult.Ifindex > 0 {
		if iface, e := net.InterfaceByIndex(int(routingResult.Ifindex)); e == nil {
			ifname = iface.Name
		}

control/dns_control.go:889

• dnsInterfaceContext resolves ifindex -> ifname via net.InterfaceByIndex for each UDP DNS request/response routing decision. Given DNS QPS can be high, this repeated lookup can add significant overhead. Consider sharing a cached resolver (e.g., sync.Map keyed by ifindex) with periodic invalidation or using the existing link monitor to keep names up to date.

	iface, err := net.InterfaceByIndex(int(req.routingResult.Ifindex))
	if err != nil {
		return direction, ""
	}
	return direction, iface.Name

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

In kernel route evaluation, MatchType_Interface uses _is_wan to decide zone semantics (wan vs lan). But _is_wan is defined as ctx->params->flag[2] (the first byte of the process name buffer), and in WAN egress paths pid_pname can be NULL (cookie missing) so flag[2] stays 0. That will incorrectly treat WAN egress traffic as non-WAN and prevent interface(wan:...) rules from ever matching in kernspace for those flows. Consider adding an explicit boolean/enum field in route_params (or a dedicated flag byte) to represent direction/zone (WAN egress vs LAN ingress) and set it unconditionally before calling route(), then use that field here instead of _is_wan.

Suggested change

	if (match_set->iface.zone == 1 && _is_wan)
	direction_ok = true;
	if (match_set->iface.zone == 2 && !_is_wan)
	/* zone: 1 => WAN egress, 2 => LAN ingress */
	if (match_set->iface.zone == 1 && match_outbound)
	direction_ok = true;
	if (match_set->iface.zone == 2 && !match_outbound)

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e01de00390

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Resolve route interface names in host namespace

Route now converts routingResult.Ifindex with net.InterfaceByIndex directly, but that ifindex is written by tc eBPF from skb->ifindex on host-side interfaces, while packet serving is started under GetDaeNetns().With(...) (cmd/run.go), so this lookup can run in daens and return empty/wrong names. In that case MatchWithInterface receives ifname="", and interface-based userspace rerouting decisions (including control-plane reroute paths) silently miss.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Fail unresolved interface rules instead of matching negations

The interface matcher bails out immediately when match_set->iface.ifindex == 0, and builder can intentionally emit ifindex=0 when resolution fails (it logs a warning and keeps the rule). With current rule reduction, that makes good_subrule stay false, so negated rules like !interface(...) are treated as matched for all packets while unresolved, which can broadly misroute traffic until the next reload.

Useful? React with 👍 / 👎.

[olicesx]

---

Code review

Found 2 issues:

1. Potential nil pointer dereference in addInterface functions for DNS routing (functions directly dereference upstream.Name without nil check, while similar functions like addQName and addQType explicitly check for nil)

dae/component/dns/request_routing.go

Lines 112 to 113 in 59020de

	func (b *RequestMatcherBuilder) addInterface(f *config_parser.Function, values []routing.InterfaceMatcher, upstream *routing.Outbound) (err error) {
	upstreamId, err := b.upstreamToId(upstream.Name)

dae/component/dns/response_routing.go

Lines 162 to 163 in 59020de

	func (b *ResponseMatcherBuilder) addInterface(f *config_parser.Function, values []routing.InterfaceMatcher, upstream *routing.Outbound) (err error) {
	upstreamId, err := b.upstreamToId(upstream.Name)

2. Binary structure change to bpfRoutingResult requires synchronization between kernel and userspace (adding Ifindex uint32 and DirectionIn uint8 changes struct layout; verify that kernel C struct and Go struct remain ABI-compatible, especially regarding padding between Dscp and Ifindex)

dae/control/bpf_stub.go

Lines 87 to 100 in 59020de

	}
	type bpfRoutingResult struct {
	_ structs.HostLayout
	Mark uint32
	Must uint8
	Mac [6]uint8
	Outbound uint8
	Pname [16]uint8
	Pid uint32
	Dscp uint8
	Ifindex uint32
	DirectionIn uint8
	}

🤖 Generated with Claude Code

_{- If this code review was useful, please react with 👍. Otherwise, react with 👎.}

[olicesx]

---

Update on code review

After further analysis, both issues I reported appear to be false positives:

1. Nil pointer dereference: The parameter is always allocated by (see ) and is never nil. Existing functions like and use the same pattern without nil checks.

2. Binary structure mismatch: The PR correctly updates both the C kernel struct () and Go stub (), and ensures proper padding alignment. The layouts are compatible.

Please disregard my previous review - the code follows existing patterns correctly.