netring 0.4.0

High-performance zero-copy packet I/O for Linux (AF_PACKET TPACKET_V3 + AF_XDP)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205

# Architecture

## Overview

```
┌─────────────────────────────────────────────────────┐
│                  User Application                    │
├─────────────────────────────────────────────────────┤
│  Public API                                          │
│  Capture / Injector  (AF_PACKET)                     │
│  XdpSocket            (AF_XDP, feature af-xdp)       │
│  Bridge               (paired AF_PACKET RX+TX)       │
│  AsyncCapture / AsyncInjector  (feature tokio)       │
│  PacketStream                  (feature tokio)       │
│  ChannelCapture                (feature channel)     │
├─────────────────────────────────────────────────────┤
│  Backend internals                                   │
│  src/afpacket/   socket, ring, fanout, filter, ffi   │
│  src/afxdp/      socket, ring, umem, batch, ffi      │
│  src/syscall.rs  EINTR-safe poll/sendto wrappers     │
├─────────────────────────────────────────────────────┤
│  nix 0.31 (mmap, poll)  +  libc (setsockopt, bind)   │
├─────────────────────────────────────────────────────┤
│  Linux Kernel  (TPACKET_V3, AF_XDP)                  │
└─────────────────────────────────────────────────────┘
```

## One type per role

netring used to have a "high-level vs low-level" split — `Capture` wrapped
`AfPacketRx`, `Injector` wrapped `AfPacketTx`. As of 0.4 those are merged.
Each role is one type:

```rust
let mut cap = Capture::open("eth0")?;       // simple
// or
let mut cap = Capture::builder()             // configured
    .interface("eth0")
    .promiscuous(true)
    .build()?;

for pkt in cap.packets().take(100) { /* zero-copy */ }
// or
while let Some(batch) = cap.next_batch_blocking(timeout)? { /* batches */ }
```

The same type exposes both the flat iterator (`packets()`) and the
batch-level access (`next_batch`, `next_batch_blocking`). Old user code
referencing `AfPacketRx` / `AfPacketTx` still compiles via deprecated type
aliases.

## Zero-copy lifetime model

```
Capture (owns fd + mmap ring)
    │ next_batch(&mut self) → PacketBatch<'_>
    │   (mutable borrow held — one batch at a time)
    └── PacketBatch<'_> (borrows ring, RAII block release)
            │ iter() → BatchIter<'_>
            └── Packet<'_> (&[u8] into mmap region)
                    └── to_owned() → OwnedPacket (escapes ring)
```

**Key invariant:** `Packet<'a>` borrows from `PacketBatch<'a>` which borrows
from `&'a mut Capture`. The compiler enforces that packet references cannot
outlive the batch, and the batch cannot outlive the ring. When the batch
drops, it writes `TP_STATUS_KERNEL` to return the block to the kernel.

The flat iterator (`Capture::packets`) uses `'static`-lifetime erasure
internally to thread the batch through `Iterator::next()` (which can't
express a lifetime tied to its own state). `for` loop consumption is sound;
`.collect()` across blocks is not — see the rustdoc on `Capture::packets`
for the full soundness note.

## Ring buffer memory layout

```
mmap region (block_size × block_count bytes):
┌────────────────┬────────────────┬────────────────┬───┐
│    Block 0     │    Block 1     │    Block 2     │...│
└────────────────┴────────────────┴────────────────┘

Each block:
┌──────────────────────────────────────┐
│ tpacket_block_desc (48 bytes)        │
│   block_status, num_pkts, seq_num    │
├──────────────────────────────────────┤
│ tpacket3_hdr → sockaddr_ll → data    │
│ tpacket3_hdr → sockaddr_ll → data    │
│ ... (linked list via tp_next_offset) │
├──────────────────────────────────────┤
│ [unused space]                       │
└──────────────────────────────────────┘
```

Blocks cycle between kernel-owned (`TP_STATUS_KERNEL`) and user-owned
(`TP_STATUS_USER`). Memory ordering uses `Acquire` on read, `Release` on
return.

`BatchIter::next` bounds-checks both the `tpacket3_hdr` and the
`sockaddr_ll` that follows it before constructing each `Packet` (so
`pkt.direction()`, `pkt.source_ll_addr()` are sound).

## Struct drop ordering

Field declaration order matters — Rust drops fields top to bottom:

```rust
pub struct Capture {
    ring: MmapRing,   // dropped first → munmap
    fd: OwnedFd,      // dropped second → close(fd)
    ...
}
```

`munmap` must happen before `close(fd)` to avoid the kernel reclaiming
ring memory while we might still be referencing it during drop.

## Async adapters (feature: `tokio`)

### `AsyncCapture<S>` — generic over any `PacketSource + AsRawFd`

Wraps the source in `tokio::io::unix::AsyncFd`. Provides:

- `readable() → ReadableGuard` — recommended; clears tokio readiness only
  on `None` to eliminate the wait/read race window.
- `try_recv_batch().await` — single-call zero-copy.
- `recv().await → Vec<OwnedPacket>``Send` future, use with
  `tokio::spawn` and channel sinks.
- `into_stream() → PacketStream<S>``futures_core::Stream<Item = ...>`
  for combinator-style code.

`PacketBatch` is `!Send` (mmap ring is `!Sync` on the user side because
of cached cursor state). Choose between `try_recv_batch` (zero-copy,
`!Send`) and `recv` (owned, `Send`) based on whether the surrounding
future needs to cross task boundaries.

### `AsyncInjector` — TX with backpressure

`send(data).await` awaits `POLLOUT` when the ring is full instead of
returning `None`. Mirrors `AsyncCapture` for symmetry.

### `Bridge::run_async`

Uses `tokio::select!` over `AsyncFd::readable()` on both RX fds — no
`poll(2)` syscall, the tokio reactor drives the loop.

## Channel adapter (feature: `channel`)

`ChannelCapture` spawns a dedicated thread that calls
`next_batch_blocking()` in a loop, copies packets via `to_owned()`, and
sends them over a bounded crossbeam channel. Runtime-agnostic — works
with any async runtime or synchronous code.

## TX path

TPACKET_V3 TX uses V1 frame-based semantics (not block-based):

- Flat array of fixed-size frames
- Status flow: `AVAILABLE → SEND_REQUEST → kernel sends → AVAILABLE` (or
  `WRONG_FORMAT` on rejection)
- `sendto(fd, NULL, 0, ...)` triggers kernel transmission
- `TxSlot::send()` marks the frame; `TxSlot::Drop` discards if not sent
- `Injector::allocate` scans forward up to `frame_count` slots so dropped
  slots and `WRONG_FORMAT`-rejected slots get reused promptly

## AF_XDP backend (feature: `af-xdp`)

Direct AF_XDP syscalls (`socket`, `setsockopt`, `mmap`, `bind`) via `libc`.
Same pure-Rust approach as AF_PACKET — no C library dependencies.

```
src/afxdp/
  ├── mod.rs    XdpSocket + XdpSocketBuilder + XdpMode (public API)
  ├── batch.rs  XdpBatch / XdpPacket / XdpBatchIter (zero-copy view)
  ├── stats.rs  XdpStats (decoded xdp_statistics)
  ├── socket.rs socket(AF_XDP), setsockopt, getsockopt, bind
  ├── umem.rs   UMEM mmap + frame allocator (free list, bounds-checked)
  ├── ring.rs   4 ring types (Fill, RX, TX, Completion) + token API
  └── ffi.rs    libc re-exports (XDP constants/structs)
```

Ring model: 4 shared rings (Fill, RX, TX, Completion) over UMEM.
Producer/consumer protocol with `AtomicU32` (`Acquire`/`Release` ordering),
single producer / single consumer per ring (no `fetch_add`). Operations
use `PeekToken` / `ReserveToken` to make bounds checks runtime-explicit.

`XdpMode` controls UMEM partitioning between the fill ring (RX) and the
free list (TX): pick `Tx` for transmit-only workloads, `Rx` for
receive-only, or accept the default `RxTx` 50/50 split.

Requires: Linux 5.4+, XDP-capable NIC driver, external XDP BPF program
for RX (TX-only mode skips the BPF requirement entirely).

## EINTR-safe syscalls

`src/syscall.rs` wraps `nix::poll::poll` and `libc::sendto` with
EINTR-retry loops. Every blocking site in the crate routes through these
helpers, so users never see spurious `Error::Io` from a signal landing
mid-syscall.