Address reviewer's comments.

Among which: added lint check for *either* license text or SPDX line in
headers. Use the latter in all new files.

Author: jiceathome

.golangci.yml

@@ -41,24 +41,29 @@ linters:
           msg: spell trust root certificate as trc / TRC
     goheader:
       values:
-        regexp:
-          copyright-lines: |-
-            (Copyright 20[0-9][0-9] .*)(
-            Copyright 20[0-9][0-9] .*)*
-      template: |-
-        {{copyright-lines}}
-
-        Licensed under the Apache License, Version 2.0 (the "License");
-        you may not use this file except in compliance with the License.
-        You may obtain a copy of the License at
+        const:
+          LICENSE_TEXT: |-
+            Licensed under the Apache License, Version 2.0 \(the "License"\);
+            you may not use this file except in compliance with the License.
+            You may obtain a copy of the License at
 
-          http://www.apache.org/licenses/LICENSE-2.0
+              http://www.apache.org/licenses/LICENSE-2.0
 
-        Unless required by applicable law or agreed to in writing, software
-        distributed under the License is distributed on an "AS IS" BASIS,
-        WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-        See the License for the specific language governing permissions and
-        limitations under the License.
+            Unless required by applicable law or agreed to in writing, software
+            distributed under the License is distributed on an "AS IS" BASIS,
+            WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+            See the License for the specific language governing permissions and
+            limitations under the License.
+          SPDX_LINE: |-
+            SPDX-License-Identifier: Apache-2.0
+        regexp:
+          copyright_lines: |-
+            (Copyright 20[0-9][0-9] .*)
+            (Copyright 20[0-9][0-9] .*)*
+          license: |-
+            ({{SPDX_LINE}})|({{LICENSE_TEXT}})
+      template: |-
+        {{copyright_lines}}{{license}}
     lll:
       line-length: 100
       tab-width: 4

MODULE.bazel.lock

@@ -60,7 +60,7 @@ func newMpktSender(tp *afpacket.TPacket) *mpktSender {
 
 	// If we're going to send, we need to make sure we're not receiving our own stuff. The default
 	// behaviour is less than clear. The loopback doesn't work with veth, but likely does with
-	// else.
+	// everything else.
 	err = unix.SetsockoptInt(sender.fd, unix.SOL_PACKET, unix.PACKET_IGNORE_OUTGOING, 1)
 	if err != nil {
 		panic(err)

acceptance/router_benchmark/brload/mmsg.go

@@ -193,13 +193,12 @@ class RouterBMTest(base.TestBase, RouterBM):
     Pretend traffic is injected by brload's. See the test cases for details.
     """
 
-    # TODO(jiceatscion): We construct intf_map during setup and we use it later, during
-    # _run(). As a result, running setup, run, at teardown separately is difficult.
-    # During run and teardown, we reconstruct the map without actually setup the
-    # interfaces. This assumes that brload isn't being changed in-between, since the map is
-    # based on the requirements that it outputs.
-    debug_run: bool = DEBUG_RUN
+    # We construct intf_map during setup and we use it later, during _run(). As a result, running
+    # setup, run, and teardown separately is difficult.  During run and teardown, we reconstruct the
+    # map without actually setup the interfaces. This assumes that brload isn't being changed
+    # in-between, since the map is based on the requirements that it outputs.
 
+    debug_run: bool = DEBUG_RUN
     router_cpus: list[int] = [0]
 
     # Used by the RouterBM mixin:

acceptance/router_benchmark/test.py

@@ -1,6 +1,6 @@
-// SPDX-License-Identifier: Apache-2.0
-//
 // Copyright 2025 SCION Association
+//
+// SPDX-License-Identifier: Apache-2.0
 
 //go:build ignore
 
@@ -11,15 +11,18 @@
 #include <linux/udp.h>
 #include "bpf_helpers.h"
 
-// This tells our bpf program which address/port(s) goes to the AF_PACKET socket
-// and therefore not to the kernel.
+// kfilter: the kernel-side filter. The purpose of this program is to prevent the traffic that goes
+// to the AF_PACKET socket from getting to the regular kernel networking stack as well. If it did,
+// the kernel would expand resources processing the traffic, generating ICMP responses AND sending
+// them!
 //
-// This is a set of (address/port) pairs. Ports must be in network byte order.
+// This is still not ideal because I have yet to find a way to dispatch traffic before it is cloned
+// for AF_PACKET handling but after it is turned into an SKB. To solve that problem we would need to
+// go to XDP.
 //
-// The same port numbers are used by sockfilter to perform the opposite filtering. We may have many
-// addrPorts to filter for a given interface. We could have several one-addrPort filters in series,
-// we would easily exceed the number of filters that can be attached to an interface (not
-// mentionning this would be inefficient). So we need a map with multiple ports.
+// This might not be as bad as it looks though: traffic is cloned via c-o-w and it might even not be
+// cloned until the AF_PACKET tap has made a drop/keep decision. The traffic that we keep is
+// definitely cloned; so...  dear cow, a third swiss industry is now counting on you.
 
 typedef struct {
   __u8 ip_addr[16];
@@ -28,28 +31,23 @@ typedef struct {
   __u8 padding; // just to make it clear what the real size of the struct is.
 } addrPort;
 
+// k_map_flt tells our bpf program which address/port(s) go to the AF_PACKET socket and therefore
+// not to the kernel. Ports must be in network byte order.
+//
+// The same data is used by sockfilter to perform the opposite filtering. We may have many
+// pairs to filter for a given interface. We could have several one-addrPort filters in series,
+// but we would easily exceed the number of filters that can be attached to an interface (not
+// mentionning this would be inefficient). So we need a map with multiple pairs.
 struct {
   __uint(type, BPF_MAP_TYPE_HASH);
   __type(key, addrPort); // An IP address and a port number.
   __type(value, __u8); // Nothing. The map is just a set of keys.
   __uint(max_entries, 64);
 } k_map_flt SEC(".maps");
 
-// The traffic that goes to the AF_PACKET socket, must not get to the regular kernel networking
-// stack; else it will expand resources processing it, generating ICMP responses AND sending them!
-// That is the purpose of this program.
-// 
 // This is a very simple classifier type of filter: it looks at the packet's protocol and dest
 // port. If it is UDP and if the port is found in sock_map_filt, then the packet is dropped (because
 // the AF_PACKET socket will get and process it).
-//
-// This is not ideal because I have yet to find a way to dispatch traffic before it is cloned
-// for AF_PACKET handling but after it is turned into an SKB. To solve that problem we need to go to
-// XDP.
-//
-// This might not be as bad as it looks though: traffic is cloned via c-o-w and it might even not be
-// cloned until the AF_PACKET tap has made a drop/keep decision. The traffic that we keep is
-// definitely cloned; so...  dear cow, a third swiss industry is now counting on you.
 SEC("tcx/ingress")
 int bpf_k_filter(struct __sk_buff *skb)
 {

private/underlay/ebpf/kfilter.c

@@ -1,18 +1,6 @@
-// SPDX-License-Identifier: Apache-2.0
-//
 // Copyright 2025 SCION Association
 //
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-License-Identifier: Apache-2.0
 
 // Placeholder for generated code during lint.
 

private/underlay/ebpf/kfilter_lint.go

@@ -1,18 +1,6 @@
-// SPDX-License-Identifier: Apache-2.0
-//
 // Copyright 2025 SCION Association
 //
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-License-Identifier: Apache-2.0
 
 package ebpf
 

private/underlay/ebpf/portfilter.go

@@ -1,18 +1,6 @@
-// SPDX-License-Identifier: Apache-2.0
-//
 // Copyright 2025 SCION Association
 //
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-License-Identifier: Apache-2.0
 
 package ebpf_test