Unverified Commit a8f4a42f authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee

!1443 backport sockmap feature patches from OLK-5.10

Merge Pull Request from: @kwb0523 
 
Add a gid field to struct sock;
add the bpf_get_sockops_uid_gid and bpf_sk_original_addr helper functions;
original issue:https://gitee.com/openeuler/kernel/issues/I545NW 
 
Link:https://gitee.com/openeuler/kernel/pulls/1443

 

Reviewed-by: default avatarWei Li <liwei391@huawei.com>
Signed-off-by: default avatarWei Li <liwei391@huawei.com>
parents 681bb667 50d52727
+4 −0
@@ -381,4 +381,8 @@ int nf_ct_handle_fragments(struct net *net, struct sk_buff *skb,
#define MODULE_ALIAS_NFCT_HELPER(helper) \
        MODULE_ALIAS("nfct-helper-" helper)

typedef int (*bpf_getorigdst_opt_func)(struct sock *sk, int optname,
				       void *optval, int *optlen, int dir);
extern bpf_getorigdst_opt_func bpf_getorigdst_opt;

#endif /* _NF_CONNTRACK_H */
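Review bot: `bpf_getorigdst_opt` is declared here as a bare global function pointer with no stated rule for who assigns it or when it may be reset. The caller in the filter.c section tests it and then calls through it in separate loads, without `READ_ONCE()` or RCU, so if the setter (not visible on this page, presumably a conntrack module) clears it on unload, the helper could call through NULL or into module text that is going away. Consider annotating the pointer `__rcu` and having the caller read it once with `rcu_dereference()`, paired with a `synchronize_rcu()` on the clearing side. At minimum, add a comment above the `extern` naming the owner of the pointer and the conditions under which it is set and cleared.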
+11 −0
@@ -300,6 +300,7 @@ struct sk_filter;
  *	@sk_ack_backlog: current listen backlog
  *	@sk_max_ack_backlog: listen backlog set in listen()
  *	@sk_uid: user id of owner
  *	@sk_gid: group id of owner
  *	@sk_prefer_busy_poll: prefer busypolling over softirq processing
  *	@sk_busy_poll_budget: napi processing budget when busypolling
  *	@sk_priority: %SO_PRIORITY setting
@@ -543,6 +544,10 @@ struct sock {
	struct bpf_local_storage __rcu	*sk_bpf_storage;
#endif
	struct rcu_head		sk_rcu;
	union {
		kgid_t	sk_gid;
		u64	sk_gid_padding;
	};
	netns_tracker		ns_tracker;
	struct hlist_node	sk_bind2_node;
};
@@ -2095,6 +2100,7 @@ static inline void sock_graft(struct sock *sk, struct socket *parent)
	parent->sk = sk;
	sk_set_socket(sk, parent);
	sk->sk_uid = SOCK_INODE(parent)->i_uid;
	sk->sk_gid = SOCK_INODE(parent)->i_gid;
	security_sock_graft(sk, parent);
	write_unlock_bh(&sk->sk_callback_lock);
}
@@ -2107,6 +2113,11 @@ static inline kuid_t sock_net_uid(const struct net *net, const struct sock *sk)
	return sk ? sk->sk_uid : make_kuid(net->user_ns, 0);
}

static inline kgid_t sock_net_gid(const struct net *net, const struct sock *sk)
{
	return sk ? sk->sk_gid : make_kgid(net->user_ns, 0);
}

static inline u32 net_tx_rndhash(void)
{
	u32 v = get_random_u32();
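Review bot: `sk_gid` is assigned only in `sock_graft()` in the hunks shown, so a socket that never passes through it would report whatever the field was initialised to when read via `sock_net_gid()`; a zeroed `kgid_t` reads as GID 0, which a BPF policy keyed on group could mistake for the root group. The other places that set or update `sk_uid` are not visible on this page; each of them should set `sk_gid` from the same inode (`i_gid`) so the pair stays consistent, including after an ownership change on the socket inode. The anonymous union with `sk_gid_padding` also deserves a comment, for example `/* pad sk_gid to 8 bytes to keep the struct sock layout stable */`, if that is the intent.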
+15 −0
@@ -5559,6 +5559,19 @@ union bpf_attr {
 *		0 on success.
 *
 *		**-ENOENT** if the bpf_local_storage cannot be found.
 *
 * u64 bpf_get_sockops_uid_gid(void *sockops)
 *     Description
 *             Get sock's uid and gid
 *     Return
 *             A 64-bit integer containing the current GID and UID, and
 *             created as such: *current_gid* **<< 32 \|** *current_uid*.
 *
 * int bpf_sk_original_addr(void *bpf_socket, int optname, char *optval, int optlen)
 *     Description
 *             Get Ipv4 origdst or replysrc. Works with IPv4.
 *     Return
 *             0 on success, or a negative error in case of failure.
 */
#define ___BPF_FUNC_MAPPER(FN, ctx...)			\
	FN(unspec, 0, ##ctx)				\
@@ -5773,6 +5786,8 @@ union bpf_attr {
	FN(user_ringbuf_drain, 209, ##ctx)		\
	FN(cgrp_storage_get, 210, ##ctx)		\
	FN(cgrp_storage_delete, 211, ##ctx)		\
	FN(get_sockops_uid_gid, 212, ##ctx)		\
	FN(sk_original_addr, 213, ##ctx)		\
	/* */

/* backwards-compatibility macros for users of __BPF_FUNC_MAPPER that don't
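Review bot: The Return text for `bpf_get_sockops_uid_gid` says "current GID and UID", but the implementation in the filter.c section returns the socket owner's ids (`sk_gid`/`sk_uid`), not those of the current task, so a program author could apply policy to the wrong principal. It also omits the failure case: the helper returns `-EINVAL` for a missing or non-full socket, and in a u64 that value is not distinguishable from a packed id pair unless it is documented. Suggested wording: `A 64-bit integer containing the socket owner's GID and UID, created as such: *gid* **<< 32 \|** *uid*, or **-EINVAL** if the socket is not a full socket.` The `bpf_sk_original_addr` entry should likewise name the accepted *optname* values (`BPF_SO_ORIGINAL_DST`, `BPF_SO_REPLY_SRC`) and state how large the *optval* buffer must be.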
+2 −0
@@ -50,6 +50,8 @@ enum nf_ip_hook_priorities {
/* 2.2 firewalling (+ masq) went from 64 through 76 */
/* 2.4 firewalling went 64 through 67. */
#define SO_ORIGINAL_DST 80
#define BPF_SO_ORIGINAL_DST 800
#define BPF_SO_REPLY_SRC 801


#endif /* _UAPI__LINUX_IP_NETFILTER_H */
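Review bot: `BPF_SO_ORIGINAL_DST` and `BPF_SO_REPLY_SRC` are added beside `SO_ORIGINAL_DST` in a UAPI header without saying that they are optname values for the `bpf_sk_original_addr` helper; on this page only that helper checks for them. A one-line comment such as `/* optnames for the bpf_sk_original_addr() helper, not getsockopt() options */` would keep userspace from treating them as socket options, assuming no getsockopt path handles them.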
+74 −0
@@ -5487,6 +5487,76 @@ static const struct bpf_func_proto bpf_sock_addr_setsockopt_proto = {
	.arg5_type	= ARG_CONST_SIZE,
};

BPF_CALL_1(bpf_get_sockops_uid_gid, struct bpf_sock_ops_kern *, bpf_sock)
{
	struct sock *sk = bpf_sock->sk;
	kuid_t uid;
	kgid_t gid;

	if (!sk || !sk_fullsock(sk))
		return -EINVAL;

	uid = sock_net_uid(sock_net(sk), sk);
	gid = sock_net_gid(sock_net(sk), sk);

	return ((u64)from_kgid_munged(sock_net(sk)->user_ns, gid)) << 32 |
		from_kuid_munged(sock_net(sk)->user_ns, uid);
}

static const struct bpf_func_proto bpf_get_sockops_uid_gid_proto = {
	.func		= bpf_get_sockops_uid_gid,
	.gpl_only	= false,
	.ret_type	= RET_INTEGER,
	.arg1_type	= ARG_PTR_TO_CTX,
};

#include <net/netfilter/nf_conntrack.h>
#include <linux/netfilter_ipv4.h>

bpf_getorigdst_opt_func bpf_getorigdst_opt;
EXPORT_SYMBOL(bpf_getorigdst_opt);

BPF_CALL_4(bpf_sk_original_addr, struct bpf_sock_ops_kern *, bpf_sock,
	   int, optname, char *, optval, int, optlen)
{
	struct sock *sk = bpf_sock->sk;
	int ret = -EINVAL;

	if (!sk_fullsock(sk))
		goto err_clear;

	if (optname != BPF_SO_ORIGINAL_DST && optname != BPF_SO_REPLY_SRC)
		goto err_clear;

	if (!bpf_getorigdst_opt)
		goto err_clear;
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
	if (optname == BPF_SO_ORIGINAL_DST)
		ret = bpf_getorigdst_opt(sk, optname, optval, &optlen,
					 IP_CT_DIR_ORIGINAL);
	else if (optname == BPF_SO_REPLY_SRC)
		ret = bpf_getorigdst_opt(sk, optname, optval, &optlen,
					 IP_CT_DIR_REPLY);
	if (ret < 0)
		goto err_clear;

	return 0;
#endif
err_clear:
	memset(optval, 0, optlen);
	return ret;
}

static const struct bpf_func_proto bpf_sk_original_addr_proto = {
	.func		= bpf_sk_original_addr,
	.gpl_only	= false,
	.ret_type	= RET_INTEGER,
	.arg1_type	= ARG_PTR_TO_CTX,
	.arg2_type	= ARG_ANYTHING,
	.arg3_type	= ARG_PTR_TO_UNINIT_MEM,
	.arg4_type	= ARG_CONST_SIZE,
};

BPF_CALL_5(bpf_sock_addr_getsockopt, struct bpf_sock_addr_kern *, ctx,
	   int, level, int, optname, char *, optval, int, optlen)
{
@@ -8126,6 +8196,10 @@ sock_ops_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
		return &bpf_sk_storage_delete_proto;
	case BPF_FUNC_get_netns_cookie:
		return &bpf_get_netns_cookie_sock_ops_proto;
	case BPF_FUNC_get_sockops_uid_gid:
		return &bpf_get_sockops_uid_gid_proto;
	case BPF_FUNC_sk_original_addr:
		return &bpf_sk_original_addr_proto;
#ifdef CONFIG_INET
	case BPF_FUNC_load_hdr_opt:
		return &bpf_sock_ops_load_hdr_opt_proto;
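Review bot: In `bpf_sk_original_addr`, `&optlen` is handed to `bpf_getorigdst_opt()` and the same variable then sizes `memset(optval, 0, optlen)` at `err_clear`; if the callback (not visible here) writes a larger length before failing, the clear would run past the buffer the verifier bounded through `ARG_CONST_SIZE`. Keep the verified length in a separate local, `int len = optlen;`, and clear with `memset(optval, 0, len);`. The helper also calls `sk_fullsock(sk)` without the `!sk` test that `bpf_get_sockops_uid_gid` performs just above it. It further relies entirely on the callback to reject an `optlen` too small for the address it writes, so a local size check before the call would make that bound visible at the helper boundary.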