Commit fd9c663b authored by Florian Westphal's avatar Florian Westphal Committed by Alexei Starovoitov

bpf: minimal support for programs hooked into netfilter framework



This adds minimal support for BPF_PROG_TYPE_NETFILTER bpf programs
that will be invoked via the NF_HOOK() points in the ip stack.

Invocation incurs an indirect call.  This is not a necessity: it's
possible to add 'DEFINE_BPF_DISPATCHER(nf_progs)' and handle the
program invocation with the same method already used for xdp progs.

This isn't done here to keep the size of this chunk down.

Verifier restricts verdicts to either DROP or ACCEPT.

Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Link: https://lore.kernel.org/r/20230421170300.24115-3-fw@strlen.de


Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
parent 84601d6e
+4 −0
@@ -79,6 +79,10 @@ BPF_PROG_TYPE(BPF_PROG_TYPE_LSM, lsm,
#endif
BPF_PROG_TYPE(BPF_PROG_TYPE_SYSCALL, bpf_syscall,
	      void *, void *)
#ifdef CONFIG_NETFILTER
BPF_PROG_TYPE(BPF_PROG_TYPE_NETFILTER, netfilter,
	      struct bpf_nf_ctx, struct bpf_nf_ctx)
#endif

BPF_MAP_TYPE(BPF_MAP_TYPE_ARRAY, array_map_ops)
BPF_MAP_TYPE(BPF_MAP_TYPE_PERCPU_ARRAY, percpu_array_map_ops)
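Review bot: The new BPF_PROG_TYPE_NETFILTER entry is guarded by `#ifdef CONFIG_NETFILTER`, while the header that defines its context type and attach entry point (nf_bpf_link.h, visible in the next section) guards the attach prototype with `CONFIG_NETFILTER_BPF_LINK`. If NETFILTER_BPF_LINK is the option that actually makes these programs attachable, using the narrower guard here would avoid exposing a program type that can be loaded but never attached; if the wider guard is deliberate, a one-line comment should say so. Suggested, above the `#ifdef`: `/* Program type exists whenever netfilter does; attaching requires CONFIG_NETFILTER_BPF_LINK (see nf_bpf_link.h). */`. I cannot see the Kconfig dependencies from here, so confirm which option is meant to gate the type.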
+5 −0
/* SPDX-License-Identifier: GPL-2.0 */

struct bpf_nf_ctx {
	const struct nf_hook_state *state;
	struct sk_buff *skb;
};

#if IS_ENABLED(CONFIG_NETFILTER_BPF_LINK)
int bpf_nf_link_attach(const union bpf_attr *attr, struct bpf_prog *prog);
#else
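Review bot: This header now carries a type definition (`struct bpf_nf_ctx`) but no include guard is visible between the SPDX line and the struct, and with the section starting at the top of the file there appears to be none; a second inclusion in any translation unit would now fail with a struct redefinition rather than silently repeating a prototype. The struct also uses `struct nf_hook_state` and `struct sk_buff` without forward declarations, relying on whatever the includer has already pulled in (btf.c includes this header before `<net/sock.h>`). Add a guard and the two forward declarations; the matching `#endif` goes at the end of the file, which is outside this hunk. A short comment on the two fields, stating that `state` is read-only hook state and `skb` the packet under evaluation as passed at the NF_HOOK() point, would also help program authors.
```c
/* SPDX-License-Identifier: GPL-2.0 */
#ifndef _NET_NETFILTER_NF_BPF_LINK_H
#define _NET_NETFILTER_NF_BPF_LINK_H

struct nf_hook_state;
struct sk_buff;

/* … unchanged: struct bpf_nf_ctx and bpf_nf_link_attach declarations … */

#endif /* _NET_NETFILTER_NF_BPF_LINK_H */
```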
+6 −0
@@ -25,6 +25,9 @@
#include <linux/bsearch.h>
#include <linux/kobject.h>
#include <linux/sysfs.h>

#include <net/netfilter/nf_bpf_link.h>

#include <net/sock.h>
#include "../tools/lib/bpf/relo_core.h"

@@ -212,6 +215,7 @@ enum btf_kfunc_hook {
	BTF_KFUNC_HOOK_SK_SKB,
	BTF_KFUNC_HOOK_SOCKET_FILTER,
	BTF_KFUNC_HOOK_LWT,
	BTF_KFUNC_HOOK_NETFILTER,
	BTF_KFUNC_HOOK_MAX,
};

@@ -7802,6 +7806,8 @@ static int bpf_prog_type_to_kfunc_hook(enum bpf_prog_type prog_type)
	case BPF_PROG_TYPE_LWT_XMIT:
	case BPF_PROG_TYPE_LWT_SEG6LOCAL:
		return BTF_KFUNC_HOOK_LWT;
	case BPF_PROG_TYPE_NETFILTER:
		return BTF_KFUNC_HOOK_NETFILTER;
	default:
		return BTF_KFUNC_HOOK_MAX;
	}
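Review bot: The new `#include <net/netfilter/nf_bpf_link.h>` in the first hunk is set off in its own paragraph between the linux/ includes and `<net/sock.h>` instead of being grouped with the other net/ header; kernel style keeps these in one sorted run, so `#include <net/netfilter/nf_bpf_link.h>` belongs directly above `#include <net/sock.h>` with the surrounding blank lines dropped. It would also help to record why btf.c needs the header at all — presumably so `struct bpf_nf_ctx` is a complete type when the BPF_PROG_TYPE entries from bpf_types.h are expanded in this file; a brief comment on the include, e.g. `/* struct bpf_nf_ctx, used by the BPF_PROG_TYPE_NETFILTER ctx table entry */`, saves the next reader the search. The enum and `bpf_prog_type_to_kfunc_hook` additions in the other two hunks are consistent with the neighbouring hooks.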
+3 −0
@@ -13816,6 +13816,9 @@ static int check_return_code(struct bpf_verifier_env *env)
		}
		break;
	case BPF_PROG_TYPE_NETFILTER:
		range = tnum_range(NF_DROP, NF_ACCEPT);
		break;
	case BPF_PROG_TYPE_EXT:
		/* freplace program can return anything as its return value
		 * depends on the to-be-replaced kernel func or bpf program.
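Review bot: The new `case BPF_PROG_TYPE_NETFILTER:` sets `range = tnum_range(NF_DROP, NF_ACCEPT);` without any comment on why the verdict space is cut down to those two values, while the adjacent BPF_PROG_TYPE_EXT case does explain its choice; the rationale currently lives only in the commit message. Suggested, above the `range =` line: `/* Only NF_DROP and NF_ACCEPT may be returned; NF_STOLEN, NF_QUEUE and NF_REPEAT presumably need skb ownership handling at the hook call site that this minimal support does not provide. */`. The check also depends on NF_DROP and NF_ACCEPT being adjacent integers (0 and 1 in the uapi), since `tnum_range` admits every value in between — worth a clause in the same comment so a future verdict renumbering is caught. check_return_code starts and ends outside this hunk.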
+1 −0
@@ -11717,6 +11717,7 @@ static int __init bpf_kfunc_init(void)
	ret = ret ?: register_btf_kfunc_id_set(BPF_PROG_TYPE_LWT_IN, &bpf_kfunc_set_skb);
	ret = ret ?: register_btf_kfunc_id_set(BPF_PROG_TYPE_LWT_XMIT, &bpf_kfunc_set_skb);
	ret = ret ?: register_btf_kfunc_id_set(BPF_PROG_TYPE_LWT_SEG6LOCAL, &bpf_kfunc_set_skb);
	ret = ret ?: register_btf_kfunc_id_set(BPF_PROG_TYPE_NETFILTER, &bpf_kfunc_set_skb);
	return ret ?: register_btf_kfunc_id_set(BPF_PROG_TYPE_XDP, &bpf_kfunc_set_xdp);
}
late_initcall(bpf_kfunc_init);
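Review bot: The added `register_btf_kfunc_id_set(BPF_PROG_TYPE_NETFILTER, &bpf_kfunc_set_skb)` grants netfilter programs the whole skb kfunc set shared with the LWT and other skb-based program types, and nothing in the hunk states that every member of that set has been checked for the NF_HOOK() context (the set's contents are not visible here). A one-line comment recording that assumption, e.g. `/* netfilter progs get the generic skb kfuncs; members must be safe at NF_HOOK() points */`, would make the review intent explicit. The registration is also unconditional while the program type itself is only declared under CONFIG_NETFILTER (bpf_types.h); this is harmless because the hook mapping in btf.c returns BTF_KFUNC_HOOK_NETFILTER regardless, but it is worth noting for consistency.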