Add header containing bpfilter structures definitions, for test purposes.

Co-developed-by: Dmitrii Banshchikov me@ubique.spb.ru Signed-off-by: Dmitrii Banshchikov me@ubique.spb.ru Signed-off-by: Quentin Deslandes qde@naccy.de --- tools/include/uapi/linux/bpfilter.h | 175 ++++++++++++++++++++++++++++ 1 file changed, 175 insertions(+) create mode 100644 tools/include/uapi/linux/bpfilter.h

diff --git a/tools/include/uapi/linux/bpfilter.h b/tools/include/uapi/linux/bpfilter.h new file mode 100644 index 000000000000..295fd9caa3c8 --- /dev/null +++ b/tools/include/uapi/linux/bpfilter.h @@ -0,0 +1,175 @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ +#ifndef _UAPI_LINUX_BPFILTER_H +#define _UAPI_LINUX_BPFILTER_H + +#include <linux/if.h> +#include <linux/const.h> + +#define BPFILTER_STANDARD_TARGET "" +#define BPFILTER_ERROR_TARGET "ERROR" + +enum { + BPFILTER_IPT_SO_SET_REPLACE = 64, + BPFILTER_IPT_SO_SET_ADD_COUNTERS = 65, + BPFILTER_IPT_SET_MAX, +}; + +enum { + BPFILTER_IPT_SO_GET_INFO = 64, + BPFILTER_IPT_SO_GET_ENTRIES = 65, + BPFILTER_IPT_SO_GET_REVISION_MATCH = 66, + BPFILTER_IPT_SO_GET_REVISION_TARGET = 67, + BPFILTER_IPT_GET_MAX, +}; + +enum { + BPFILTER_XT_TABLE_MAXNAMELEN = 32, + BPFILTER_FUNCTION_MAXNAMELEN = 30, + BPFILTER_EXTENSION_MAXNAMELEN = 29, +}; + +enum { + BPFILTER_NF_DROP = 0, + BPFILTER_NF_ACCEPT = 1, + BPFILTER_NF_STOLEN = 2, + BPFILTER_NF_QUEUE = 3, + BPFILTER_NF_REPEAT = 4, + BPFILTER_NF_STOP = 5, + BPFILTER_NF_MAX_VERDICT = BPFILTER_NF_STOP, + BPFILTER_RETURN = (-BPFILTER_NF_REPEAT - 1), +}; + +enum { + BPFILTER_INET_HOOK_PRE_ROUTING = 0, + BPFILTER_INET_HOOK_LOCAL_IN = 1, + BPFILTER_INET_HOOK_FORWARD = 2, + BPFILTER_INET_HOOK_LOCAL_OUT = 3, + BPFILTER_INET_HOOK_POST_ROUTING = 4, + BPFILTER_INET_HOOK_MAX, +}; + +enum { + BPFILTER_IPT_F_MASK = 0x03, + BPFILTER_IPT_INV_MASK = 0x7f +}; + +struct bpfilter_ipt_match { + union { + struct { + __u16 match_size; + char name[BPFILTER_EXTENSION_MAXNAMELEN]; + __u8 revision; + } user; + struct { + __u16 match_size; + void *match; + } kernel; + __u16 match_size; + } u; + unsigned char data[]; +}; + +struct bpfilter_ipt_target { + union { + struct { + __u16 target_size; + char name[BPFILTER_EXTENSION_MAXNAMELEN]; + __u8 revision; + } user; + struct { + __u16 target_size; + void *target; + } kernel; + __u16 target_size; + } u; + unsigned char data[]; +}; + +struct bpfilter_ipt_standard_target { + struct bpfilter_ipt_target target; + int verdict; +}; + +struct bpfilter_ipt_error_target { + struct bpfilter_ipt_target target; + char error_name[BPFILTER_FUNCTION_MAXNAMELEN]; +}; + +struct bpfilter_ipt_get_info { + char name[BPFILTER_XT_TABLE_MAXNAMELEN]; + __u32 valid_hooks; + __u32 hook_entry[BPFILTER_INET_HOOK_MAX]; + __u32 underflow[BPFILTER_INET_HOOK_MAX]; + __u32 num_entries; + __u32 size; +}; + +struct bpfilter_ipt_counters { + __u64 packet_cnt; + __u64 byte_cnt; +}; + +struct bpfilter_ipt_counters_info { + char name[BPFILTER_XT_TABLE_MAXNAMELEN]; + __u32 num_counters; + struct bpfilter_ipt_counters counters[]; +}; + +struct bpfilter_ipt_get_revision { + char name[BPFILTER_EXTENSION_MAXNAMELEN]; + __u8 revision; +}; + +struct bpfilter_ipt_ip { + __u32 src; + __u32 dst; + __u32 src_mask; + __u32 dst_mask; + char in_iface[IFNAMSIZ]; + char out_iface[IFNAMSIZ]; + __u8 in_iface_mask[IFNAMSIZ]; + __u8 out_iface_mask[IFNAMSIZ]; + __u16 protocol; + __u8 flags; + __u8 invflags; +}; + +struct bpfilter_ipt_entry { + struct bpfilter_ipt_ip ip; + __u32 bfcache; + __u16 target_offset; + __u16 next_offset; + __u32 comefrom; + struct bpfilter_ipt_counters counters; + __u8 elems[]; +}; + +struct bpfilter_ipt_standard_entry { + struct bpfilter_ipt_entry entry; + struct bpfilter_ipt_standard_target target; +}; + +struct bpfilter_ipt_error_entry { + struct bpfilter_ipt_entry entry; + struct bpfilter_ipt_error_target target; +}; + +struct bpfilter_ipt_get_entries { + char name[BPFILTER_XT_TABLE_MAXNAMELEN]; + __u32 size; + struct bpfilter_ipt_entry entries[]; +}; + +struct bpfilter_ipt_replace { + char name[BPFILTER_XT_TABLE_MAXNAMELEN]; + __u32 valid_hooks; + __u32 num_entries; + __u32 size; + __u32 hook_entry[BPFILTER_INET_HOOK_MAX]; + __u32 underflow[BPFILTER_INET_HOOK_MAX]; + __u32 num_counters; + struct bpfilter_ipt_counters *cntrs; + struct bpfilter_ipt_entry entries[]; +}; + +#endif /* _UAPI_LINUX_BPFILTER_H */

Introduce common code for an associative container. This common code will be used for maps of matches, targets, and tables. Hash search tables from libc are used as an index.

The supported sets of operations is: create, find, upsert, free.

Co-developed-by: Dmitrii Banshchikov me@ubique.spb.ru Signed-off-by: Dmitrii Banshchikov me@ubique.spb.ru Signed-off-by: Quentin Deslandes qde@naccy.de --- net/bpfilter/Makefile | 2 +- net/bpfilter/map-common.c | 51 +++++++++++++++ net/bpfilter/map-common.h | 19 ++++++ .../testing/selftests/bpf/bpfilter/.gitignore | 2 + tools/testing/selftests/bpf/bpfilter/Makefile | 19 ++++++ .../testing/selftests/bpf/bpfilter/test_map.c | 63 +++++++++++++++++++ 6 files changed, 155 insertions(+), 1 deletion(-) create mode 100644 net/bpfilter/map-common.c create mode 100644 net/bpfilter/map-common.h create mode 100644 tools/testing/selftests/bpf/bpfilter/.gitignore create mode 100644 tools/testing/selftests/bpf/bpfilter/Makefile create mode 100644 tools/testing/selftests/bpf/bpfilter/test_map.c

diff --git a/net/bpfilter/Makefile b/net/bpfilter/Makefile index 8d9c726ba1a5..1b0c399c19df 100644 --- a/net/bpfilter/Makefile +++ b/net/bpfilter/Makefile @@ -4,7 +4,7 @@ #

userprogs := bpfilter_umh -bpfilter_umh-objs := main.o logger.o +bpfilter_umh-objs := main.o logger.o map-common.o userccflags += -I $(srctree)/tools/include/ -I $(srctree)/tools/include/uapi

ifeq ($(CONFIG_BPFILTER_UMH), y) diff --git a/net/bpfilter/map-common.c b/net/bpfilter/map-common.c new file mode 100644 index 000000000000..cc6c3a59b315 --- /dev/null +++ b/net/bpfilter/map-common.c @@ -0,0 +1,51 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (c) 2021 Telegram FZ-LLC + * Copyright (c) 2022 Meta Platforms, Inc. and affiliates. + */ + +#include "map-common.h" + +#include <linux/err.h> + +#include <errno.h> +#include <string.h> + +int create_map(struct hsearch_data *htab, size_t nelem) +{ + memset(htab, 0, sizeof(*htab)); + if (!hcreate_r(nelem, htab)) + return -errno; + + return 0; +} + +void *map_find(struct hsearch_data *htab, const char *key) +{ + const ENTRY needle = { .key = (char *)key }; + ENTRY *found; + + if (!hsearch_r(needle, FIND, &found, htab)) + return ERR_PTR(-ENOENT); + + return found->data; +} + +int map_upsert(struct hsearch_data *htab, const char *key, void *value) +{ + const ENTRY needle = { .key = (char *)key, .data = value }; + ENTRY *found; + + if (!hsearch_r(needle, ENTER, &found, htab)) + return -errno; + + found->key = (char *)key; + found->data = value; + + return 0; +} + +void free_map(struct hsearch_data *htab) +{ + hdestroy_r(htab); +} diff --git a/net/bpfilter/map-common.h b/net/bpfilter/map-common.h new file mode 100644 index 000000000000..666a4ffe9b29 --- /dev/null +++ b/net/bpfilter/map-common.h @@ -0,0 +1,19 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Copyright (c) 2021 Telegram FZ-LLC + * Copyright (c) 2022 Meta Platforms, Inc. and affiliates. + */ + +#ifndef NET_BPFILTER_MAP_COMMON_H +#define NET_BPFILTER_MAP_COMMON_H + +#define _GNU_SOURCE + +#include <search.h> + +int create_map(struct hsearch_data *htab, size_t nelem); +void *map_find(struct hsearch_data *htab, const char *key); +int map_upsert(struct hsearch_data *htab, const char *key, void *value); +void free_map(struct hsearch_data *htab); + +#endif // NET_BPFILTER_MAP_COMMON_H diff --git a/tools/testing/selftests/bpf/bpfilter/.gitignore b/tools/testing/selftests/bpf/bpfilter/.gitignore new file mode 100644 index 000000000000..983fd06cbefa --- /dev/null +++ b/tools/testing/selftests/bpf/bpfilter/.gitignore @@ -0,0 +1,2 @@ +# SPDX-License-Identifier: GPL-2.0-only +test_map diff --git a/tools/testing/selftests/bpf/bpfilter/Makefile b/tools/testing/selftests/bpf/bpfilter/Makefile new file mode 100644 index 000000000000..c262aad8c2a4 --- /dev/null +++ b/tools/testing/selftests/bpf/bpfilter/Makefile @@ -0,0 +1,19 @@ +# SPDX-License-Identifier: GPL-2.0 + +top_srcdir = ../../../../.. +TOOLSDIR := $(abspath ../../../../) +TOOLSINCDIR := $(TOOLSDIR)/include +APIDIR := $(TOOLSINCDIR)/uapi +BPFILTERSRCDIR := $(top_srcdir)/net/bpfilter + +CFLAGS += -Wall -g -pthread -I$(TOOLSINCDIR) -I$(APIDIR) -I$(BPFILTERSRCDIR) + +TEST_GEN_PROGS += test_map + +KSFT_KHDR_INSTALL := 1 + +include ../../lib.mk + +BPFILTER_MAP_SRCS := $(BPFILTERSRCDIR)/map-common.c + +$(OUTPUT)/test_map: test_map.c $(BPFILTER_MAP_SRCS) diff --git a/tools/testing/selftests/bpf/bpfilter/test_map.c b/tools/testing/selftests/bpf/bpfilter/test_map.c new file mode 100644 index 000000000000..7ed737b78816 --- /dev/null +++ b/tools/testing/selftests/bpf/bpfilter/test_map.c @@ -0,0 +1,63 @@ +// SPDX-License-Identifier: GPL-2.0 + +#include "map-common.h" + +#include <linux/err.h> + +#include "../../kselftest_harness.h" + +FIXTURE(test_map) +{ + struct hsearch_data map; + const char *key; + void *expected; + void *actual; +}; + +FIXTURE_SETUP(test_map) +{ + const int max_nelements = 100; + + create_map(&self->map, max_nelements); + self->key = "key"; + self->expected = "expected"; + self->actual = "actual"; +} + +FIXTURE_TEARDOWN(test_map) +{ + free_map(&self->map); +} + +TEST_F(test_map, upsert_and_find) +{ + void *found; + + found = map_find(&self->map, self->key); + ASSERT_TRUE(IS_ERR(found)) + ASSERT_EQ(-ENOENT, PTR_ERR(found)) + + ASSERT_EQ(0, map_upsert(&self->map, self->key, self->expected)); + ASSERT_EQ(0, map_upsert(&self->map, self->key, self->expected)); + ASSERT_EQ(0, map_upsert(&self->map, self->key, self->actual)); + + found = map_find(&self->map, self->key); + + ASSERT_FALSE(IS_ERR(found)); + ASSERT_STREQ(self->actual, found); +} + +TEST_F(test_map, update) +{ + void *found; + + ASSERT_EQ(0, map_upsert(&self->map, self->key, self->actual)); + ASSERT_EQ(0, map_upsert(&self->map, self->key, self->expected)); + + found = map_find(&self->map, self->key); + + ASSERT_FALSE(IS_ERR(found)); + ASSERT_STREQ(self->expected, found); +} + +TEST_HARNESS_MAIN

Prepare codegen infrastructure to be used by matches, targets, rules, and tables.

struct codegen contains an array of struct bpf_insn representing the generated BPF program.

The current infrastructure allows for multiple BPF program flavours to be supported (TC, XDP...). Most of the logic will be shared, but each flavour will be able to define its own prologue and epilogue bytecode, as well as packet data access. Loading and unloading flow is also flavour-dependent.

Not all required information is known during generation. This commit introduces two bpfilter concepts to resolve this issue: - Fixup: placeholder to replace once code generation is complete. For example, fixup is used to jump to the next rule. The next rule's offset is only known once it has been generated. - Relocation: placeholder to replace before loading the BPF program. BPF maps are an example of features using relocation. Maps are created before the programs are loaded, so their FD is only known at that point in time.

Subprogs are required to support user-defined chains and helper subprograms. All already generated subprogs are stored in subprogs array. This sorted array acts as an index. All subprogs awaiting the generation phase are stored in awaiting_subprogs list.

struct shared_codegen is used to share data between various BPF programs created by BPF filter. The only currently supported shared data is the map containing the counters for each rule defined: a unique map shared between all the programs stores the counters for all the bpfilter programs.

Besides that, there is a runtime_context struct that might be used to store frequently required data such as the size of the packet and pointer to L3/L4 headers. This context is stored on the stack and there are macros to access individual fields of this struct. Immediately after runtime_context on stack, there is a scratchpad area.

The calling convention follows the BPF calling convention with a couple of additions: * CODEGEN_REG_CTX(BPF_REG_9) is a pointer to the program context * CODEGEN_REG_RUNTIME_CTX(BPF_REG_8) is a pointer to the runtime context

Co-developed-by: Dmitrii Banshchikov me@ubique.spb.ru Signed-off-by: Dmitrii Banshchikov me@ubique.spb.ru Signed-off-by: Quentin Deslandes qde@naccy.de --- net/bpfilter/Makefile | 12 +- net/bpfilter/codegen.c | 530 ++++++++++++++++++ net/bpfilter/codegen.h | 181 ++++++ .../testing/selftests/bpf/bpfilter/.gitignore | 1 + tools/testing/selftests/bpf/bpfilter/Makefile | 19 + 5 files changed, 742 insertions(+), 1 deletion(-) create mode 100644 net/bpfilter/codegen.c create mode 100644 net/bpfilter/codegen.h

diff --git a/net/bpfilter/Makefile b/net/bpfilter/Makefile index 9878f5fd8152..ac039f1fac34 100644 --- a/net/bpfilter/Makefile +++ b/net/bpfilter/Makefile @@ -3,11 +3,21 @@ # Makefile for the Linux BPFILTER layer. #

+LIBBPF_SRCS = $(srctree)/tools/lib/bpf/ +LIBBPF_A = $(obj)/libbpf.a +LIBBPF_OUT = $(abspath $(obj)) + +$(LIBBPF_A): + $(Q)$(MAKE) -C $(LIBBPF_SRCS) O=$(LIBBPF_OUT)/ OUTPUT=$(LIBBPF_OUT)/ $(LIBBPF_OUT)/libbpf.a + userprogs := bpfilter_umh bpfilter_umh-objs := main.o logger.o map-common.o -bpfilter_umh-objs += context.o +bpfilter_umh-objs += context.o codegen.o +bpfilter_umh-userldlibs := $(LIBBPF_A) -lelf -lz userccflags += -I $(srctree)/tools/include/ -I $(srctree)/tools/include/uapi

+$(obj)/bpfilter_umh: $(LIBBPF_A) + ifeq ($(CONFIG_BPFILTER_UMH), y) # builtin bpfilter_umh should be linked with -static # since rootfs isn't mounted at the time of __init diff --git a/net/bpfilter/codegen.c b/net/bpfilter/codegen.c new file mode 100644 index 000000000000..545bc7aeb77c --- /dev/null +++ b/net/bpfilter/codegen.c @@ -0,0 +1,530 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (c) 2021 Telegram FZ-LLC + * Copyright (c) 2022 Meta Platforms, Inc. and affiliates. + */ + +#include "codegen.h" + +#include "../../include/uapi/linux/bpfilter.h" + +#include <unistd.h> +#include <sys/syscall.h> + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> + +#include "logger.h" + +enum fixup_insn_type { + FIXUP_INSN_OFF, + FIXUP_INSN_IMM, + __MAX_FIXUP_INSN_TYPE +}; + +static int sys_bpf(int cmd, union bpf_attr *attr, unsigned int size) +{ + return syscall(SYS_bpf, cmd, attr, size); +} + +static __u64 bpf_ptr_to_u64(const void *ptr) +{ + return (__u64)(unsigned long)ptr; +} + +static int subprog_desc_comparator(const void *x, const void *y) +{ + const struct codegen_subprog_desc *subprog_x = *(const struct codegen_subprog_desc **)x; + const struct codegen_subprog_desc *subprog_y = *(const struct codegen_subprog_desc **)y; + + if (subprog_x->type != subprog_y->type) + return subprog_x->type - subprog_y->type; + + if (subprog_x->type == CODEGEN_SUBPROG_USER_CHAIN) + return subprog_x->offset - subprog_y->offset; + + BUG_ON(1); + + return -1; +} + +static const struct codegen_subprog_desc *codegen_find_subprog(struct codegen *codegen, + const struct codegen_subprog_desc **subprog) +{ + const struct codegen_subprog_desc **found; + + found = bsearch(subprog, codegen->subprogs, codegen->subprogs_cur, + sizeof(codegen->subprogs[0]), subprog_desc_comparator); + + return found ? *found : NULL; +} + +static const struct codegen_subprog_desc *codegen_find_user_chain_subprog(struct codegen *codegen, + uint32_t offset) +{ + const struct codegen_subprog_desc subprog = { + .type = CODEGEN_SUBPROG_USER_CHAIN, + .offset = offset + }; + const struct codegen_subprog_desc *subprog_ptr = &subprog; + + return codegen_find_subprog(codegen, &subprog_ptr); +} + +int codegen_push_awaiting_subprog(struct codegen *codegen, + struct codegen_subprog_desc *subprog) +{ + struct list_head *t, *n; + + if (codegen_find_subprog(codegen, (const struct codegen_subprog_desc **)&subprog)) { + free(subprog); + return 0; + } + + list_for_each_safe(t, n, &codegen->awaiting_subprogs) { + struct codegen_subprog_desc *awaiting_subprog; + + awaiting_subprog = list_entry(t, struct codegen_subprog_desc, list); + if (!subprog_desc_comparator(&awaiting_subprog, &subprog)) { + free(subprog); + return 0; + } + } + + list_add_tail(&subprog->list, &codegen->awaiting_subprogs); + + return 0; +} + +static int codegen_fixup_insn(struct bpf_insn *insn, enum fixup_insn_type type, + __s32 v) +{ + switch (type) { + case FIXUP_INSN_OFF: + if (insn->off) { + BFLOG_ERR("missing instruction offset"); + return -EINVAL; + } + + insn->off = v; + + return 0; + case FIXUP_INSN_IMM: + if (insn->imm) { + BFLOG_ERR("missing instruction immediate value"); + return -EINVAL; + } + + insn->imm = v; + + return 0; + default: + BFLOG_ERR("invalid fixup instruction type"); + return -EINVAL; + } +} + +int codegen_fixup(struct codegen *codegen, enum codegen_fixup_type fixup_type) +{ + struct list_head *t, *n; + + list_for_each_safe(t, n, &codegen->fixup) { + enum fixup_insn_type type = __MAX_FIXUP_INSN_TYPE; + struct codegen_fixup_desc *fixup; + struct bpf_insn *insn; + __s32 v; + int r; + + fixup = list_entry(t, struct codegen_fixup_desc, list); + if (fixup->type != fixup_type) + continue; + + if (fixup->type >= __MAX_CODEGEN_FIXUP_TYPE) { + BFLOG_ERR("invalid instruction fixup type: %d", + fixup->type); + return -EINVAL; + } + + if (fixup->insn > codegen->len_cur) { + BFLOG_ERR("invalid instruction fixup offset"); + return -EINVAL; + } + + insn = &codegen->img[fixup->insn]; + + if (fixup_type == CODEGEN_FIXUP_NEXT_RULE || + fixup_type == CODEGEN_FIXUP_END_OF_CHAIN) { + type = FIXUP_INSN_OFF; + v = codegen->len_cur - fixup->insn - 1; + } + + if (fixup_type == CODEGEN_FIXUP_JUMP_TO_CHAIN) { + const struct codegen_subprog_desc *subprog; + + subprog = codegen_find_user_chain_subprog(codegen, + fixup->offset); + if (!subprog) { + BFLOG_ERR("subprogram not found for offset %d", + fixup->offset); + return -EINVAL; + } + + type = FIXUP_INSN_OFF; + v = subprog->insn - fixup->insn - 1; + } + + if (fixup_type == CODEGEN_FIXUP_COUNTERS_INDEX) { + type = FIXUP_INSN_IMM; + BFLOG_DBG("fixup counter for rule %d", codegen->rule_index); + v = codegen->rule_index; + } + + r = codegen_fixup_insn(insn, type, v); + if (r) { + BFLOG_ERR("failed to fixup codegen instruction: %s", + STRERR(r)); + return r; + } + + list_del(t); + free(fixup); + } + + return 0; +} + +int emit_fixup(struct codegen *codegen, enum codegen_fixup_type fixup_type, + struct bpf_insn insn) +{ + struct codegen_fixup_desc *fixup; + + fixup = malloc(sizeof(*fixup)); + if (!fixup) { + BFLOG_ERR("out of memory"); + return -ENOMEM; + } + + INIT_LIST_HEAD(&fixup->list); + fixup->type = fixup_type; + fixup->insn = codegen->len_cur; + list_add_tail(&fixup->list, &codegen->fixup); + + EMIT(codegen, insn); + + return 0; +} + +int emit_add_counter(struct codegen *codegen) +{ + struct bpf_insn insns[2] = { BPF_LD_MAP_FD(BPF_REG_ARG1, 0) }; + struct codegen_reloc_desc *reloc; + + reloc = malloc(sizeof(*reloc)); + if (!reloc) { + BFLOG_ERR("out of memory"); + return -ENOMEM; + } + + INIT_LIST_HEAD(&reloc->list); + reloc->type = CODEGEN_RELOC_MAP; + reloc->map = CODEGEN_MAP_COUNTERS; + reloc->insn = codegen->len_cur; + list_add_tail(&reloc->list, &codegen->relocs); + + EMIT(codegen, insns[0]); + EMIT(codegen, insns[1]); + + EMIT_FIXUP(codegen, CODEGEN_FIXUP_COUNTERS_INDEX, + BPF_ST_MEM(BPF_W, BPF_REG_10, STACK_SCRATCHPAD_OFFSET - 4, 0)); + EMIT(codegen, BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_10)); + EMIT(codegen, + BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, STACK_SCRATCHPAD_OFFSET - 4)); + EMIT(codegen, BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem)); + EMIT(codegen, BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 14)); + + reloc = malloc(sizeof(*reloc)); + if (!reloc) { + BFLOG_ERR("out of memory"); + return -ENOMEM; + } + + INIT_LIST_HEAD(&reloc->list); + reloc->type = CODEGEN_RELOC_MAP; + reloc->map = CODEGEN_MAP_COUNTERS; + reloc->insn = codegen->len_cur; + list_add_tail(&reloc->list, &codegen->relocs); + + EMIT(codegen, insns[0]); + EMIT(codegen, insns[1]); + + EMIT(codegen, BPF_LDX_MEM(BPF_DW, CODEGEN_REG_SCRATCH5, BPF_REG_0, 0)); + EMIT(codegen, BPF_LDX_MEM(BPF_DW, CODEGEN_REG_SCRATCH4, BPF_REG_0, 8)); + EMIT(codegen, BPF_LDX_MEM(BPF_W, CODEGEN_REG_SCRATCH3, CODEGEN_REG_RUNTIME_CTX, + STACK_RUNTIME_CONTEXT_OFFSET(data_size))); + EMIT(codegen, BPF_ALU64_IMM(BPF_ADD, CODEGEN_REG_SCRATCH5, 1)); + EMIT(codegen, + BPF_ALU64_REG(BPF_ADD, CODEGEN_REG_SCRATCH4, CODEGEN_REG_SCRATCH3)); + EMIT(codegen, BPF_STX_MEM(BPF_DW, BPF_REG_0, CODEGEN_REG_SCRATCH5, 0)); + EMIT(codegen, BPF_STX_MEM(BPF_DW, BPF_REG_0, CODEGEN_REG_SCRATCH4, 8)); + EMIT(codegen, BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_10)); + EMIT(codegen, + BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, STACK_SCRATCHPAD_OFFSET - 4)); + EMIT(codegen, BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_0)); + EMIT(codegen, BPF_MOV32_IMM(BPF_REG_ARG4, BPF_EXIST)); + EMIT(codegen, BPF_EMIT_CALL(BPF_FUNC_map_update_elem)); + + return 0; +} + +static int codegen_reloc(struct codegen *codegen) +{ + struct shared_codegen *shared_codegen; + struct list_head *t; + + shared_codegen = codegen->shared_codegen; + + list_for_each(t, &codegen->relocs) { + struct codegen_reloc_desc *reloc; + struct bpf_insn *insn; + + reloc = list_entry(t, struct codegen_reloc_desc, list); + + if (reloc->insn >= codegen->len_cur) { + BFLOG_ERR("invalid instruction relocation offset"); + return -EINVAL; + } + + insn = &codegen->img[reloc->insn]; + + if (reloc->type == CODEGEN_RELOC_MAP) { + enum codegen_map_type map_type; + + if (codegen->len_cur <= reloc->insn + 1) { + BFLOG_ERR("invalid instruction relocation map offset"); + return -EINVAL; + } + + if (insn->code != (BPF_LD | BPF_DW | BPF_IMM)) { + BFLOG_ERR("invalid instruction relocation code %d", + insn->code); + return -EINVAL; + } + + map_type = insn->imm; + if (map_type < 0 || map_type >= __MAX_CODEGEN_MAP_TYPE) { + BFLOG_ERR("invalid instruction relocation map type: %d", + map_type); + return -EINVAL; + } + + BUG_ON(shared_codegen->maps_fd[map_type] < 0); + insn->imm = shared_codegen->maps_fd[map_type]; + + continue; + } + + BFLOG_ERR("invalid instruction relocation type %d", reloc->type); + return -EINVAL; + } + + return 0; +} + +static int load_maps(struct codegen *codegen) +{ + struct shared_codegen *shared_codegen; + int i; + + shared_codegen = codegen->shared_codegen; + + if (shared_codegen->maps_refcnt++) + return 0; + + for (i = 0; i < __MAX_CODEGEN_MAP_TYPE; ++i) { + int j; + int fd; + int saved_errno; + union bpf_attr *map; + + BUG_ON(shared_codegen->maps_fd[i] > -1); + + map = &shared_codegen->maps[i]; + fd = sys_bpf(BPF_MAP_CREATE, map, sizeof(*map)); + if (fd > -1) { + BFLOG_DBG("opened BPF map with FD %d", fd); + shared_codegen->maps_fd[i] = fd; + continue; + } + + BFLOG_ERR("bpf syscall failed during map creation: %s", + STRERR(fd)); + saved_errno = errno; + + for (j = 0; j < i; ++j) { + close(shared_codegen->maps_fd[j]); + shared_codegen->maps_fd[j] = -1; + } + + return saved_errno; + } + + return 0; +} + +static void unload_maps(struct codegen *codegen) +{ + struct shared_codegen *shared_codegen; + int i; + + shared_codegen = codegen->shared_codegen; + + if (--shared_codegen->maps_refcnt) + return; + + for (i = 0; i < __MAX_CODEGEN_MAP_TYPE; ++i) { + if (shared_codegen->maps_fd[i] > -1) { + close(shared_codegen->maps_fd[i]); + shared_codegen->maps_fd[i] = -1; + } + } +} + +void create_shared_codegen(struct shared_codegen *shared_codegen) +{ + shared_codegen->maps_refcnt = 0; + + shared_codegen->maps[CODEGEN_MAP_COUNTERS].map_type = + BPF_MAP_TYPE_PERCPU_ARRAY; + shared_codegen->maps[CODEGEN_MAP_COUNTERS].key_size = 4; + shared_codegen->maps[CODEGEN_MAP_COUNTERS].value_size = + sizeof(struct bpfilter_ipt_counters); + shared_codegen->maps[CODEGEN_MAP_COUNTERS].max_entries = 0; + snprintf(shared_codegen->maps[CODEGEN_MAP_COUNTERS].map_name, + sizeof(shared_codegen->maps[CODEGEN_MAP_COUNTERS].map_name), + "bpfilter_cntrs"); + shared_codegen->maps_fd[CODEGEN_MAP_COUNTERS] = -1; +} + +int create_codegen(struct codegen *codegen, enum bpf_prog_type type) +{ + int r; + + memset(codegen, 0, sizeof(*codegen)); + + switch (type) { + default: + BFLOG_ERR("unsupported BPF program type %d", type); + return -EINVAL; + } + + codegen->prog_type = type; + + codegen->log_buf_size = 1 << 20; + codegen->log_buf = malloc(codegen->log_buf_size); + if (!codegen->log_buf) { + BFLOG_ERR("out of memory"); + r = -ENOMEM; + goto err_free; + } + + codegen->len_max = BPF_MAXINSNS; + codegen->img = malloc(codegen->len_max * sizeof(codegen->img[0])); + if (!codegen->img) { + BFLOG_ERR("out of memory"); + r = -ENOMEM; + goto err_free; + } + + codegen->shared_codegen = NULL; + + INIT_LIST_HEAD(&codegen->fixup); + INIT_LIST_HEAD(&codegen->relocs); + INIT_LIST_HEAD(&codegen->awaiting_subprogs); + + return 0; + +err_free: + free(codegen->img); + + return r; +} + +int load_img(struct codegen *codegen) +{ + union bpf_attr attr = {}; + int fd; + int r; + + r = load_maps(codegen); + if (r) { + BFLOG_ERR("failed to load maps: %s", STRERR(r)); + return r; + } + + r = codegen_reloc(codegen); + if (r) { + BFLOG_ERR("failed to generate relocations: %s", STRERR(r)); + return r; + } + + attr.prog_type = codegen->prog_type; + attr.insns = bpf_ptr_to_u64(codegen->img); + attr.insn_cnt = codegen->len_cur; + attr.license = bpf_ptr_to_u64("GPL"); + attr.prog_ifindex = 0; + snprintf(attr.prog_name, sizeof(attr.prog_name), "bpfilter"); + + if (codegen->log_buf && codegen->log_buf_size) { + attr.log_buf = bpf_ptr_to_u64(codegen->log_buf); + attr.log_size = codegen->log_buf_size; + attr.log_level = 1; + } + + fd = sys_bpf(BPF_PROG_LOAD, &attr, sizeof(attr)); + if (fd == -1) { + BFLOG_ERR("failed to load BPF program: %s", codegen->log_buf); + return -errno; + } + + return fd; +} + +void unload_img(struct codegen *codegen) +{ + unload_maps(codegen); +} + +void free_codegen(struct codegen *codegen) +{ + struct list_head *t, *n; + int i; + + list_for_each_safe(t, n, &codegen->fixup) { + struct codegen_fixup_desc *fixup; + + fixup = list_entry(t, struct codegen_fixup_desc, list); + free(fixup); + } + + list_for_each_safe(t, n, &codegen->relocs) { + struct codegen_reloc_desc *reloc; + + reloc = list_entry(t, struct codegen_reloc_desc, list); + free(reloc); + } + + list_for_each_safe(t, n, &codegen->awaiting_subprogs) { + struct codegen_subprog_desc *subprog; + + subprog = list_entry(t, struct codegen_subprog_desc, list); + free(subprog); + } + + for (i = 0; i < codegen->subprogs_cur; ++i) + free(codegen->subprogs[i]); + free(codegen->subprogs); + + free(codegen->log_buf); + free(codegen->img); +} diff --git a/net/bpfilter/codegen.h b/net/bpfilter/codegen.h new file mode 100644 index 000000000000..cca45a13c4aa --- /dev/null +++ b/net/bpfilter/codegen.h @@ -0,0 +1,181 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Copyright (c) 2021 Telegram FZ-LLC + * Copyright (c) 2022 Meta Platforms, Inc. and affiliates. + */ + +#ifndef NET_BPFILTER_CODEGEN_H +#define NET_BPFILTER_CODEGEN_H + +#include <linux/bpf.h> +#include <linux/filter.h> +#include <linux/list.h> + +#include <bpf/libbpf.h> + +#include <errno.h> +#include <stddef.h> +#include <stdint.h> + +struct context; + +#define CODEGEN_REG_RETVAL BPF_REG_0 +#define CODEGEN_REG_SCRATCH1 BPF_REG_1 +#define CODEGEN_REG_SCRATCH2 BPF_REG_2 +#define CODEGEN_REG_SCRATCH3 BPF_REG_3 +#define CODEGEN_REG_SCRATCH4 BPF_REG_4 +#define CODEGEN_REG_SCRATCH5 BPF_REG_5 +#define CODEGEN_REG_DATA_END CODEGEN_REG_SCRATCH5 +#define CODEGEN_REG_L3 BPF_REG_6 +#define CODEGEN_REG_L4 BPF_REG_7 +#define CODEGEN_REG_RUNTIME_CTX BPF_REG_8 +#define CODEGEN_REG_CTX BPF_REG_9 + +#define EMIT(codegen, x) \ + do { \ + typeof(codegen) __codegen = codegen; \ + if ((__codegen)->len_cur + 1 > (__codegen)->len_max) \ + return -ENOMEM; \ + (__codegen)->img[codegen->len_cur++] = (x); \ + } while (0) + +#define EMIT_FIXUP(codegen, fixup_type, insn) \ + do { \ + const int __err = emit_fixup((codegen), (fixup_type), (insn)); \ + if (__err) \ + return __err; \ + } while (0) + +#define EMIT_ADD_COUNTER(codegen) \ + do { \ + const int __err = emit_add_counter(codegen); \ + if (__err) \ + return __err; \ + } while (0) + +#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ +#define EMIT_LITTLE_ENDIAN(codegen, x) EMIT(codegen, x) +#else +#define EMIT_LITTLE_ENDIAN(codegen, x) +#endif + +struct runtime_context { + uint32_t data_size; + void *l3; + void *l4; +}; + +#define STACK_RUNTIME_CONTEXT_OFFSET(field) \ + (-(short)(offsetof(struct runtime_context, field) + \ + sizeof(((struct runtime_context *)NULL)->field))) + +#define STACK_SCRATCHPAD_OFFSET (-(short)sizeof(struct runtime_context)) + +enum codegen_map_type { + CODEGEN_MAP_COUNTERS, + __MAX_CODEGEN_MAP_TYPE +}; + +enum codegen_fixup_type { + CODEGEN_FIXUP_NEXT_RULE, + CODEGEN_FIXUP_END_OF_CHAIN, + CODEGEN_FIXUP_JUMP_TO_CHAIN, + CODEGEN_FIXUP_COUNTERS_INDEX, + __MAX_CODEGEN_FIXUP_TYPE +}; + +struct codegen_fixup_desc { + struct list_head list; + enum codegen_fixup_type type; + uint32_t insn; + union { + uint32_t offset; + }; +}; + +enum codegen_reloc_type { + CODEGEN_RELOC_MAP, + __MAX_CODEGEN_RELOC_TYPE +}; + +struct codegen_reloc_desc { + struct list_head list; + enum codegen_reloc_type type; + uint32_t insn; + union { + struct { + enum codegen_map_type map; + // TODO: add BTF + }; + }; +}; + +enum codegen_subprog_type { + CODEGEN_SUBPROG_USER_CHAIN, +}; + +struct codegen_subprog_desc { + struct list_head list; + enum codegen_subprog_type type; + uint32_t insn; + union { + uint32_t offset; + }; +}; + +struct codegen_ops; +struct shared_codegen; + +struct codegen { + struct context *ctx; + struct bpf_insn *img; + char *log_buf; + size_t log_buf_size; + int iptables_hook; + union { + enum bpf_tc_attach_point bpf_tc_hook; + }; + enum bpf_prog_type prog_type; + uint32_t len_cur; + uint32_t len_max; + uint32_t rule_index; + const struct codegen_ops *codegen_ops; + struct shared_codegen *shared_codegen; + struct list_head fixup; + struct list_head relocs; + struct list_head awaiting_subprogs; + uint16_t subprogs_cur; + uint16_t subprogs_max; + struct codegen_subprog_desc **subprogs; + void *img_ctx; +}; + +struct shared_codegen { + int maps_refcnt; + union bpf_attr maps[__MAX_CODEGEN_MAP_TYPE]; + int maps_fd[__MAX_CODEGEN_MAP_TYPE]; +}; + +struct codegen_ops { + int (*gen_inline_prologue)(struct codegen *codegen); + int (*load_packet_data)(struct codegen *codegen, int dst_reg); + int (*load_packet_data_end)(struct codegen *codegen, int dst_reg); + int (*emit_ret_code)(struct codegen *codegen, int ret_code); + int (*gen_inline_epilogue)(struct codegen *codegen); + int (*load_img)(struct codegen *codegen); + void (*unload_img)(struct codegen *codegen); +}; + +void create_shared_codegen(struct shared_codegen *shared_codegen); +int create_codegen(struct codegen *codegen, enum bpf_prog_type type); +int codegen_push_awaiting_subprog(struct codegen *codegen, + struct codegen_subprog_desc *subprog); +int codegen_fixup(struct codegen *codegen, enum codegen_fixup_type fixup_type); +int emit_fixup(struct codegen *codegen, enum codegen_fixup_type fixup_type, + struct bpf_insn insn); +int emit_add_counter(struct codegen *codegen); +int load_img(struct codegen *codegen); +void unload_img(struct codegen *codegen); +void free_codegen(struct codegen *codegen); + +#endif // NET_BPFILTER_CODEGEN_H diff --git a/tools/testing/selftests/bpf/bpfilter/.gitignore b/tools/testing/selftests/bpf/bpfilter/.gitignore index 983fd06cbefa..39ec0c09dff4 100644 --- a/tools/testing/selftests/bpf/bpfilter/.gitignore +++ b/tools/testing/selftests/bpf/bpfilter/.gitignore @@ -1,2 +1,3 @@ # SPDX-License-Identifier: GPL-2.0-only +tools/** test_map diff --git a/tools/testing/selftests/bpf/bpfilter/Makefile b/tools/testing/selftests/bpf/bpfilter/Makefile index c262aad8c2a4..e3b8bf76a10c 100644 --- a/tools/testing/selftests/bpf/bpfilter/Makefile +++ b/tools/testing/selftests/bpf/bpfilter/Makefile @@ -5,6 +5,8 @@ TOOLSDIR := $(abspath ../../../../) TOOLSINCDIR := $(TOOLSDIR)/include APIDIR := $(TOOLSINCDIR)/uapi BPFILTERSRCDIR := $(top_srcdir)/net/bpfilter +LIBDIR := $(TOOLSDIR)/lib +BPFDIR := $(LIBDIR)/bpf

CFLAGS += -Wall -g -pthread -I$(TOOLSINCDIR) -I$(APIDIR) -I$(BPFILTERSRCDIR)

@@ -14,6 +16,23 @@ KSFT_KHDR_INSTALL := 1

include ../../lib.mk

+SCRATCH_DIR := $(OUTPUT)/tools +BUILD_DIR := $(SCRATCH_DIR)/build +BPFOBJ_DIR := $(BUILD_DIR)/libbpf +BPFOBJ := $(BPFOBJ_DIR)/libbpf.a + +MAKE_DIRS := $(BPFOBJ_DIR) +$(MAKE_DIRS): + $(call msg,MKDIR,,$@) + $(Q)mkdir -p $@ + +$(BPFOBJ): $(wildcard $(BPFDIR)/*.[ch] $(BPFDIR)/Makefile) \ + ../../../../include/uapi/linux/bpf.h \ + | $(INCLUDE_DIR) $(BUILD_DIR)/libbpf + $(Q)$(MAKE) $(submake_extras) -C $(BPFDIR) OUTPUT=$(BUILD_DIR)/libbpf/ \ + DESTDIR=$(SCRATCH_DIR) prefix= all install_headers + BPFILTER_MAP_SRCS := $(BPFILTERSRCDIR)/map-common.c +BPFILTER_CODEGEN_SRCS := $(BPFILTERSRCDIR)/codegen.c $(BPFOBJ) -lelf -lz

$(OUTPUT)/test_map: test_map.c $(BPFILTER_MAP_SRCS)

struct match_ops defines a polymorphic interface for matches. A match consists of pointers to struct match_ops and struct xt_entry_match which contains a payload for the match's type.

The match interface supports the following operations: - check: validate a rule's match. - gen_inline: generate eBPF bytecode for the match.

All match_ops structures are kept in a map by their name.

Co-developed-by: Dmitrii Banshchikov me@ubique.spb.ru Signed-off-by: Dmitrii Banshchikov me@ubique.spb.ru Signed-off-by: Quentin Deslandes qde@naccy.de --- net/bpfilter/Makefile | 1 + net/bpfilter/context.c | 43 ++++++++++++ net/bpfilter/context.h | 3 + net/bpfilter/match.c | 55 +++++++++++++++ net/bpfilter/match.h | 35 ++++++++++ .../testing/selftests/bpf/bpfilter/.gitignore | 1 + tools/testing/selftests/bpf/bpfilter/Makefile | 7 ++ .../selftests/bpf/bpfilter/bpfilter_util.h | 22 ++++++ .../selftests/bpf/bpfilter/test_match.c | 69 +++++++++++++++++++ 9 files changed, 236 insertions(+) create mode 100644 net/bpfilter/match.c create mode 100644 net/bpfilter/match.h create mode 100644 tools/testing/selftests/bpf/bpfilter/bpfilter_util.h create mode 100644 tools/testing/selftests/bpf/bpfilter/test_match.c

diff --git a/net/bpfilter/Makefile b/net/bpfilter/Makefile index ac039f1fac34..2f8d867a6038 100644 --- a/net/bpfilter/Makefile +++ b/net/bpfilter/Makefile @@ -13,6 +13,7 @@ $(LIBBPF_A): userprogs := bpfilter_umh bpfilter_umh-objs := main.o logger.o map-common.o bpfilter_umh-objs += context.o codegen.o +bpfilter_umh-objs += match.o bpfilter_umh-userldlibs := $(LIBBPF_A) -lelf -lz userccflags += -I $(srctree)/tools/include/ -I $(srctree)/tools/include/uapi

diff --git a/net/bpfilter/context.c b/net/bpfilter/context.c index fdfd5fe78424..b5e172412fab 100644 --- a/net/bpfilter/context.c +++ b/net/bpfilter/context.c @@ -8,11 +8,54 @@

#include "context.h"

+#include <linux/kernel.h> + +#include <string.h> + +#include "logger.h" +#include "map-common.h" +#include "match.h" + +static const struct match_ops *match_ops[] = { }; + +static int init_match_ops_map(struct context *ctx) +{ + int r; + + r = create_map(&ctx->match_ops_map, ARRAY_SIZE(match_ops)); + if (r) { + BFLOG_ERR("failed to create matches map: %s", STRERR(r)); + return r; + } + + for (int i = 0; i < ARRAY_SIZE(match_ops); ++i) { + const struct match_ops *m = match_ops[i]; + + r = map_upsert(&ctx->match_ops_map, m->name, (void *)m); + if (r) { + BFLOG_ERR("failed to upsert in matches map: %s", + STRERR(r)); + return r; + } + } + + return 0; +} + int create_context(struct context *ctx) { + int r; + + r = init_match_ops_map(ctx); + if (r) { + BFLOG_ERR("failed to initialize matches map: %s", STRERR(r)); + return r; + } + return 0; }

void free_context(struct context *ctx) { + free_map(&ctx->match_ops_map); } diff --git a/net/bpfilter/context.h b/net/bpfilter/context.h index df41b9707a81..e36aa8ebf57e 100644 --- a/net/bpfilter/context.h +++ b/net/bpfilter/context.h @@ -7,7 +7,10 @@ #ifndef NET_BPFILTER_CONTEXT_H #define NET_BPFILTER_CONTEXT_H

+#include <search.h> + struct context { + struct hsearch_data match_ops_map; };

int create_context(struct context *ctx); diff --git a/net/bpfilter/match.c b/net/bpfilter/match.c new file mode 100644 index 000000000000..fdb0926442a8 --- /dev/null +++ b/net/bpfilter/match.c @@ -0,0 +1,55 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (c) 2021 Telegram FZ-LLC + * Copyright (c) 2022 Meta Platforms, Inc. and affiliates. + */ + +#define _GNU_SOURCE + +#include "match.h" + +#include <linux/err.h> + +#include <errno.h> +#include <string.h> + +#include "context.h" +#include "logger.h" +#include "map-common.h" + +int init_match(struct context *ctx, const struct bpfilter_ipt_match *ipt_match, + struct match *match) +{ + const size_t maxlen = sizeof(ipt_match->u.user.name); + const struct match_ops *found; + int r; + + if (strnlen(ipt_match->u.user.name, maxlen) == maxlen) { + BFLOG_ERR("failed to init match: name too long"); + return -EINVAL; + } + + found = map_find(&ctx->match_ops_map, ipt_match->u.user.name); + if (IS_ERR(found)) { + BFLOG_ERR("failed to find match by name: '%s'", + ipt_match->u.user.name); + return PTR_ERR(found); + } + + if (found->size + sizeof(*ipt_match) != ipt_match->u.match_size || + found->revision != ipt_match->u.user.revision) { + BFLOG_ERR("invalid match: '%s'", ipt_match->u.user.name); + return -EINVAL; + } + + r = found->check(ctx, ipt_match); + if (r) { + BFLOG_ERR("match check failed: %s", STRERR(r)); + return r; + } + + match->match_ops = found; + match->ipt_match = ipt_match; + + return 0; +} diff --git a/net/bpfilter/match.h b/net/bpfilter/match.h new file mode 100644 index 000000000000..c6541e6a6567 --- /dev/null +++ b/net/bpfilter/match.h @@ -0,0 +1,35 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Copyright (c) 2021 Telegram FZ-LLC + * Copyright (c) 2022 Meta Platforms, Inc. and affiliates. + */ + +#ifndef NET_BPFILTER_MATCH_H +#define NET_BPFILTER_MATCH_H + +#include "../../include/uapi/linux/bpfilter.h" + +#include <stdint.h> + +struct bpfilter_ipt_match; +struct codegen; +struct context; +struct match; + +struct match_ops { + char name[BPFILTER_EXTENSION_MAXNAMELEN]; + uint8_t revision; + uint16_t size; + int (*check)(struct context *ctx, const struct bpfilter_ipt_match *ipt_match); + int (*gen_inline)(struct codegen *ctx, const struct match *match); +}; + +struct match { + const struct match_ops *match_ops; + const struct bpfilter_ipt_match *ipt_match; +}; + +int init_match(struct context *ctx, const struct bpfilter_ipt_match *ipt_match, + struct match *match); + +#endif // NET_BPFILTER_MATCH_H diff --git a/tools/testing/selftests/bpf/bpfilter/.gitignore b/tools/testing/selftests/bpf/bpfilter/.gitignore index 39ec0c09dff4..9ac1b3caf246 100644 --- a/tools/testing/selftests/bpf/bpfilter/.gitignore +++ b/tools/testing/selftests/bpf/bpfilter/.gitignore @@ -1,3 +1,4 @@ # SPDX-License-Identifier: GPL-2.0-only tools/** test_map +test_match diff --git a/tools/testing/selftests/bpf/bpfilter/Makefile b/tools/testing/selftests/bpf/bpfilter/Makefile index e3b8bf76a10c..10642c1d6a87 100644 --- a/tools/testing/selftests/bpf/bpfilter/Makefile +++ b/tools/testing/selftests/bpf/bpfilter/Makefile @@ -11,6 +11,7 @@ BPFDIR := $(LIBDIR)/bpf CFLAGS += -Wall -g -pthread -I$(TOOLSINCDIR) -I$(APIDIR) -I$(BPFILTERSRCDIR)

TEST_GEN_PROGS += test_map +TEST_GEN_PROGS += test_match

KSFT_KHDR_INSTALL := 1

@@ -34,5 +35,11 @@ $(BPFOBJ): $(wildcard $(BPFDIR)/*.[ch] $(BPFDIR)/Makefile) \

BPFILTER_MAP_SRCS := $(BPFILTERSRCDIR)/map-common.c BPFILTER_CODEGEN_SRCS := $(BPFILTERSRCDIR)/codegen.c $(BPFOBJ) -lelf -lz +BPFILTER_MATCH_SRCS := $(BPFILTERSRCDIR)/match.c + +BPFILTER_COMMON_SRCS := $(BPFILTER_MAP_SRCS) +BPFILTER_COMMON_SRCS += $(BPFILTERSRCDIR)/context.c $(BPFILTERSRCDIR)/logger.c +BPFILTER_COMMON_SRCS += $(BPFILTER_MATCH_SRCS)

$(OUTPUT)/test_map: test_map.c $(BPFILTER_MAP_SRCS) +$(OUTPUT)/test_match: test_match.c $(BPFILTER_COMMON_SRCS) diff --git a/tools/testing/selftests/bpf/bpfilter/bpfilter_util.h b/tools/testing/selftests/bpf/bpfilter/bpfilter_util.h new file mode 100644 index 000000000000..705fd1777a67 --- /dev/null +++ b/tools/testing/selftests/bpf/bpfilter/bpfilter_util.h @@ -0,0 +1,22 @@ +/* SPDX-License-Identifier: GPL-2.0 */ + +#ifndef BPFILTER_UTIL_H +#define BPFILTER_UTIL_H + +#include <linux/netfilter/x_tables.h> + +#include <stdio.h> +#include <stdint.h> +#include <string.h> + +static inline void init_entry_match(struct xt_entry_match *match, + uint16_t size, uint8_t revision, + const char *name) +{ + memset(match, 0, sizeof(*match)); + sprintf(match->u.user.name, "%s", name); + match->u.user.match_size = size; + match->u.user.revision = revision; +} + +#endif // BPFILTER_UTIL_H diff --git a/tools/testing/selftests/bpf/bpfilter/test_match.c b/tools/testing/selftests/bpf/bpfilter/test_match.c new file mode 100644 index 000000000000..4a0dc1b14e4d --- /dev/null +++ b/tools/testing/selftests/bpf/bpfilter/test_match.c @@ -0,0 +1,69 @@ +// SPDX-License-Identifier: GPL-2.0 + +#define _GNU_SOURCE + +#include <linux/netfilter/x_tables.h> +#include <linux/netfilter/xt_tcpudp.h> + +#include "../../kselftest_harness.h" + +#include "context.h" +#include "logger.h" +#include "match.h" + +#include "bpfilter_util.h" + +/** + * struct udp_match - Dummy test structure. + * + * This structure provides enough space to allow for name too long, so it + * doesn't overwrite anything. + */ +struct udp_match { + struct xt_entry_match ipt_match; + char placeholder[32]; +}; + +FIXTURE(test_match_init) +{ + struct context ctx; + struct udp_match udp_match; + struct match match; +}; + +FIXTURE_SETUP(test_match_init) +{ + logger_set_file(stderr); + ASSERT_EQ(0, create_context(&self->ctx)); +}; + +FIXTURE_TEARDOWN(test_match_init) +{ + free_context(&self->ctx); +} + +TEST_F(test_match_init, name_too_long) +{ + init_entry_match(&self->udp_match.ipt_match, sizeof(self->udp_match), 0, + "this match name is supposed to be way too long..."); + + ASSERT_EQ(init_match(&self->ctx, + (const struct bpfilter_ipt_match *)&self->udp_match + .ipt_match, + &self->match), + -EINVAL); +} + +TEST_F(test_match_init, not_found) +{ + init_entry_match(&self->udp_match.ipt_match, sizeof(self->udp_match), 0, + "doesn't exist"); + + ASSERT_EQ(init_match(&self->ctx, + (const struct bpfilter_ipt_match *)&self->udp_match + .ipt_match, + &self->match), + -ENOENT); +} + +TEST_HARNESS_MAIN

Add target structure, containing a pointer to a target_ops structure and a pointer to an xt_entry_target structure. The later containing the payload for the target's type.

target_ops structure provides two operations: - check: validates the target. - gen_inline: generate the eBPF bytecode for the target.

All target_ops are kept in a map by their name.

Co-developed-by: Dmitrii Banshchikov me@ubique.spb.ru Signed-off-by: Dmitrii Banshchikov me@ubique.spb.ru Signed-off-by: Quentin Deslandes qde@naccy.de --- net/bpfilter/Makefile | 2 +- net/bpfilter/context.c | 42 ++++ net/bpfilter/context.h | 1 + net/bpfilter/target.c | 203 ++++++++++++++++++ net/bpfilter/target.h | 57 +++++ .../testing/selftests/bpf/bpfilter/.gitignore | 1 + tools/testing/selftests/bpf/bpfilter/Makefile | 5 +- .../selftests/bpf/bpfilter/bpfilter_util.h | 23 ++ .../selftests/bpf/bpfilter/test_target.c | 83 +++++++ 9 files changed, 415 insertions(+), 2 deletions(-) create mode 100644 net/bpfilter/target.c create mode 100644 net/bpfilter/target.h create mode 100644 tools/testing/selftests/bpf/bpfilter/test_target.c

diff --git a/net/bpfilter/Makefile b/net/bpfilter/Makefile index 345341a9ee30..7e642e0ae932 100644 --- a/net/bpfilter/Makefile +++ b/net/bpfilter/Makefile @@ -13,7 +13,7 @@ $(LIBBPF_A): userprogs := bpfilter_umh bpfilter_umh-objs := main.o logger.o map-common.o bpfilter_umh-objs += context.o codegen.o -bpfilter_umh-objs += match.o xt_udp.o +bpfilter_umh-objs += match.o xt_udp.o target.o bpfilter_umh-userldlibs := $(LIBBPF_A) -lelf -lz userccflags += -I $(srctree)/tools/include/ -I $(srctree)/tools/include/uapi

diff --git a/net/bpfilter/context.c b/net/bpfilter/context.c index f420fb8b6507..ac07b678baa7 100644 --- a/net/bpfilter/context.c +++ b/net/bpfilter/context.c @@ -15,6 +15,7 @@ #include "logger.h" #include "map-common.h" #include "match.h" +#include "target.h"

static const struct match_ops *match_ops[] = { &xt_udp };

@@ -42,6 +43,35 @@ static int init_match_ops_map(struct context *ctx) return 0; }

+static const struct target_ops *target_ops[] = { + &standard_target_ops, + &error_target_ops +}; + +static int init_target_ops_map(struct context *ctx) +{ + int r; + + r = create_map(&ctx->target_ops_map, ARRAY_SIZE(target_ops)); + if (r) { + BFLOG_ERR("failed to create targets map: %s", STRERR(r)); + return r; + } + + for (int i = 0; i < ARRAY_SIZE(target_ops); ++i) { + const struct target_ops *t = target_ops[i]; + + r = map_upsert(&ctx->target_ops_map, t->name, (void *)t); + if (r) { + BFLOG_ERR("failed to upsert in targets map: %s", + STRERR(r)); + return r; + } + } + + return 0; +} + int create_context(struct context *ctx) { int r; @@ -52,10 +82,22 @@ int create_context(struct context *ctx) return r; }

+ r = init_target_ops_map(ctx); + if (r) { + BFLOG_ERR("failed to initialize targets map: %s", STRERR(r)); + goto err_free_match_ops_map; + } + return 0; + +err_free_match_ops_map: + free_map(&ctx->match_ops_map); + + return r; }

void free_context(struct context *ctx) { + free_map(&ctx->target_ops_map); free_map(&ctx->match_ops_map); } diff --git a/net/bpfilter/context.h b/net/bpfilter/context.h index e36aa8ebf57e..f9c34a9968b8 100644 --- a/net/bpfilter/context.h +++ b/net/bpfilter/context.h @@ -11,6 +11,7 @@

struct context { struct hsearch_data match_ops_map; + struct hsearch_data target_ops_map; };

int create_context(struct context *ctx); diff --git a/net/bpfilter/target.c b/net/bpfilter/target.c new file mode 100644 index 000000000000..a96ec7735c0e --- /dev/null +++ b/net/bpfilter/target.c @@ -0,0 +1,203 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (c) 2021 Telegram FZ-LLC + * Copyright (c) 2022 Meta Platforms, Inc. and affiliates. + */ + +#define _GNU_SOURCE + +#include "target.h" + +#include <linux/err.h> +#include <linux/filter.h> +#include <linux/list.h> +#include <linux/netfilter/x_tables.h> + +#include <errno.h> +#include <string.h> + +#include "codegen.h" +#include "context.h" +#include "logger.h" +#include "map-common.h" + +static const struct target_ops *target_ops_map_find(struct hsearch_data *map, + const char *name) +{ + const size_t len = strnlen(name, BPFILTER_EXTENSION_MAXNAMELEN); + + if (len < BPFILTER_EXTENSION_MAXNAMELEN) + return map_find(map, name); + + return ERR_PTR(-EINVAL); +} + +static int standard_target_check(struct context *ctx, + const struct bpfilter_ipt_target *ipt_target) +{ + const struct bpfilter_ipt_standard_target *standard_target; + + standard_target = (const struct bpfilter_ipt_standard_target *)ipt_target; + + // Positive values of verdict denote a jump offset into a blob. + if (standard_target->verdict > 0) + return 0; + + // Special values like ACCEPT, DROP, RETURN are encoded as negative values. + if (standard_target->verdict < 0) { + if (standard_target->verdict == BPFILTER_RETURN) + return 0; + + switch (convert_verdict(standard_target->verdict)) { + case BPFILTER_NF_ACCEPT: + case BPFILTER_NF_DROP: + case BPFILTER_NF_QUEUE: + return 0; + } + } + + BFLOG_ERR("unsupported verdict: %d", standard_target->verdict); + + return -EINVAL; +} + +static int standard_target_gen_inline(struct codegen *ctx, + const struct target *target) +{ + const struct bpfilter_ipt_standard_target *standard_target; + int r; + + standard_target = (const struct bpfilter_ipt_standard_target *)target->ipt_target; + + if (standard_target->verdict >= 0) { + struct codegen_subprog_desc *subprog; + struct codegen_fixup_desc *fixup; + + subprog = malloc(sizeof(*subprog)); + if (!subprog) { + BFLOG_ERR("out of memory"); + return -ENOMEM; + } + + INIT_LIST_HEAD(&subprog->list); + subprog->type = CODEGEN_SUBPROG_USER_CHAIN; + subprog->insn = 0; + subprog->offset = standard_target->verdict; + + fixup = malloc(sizeof(*fixup)); + if (!fixup) { + BFLOG_ERR("out of memory"); + free(subprog); + return -ENOMEM; + } + + INIT_LIST_HEAD(&fixup->list); + fixup->type = CODEGEN_FIXUP_JUMP_TO_CHAIN; + fixup->insn = ctx->len_cur; + fixup->offset = standard_target->verdict; + + list_add_tail(&fixup->list, &ctx->fixup); + + r = codegen_push_awaiting_subprog(ctx, subprog); + if (r) { + BFLOG_ERR("failed to push awaiting subprog: %s", + STRERR(r)); + return r; + } + + EMIT(ctx, BPF_JMP_IMM(BPF_JA, 0, 0, 0)); + + return 0; + } + + if (standard_target->verdict == BPFILTER_RETURN) { + EMIT(ctx, BPF_EXIT_INSN()); + return 0; + } + + r = ctx->codegen_ops->emit_ret_code(ctx, convert_verdict(standard_target->verdict)); + if (r) { + BFLOG_ERR("failed to emit return code: %s", STRERR(r)); + return r; + } + + EMIT(ctx, BPF_EXIT_INSN()); + + return 0; +} + +const struct target_ops standard_target_ops = { + .name = "", + .revision = 0, + .size = sizeof(struct xt_standard_target), + .check = standard_target_check, + .gen_inline = standard_target_gen_inline, +}; + +static int error_target_check(struct context *ctx, + const struct bpfilter_ipt_target *ipt_target) +{ + const struct bpfilter_ipt_error_target *error_target; + size_t maxlen; + + error_target = (const struct bpfilter_ipt_error_target *)ipt_target; + maxlen = sizeof(error_target->error_name); + if (strnlen(error_target->error_name, maxlen) == maxlen) { + BFLOG_ERR("failed to check error target: too long errorname"); + return -EINVAL; + } + + return 0; +} + +static int error_target_gen_inline(struct codegen *ctx, + const struct target *target) +{ + return -EINVAL; +} + +const struct target_ops error_target_ops = { + .name = "ERROR", + .revision = 0, + .size = sizeof(struct xt_error_target), + .check = error_target_check, + .gen_inline = error_target_gen_inline, +}; + +int init_target(struct context *ctx, + const struct bpfilter_ipt_target *ipt_target, + struct target *target) +{ + const size_t maxlen = sizeof(ipt_target->u.user.name); + const struct target_ops *found; + int r; + + if (strnlen(ipt_target->u.user.name, maxlen) == maxlen) { + BFLOG_ERR("cannot init target: too long target name '%s'", + ipt_target->u.user.name); + return -EINVAL; + } + + found = target_ops_map_find(&ctx->target_ops_map, + ipt_target->u.user.name); + if (IS_ERR(found)) { + BFLOG_ERR("cannot find target by name '%s' in map", + ipt_target->u.user.name); + return PTR_ERR(found); + } + + if (found->size != ipt_target->u.target_size || + found->revision != ipt_target->u.user.revision) { + BFLOG_ERR("invalid target size: '%s'", ipt_target->u.user.name); + return -EINVAL; + } + + r = found->check(ctx, ipt_target); + if (r) + return r; + + target->target_ops = found; + target->ipt_target = ipt_target; + + return 0; +} diff --git a/net/bpfilter/target.h b/net/bpfilter/target.h new file mode 100644 index 000000000000..57bae658b6a2 --- /dev/null +++ b/net/bpfilter/target.h @@ -0,0 +1,57 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Copyright (c) 2021 Telegram FZ-LLC + * Copyright (c) 2022 Meta Platforms, Inc. and affiliates. + */ + +#ifndef NET_BPFILTER_TARGET_H +#define NET_BPFILTER_TARGET_H + +#include "../../include/uapi/linux/bpfilter.h" + +#include <stdint.h> + +struct codegen; +struct context; +struct target; +struct target_ops_map; + +struct target_ops { + char name[BPFILTER_EXTENSION_MAXNAMELEN]; + uint8_t revision; + uint16_t size; + int (*check)(struct context *ctx, + const struct bpfilter_ipt_target *ipt_target); + int (*gen_inline)(struct codegen *ctx, const struct target *target); +}; + +struct target { + const struct target_ops *target_ops; + const struct bpfilter_ipt_target *ipt_target; +}; + +extern const struct target_ops standard_target_ops; +extern const struct target_ops error_target_ops; + +/* Restore verdict's special value(ACCEPT, DROP, etc.) from its negative + * representation. + */ +static inline int convert_verdict(int verdict) +{ + return -verdict - 1; +} + +static inline int standard_target_verdict(const struct bpfilter_ipt_target *ipt_target) +{ + const struct bpfilter_ipt_standard_target *standard_target; + + standard_target = (const struct bpfilter_ipt_standard_target *)ipt_target; + + return standard_target->verdict; +} + +int init_target(struct context *ctx, + const struct bpfilter_ipt_target *ipt_target, + struct target *target); + +#endif // NET_BPFILTER_TARGET_H diff --git a/tools/testing/selftests/bpf/bpfilter/.gitignore b/tools/testing/selftests/bpf/bpfilter/.gitignore index f84cc86493df..89912a44109f 100644 --- a/tools/testing/selftests/bpf/bpfilter/.gitignore +++ b/tools/testing/selftests/bpf/bpfilter/.gitignore @@ -3,3 +3,4 @@ tools/** test_map test_match test_xt_udp +test_target diff --git a/tools/testing/selftests/bpf/bpfilter/Makefile b/tools/testing/selftests/bpf/bpfilter/Makefile index 97f8d596de36..587951d14c0c 100644 --- a/tools/testing/selftests/bpf/bpfilter/Makefile +++ b/tools/testing/selftests/bpf/bpfilter/Makefile @@ -13,6 +13,7 @@ CFLAGS += -Wall -g -pthread -I$(TOOLSINCDIR) -I$(APIDIR) -I$(BPFILTERSRCDIR) TEST_GEN_PROGS += test_map TEST_GEN_PROGS += test_match TEST_GEN_PROGS += test_xt_udp +TEST_GEN_PROGS += test_target

KSFT_KHDR_INSTALL := 1

@@ -37,11 +38,13 @@ $(BPFOBJ): $(wildcard $(BPFDIR)/*.[ch] $(BPFDIR)/Makefile) \ BPFILTER_MAP_SRCS := $(BPFILTERSRCDIR)/map-common.c BPFILTER_CODEGEN_SRCS := $(BPFILTERSRCDIR)/codegen.c $(BPFOBJ) -lelf -lz BPFILTER_MATCH_SRCS := $(BPFILTERSRCDIR)/match.c $(BPFILTERSRCDIR)/xt_udp.c +BPFILTER_TARGET_SRCS := $(BPFILTERSRCDIR)/target.c

BPFILTER_COMMON_SRCS := $(BPFILTER_MAP_SRCS) $(BPFILTER_CODEGEN_SRCS) BPFILTER_COMMON_SRCS += $(BPFILTERSRCDIR)/context.c $(BPFILTERSRCDIR)/logger.c -BPFILTER_COMMON_SRCS += $(BPFILTER_MATCH_SRCS) +BPFILTER_COMMON_SRCS += $(BPFILTER_MATCH_SRCS) $(BPFILTER_TARGET_SRCS)

$(OUTPUT)/test_map: test_map.c $(BPFILTER_MAP_SRCS) $(OUTPUT)/test_match: test_match.c $(BPFILTER_COMMON_SRCS) $(OUTPUT)/test_xt_udp: test_xt_udp.c $(BPFILTER_COMMON_SRCS) +$(OUTPUT)/test_target: test_target.c $(BPFILTER_COMMON_SRCS) diff --git a/tools/testing/selftests/bpf/bpfilter/bpfilter_util.h b/tools/testing/selftests/bpf/bpfilter/bpfilter_util.h index 705fd1777a67..0d6a6bee5514 100644 --- a/tools/testing/selftests/bpf/bpfilter/bpfilter_util.h +++ b/tools/testing/selftests/bpf/bpfilter/bpfilter_util.h @@ -19,4 +19,27 @@ static inline void init_entry_match(struct xt_entry_match *match, match->u.user.revision = revision; }

+static inline void init_standard_target(struct xt_standard_target *ipt_target, + int revision, int verdict) +{ + snprintf(ipt_target->target.u.user.name, + sizeof(ipt_target->target.u.user.name), "%s", + BPFILTER_STANDARD_TARGET); + ipt_target->target.u.user.revision = revision; + ipt_target->target.u.user.target_size = sizeof(*ipt_target); + ipt_target->verdict = verdict; +} + +static inline void init_error_target(struct xt_error_target *ipt_target, + int revision, const char *error_name) +{ + snprintf(ipt_target->target.u.user.name, + sizeof(ipt_target->target.u.user.name), "%s", + BPFILTER_ERROR_TARGET); + ipt_target->target.u.user.revision = revision; + ipt_target->target.u.user.target_size = sizeof(*ipt_target); + snprintf(ipt_target->errorname, sizeof(ipt_target->errorname), "%s", + error_name); +} + #endif // BPFILTER_UTIL_H diff --git a/tools/testing/selftests/bpf/bpfilter/test_target.c b/tools/testing/selftests/bpf/bpfilter/test_target.c new file mode 100644 index 000000000000..0ebe4b052a9b --- /dev/null +++ b/tools/testing/selftests/bpf/bpfilter/test_target.c @@ -0,0 +1,83 @@ +// SPDX-License-Identifier: GPL-2.0 + +#define _GNU_SOURCE + +#include <linux/bpfilter.h> +#include <linux/netfilter/x_tables.h> + +#include "../../kselftest_harness.h" + +#include "context.h" +#include "logger.h" +#include "target.h" + +#include "bpfilter_util.h" + +FIXTURE(test_standard_target) +{ + struct context ctx; + struct xt_standard_target ipt_target; + struct target target; +}; + +FIXTURE_VARIANT(test_standard_target) +{ + int verdict; +}; + +FIXTURE_VARIANT_ADD(test_standard_target, accept) { + .verdict = -BPFILTER_NF_ACCEPT - 1, +}; + +FIXTURE_VARIANT_ADD(test_standard_target, drop) { + .verdict = -BPFILTER_NF_DROP - 1, +}; + +FIXTURE_SETUP(test_standard_target) +{ + logger_set_file(stderr); + ASSERT_EQ(0, create_context(&self->ctx)); + + memset(&self->ipt_target, 0, sizeof(self->ipt_target)); + init_standard_target(&self->ipt_target, 0, variant->verdict); +} + +FIXTURE_TEARDOWN(test_standard_target) +{ + free_context(&self->ctx); +} + +TEST_F(test_standard_target, init) +{ + ASSERT_EQ(0, init_target(&self->ctx, (const struct bpfilter_ipt_target *)&self->ipt_target, + &self->target)); +} + +FIXTURE(test_error_target) +{ + struct context ctx; + struct xt_error_target ipt_target; + struct target target; +}; + +FIXTURE_SETUP(test_error_target) +{ + logger_set_file(stderr); + ASSERT_EQ(0, create_context(&self->ctx)); + + memset(&self->ipt_target, 0, sizeof(self->ipt_target)); + init_error_target(&self->ipt_target, 0, "x"); +} + +FIXTURE_TEARDOWN(test_error_target) +{ + free_context(&self->ctx); +} + +TEST_F(test_error_target, init) +{ + ASSERT_EQ(0, init_target(&self->ctx, (const struct bpfilter_ipt_target *)&self->ipt_target, + &self->target)); +} + +TEST_HARNESS_MAIN

The table_ops structure describes a set of operations for an individual table type.

Tables support the following set of operations: - create: create an instance of a table from an ipt_replace blob. - codegen: generate eBPF bytecode for a table. - install: load BPF maps, progs, and attach them. - uninstall: detach loaded BPF maps and progs, and unload them. - free: free all resources used by a table.

Each table keeps an instance of iptables' table blob and an array of rules for this blob. The array of rules provides a more convenient way to interact with the blob's entries, while having a copy of the blob will ease communication with iptables.

All tables created are stored in a map, used for lookups. Also, all tables are linked into a list to ease cleanup.

Co-developed-by: Dmitrii Banshchikov me@ubique.spb.ru Signed-off-by: Dmitrii Banshchikov me@ubique.spb.ru Signed-off-by: Quentin Deslandes qde@naccy.de --- net/bpfilter/Makefile | 2 +- net/bpfilter/context.c | 64 +++ net/bpfilter/context.h | 4 + net/bpfilter/table.c | 391 ++++++++++++++++++ net/bpfilter/table.h | 59 +++ tools/testing/selftests/bpf/bpfilter/Makefile | 2 +- 6 files changed, 520 insertions(+), 2 deletions(-) create mode 100644 net/bpfilter/table.c create mode 100644 net/bpfilter/table.h

diff --git a/net/bpfilter/Makefile b/net/bpfilter/Makefile index 759fb6c847d1..9f5b46c70a41 100644 --- a/net/bpfilter/Makefile +++ b/net/bpfilter/Makefile @@ -13,7 +13,7 @@ $(LIBBPF_A): userprogs := bpfilter_umh bpfilter_umh-objs := main.o logger.o map-common.o bpfilter_umh-objs += context.o codegen.o -bpfilter_umh-objs += match.o xt_udp.o target.o rule.o +bpfilter_umh-objs += match.o xt_udp.o target.o rule.o table.o bpfilter_umh-userldlibs := $(LIBBPF_A) -lelf -lz userccflags += -I $(srctree)/tools/include/ -I $(srctree)/tools/include/uapi

diff --git a/net/bpfilter/context.c b/net/bpfilter/context.c index ac07b678baa7..81c9751a2a2d 100644 --- a/net/bpfilter/context.c +++ b/net/bpfilter/context.c @@ -9,6 +9,7 @@ #include "context.h"

#include <linux/kernel.h> +#include <linux/list.h>

#include <string.h>

@@ -72,6 +73,39 @@ static int init_target_ops_map(struct context *ctx) return 0; }

+static const struct table_ops *table_ops[] = {}; + +static int init_table_ops_map(struct context *ctx) +{ + int r; + + r = create_map(&ctx->table_ops_map, ARRAY_SIZE(table_ops)); + if (r) { + BFLOG_ERR("failed to create tables map: %s", STRERR(r)); + return r; + } + + for (int i = 0; i < ARRAY_SIZE(table_ops); ++i) { + const struct table_ops *t = table_ops[i]; + + r = map_upsert(&ctx->table_ops_map, t->name, (void *)t); + if (r) { + BFLOG_ERR("failed to upsert in tables map: %s", + STRERR(r)); + return r; + } + } + + return 0; +} + +static int init_table_index(struct context *ctx) +{ + INIT_LIST_HEAD(&ctx->table_index.list); + + return create_map(&ctx->table_index.map, ARRAY_SIZE(table_ops)); +} + int create_context(struct context *ctx) { int r; @@ -88,8 +122,26 @@ int create_context(struct context *ctx) goto err_free_match_ops_map; }

+ r = init_table_ops_map(ctx); + if (r) { + BFLOG_ERR("failed to initialize tables map: %s", STRERR(r)); + goto err_free_target_ops_map; + } + + r = init_table_index(ctx); + if (r) { + BFLOG_ERR("failed to initialize tables index: %s", STRERR(r)); + goto err_free_table_ops_map; + } + return 0;

+err_free_table_ops_map: + free_map(&ctx->table_ops_map); + +err_free_target_ops_map: + free_map(&ctx->target_ops_map); + err_free_match_ops_map: free_map(&ctx->match_ops_map);

@@ -98,6 +150,18 @@ int create_context(struct context *ctx)

void free_context(struct context *ctx) { + struct list_head *t; + struct list_head *n; + + list_for_each_safe(t, n, &ctx->table_index.list) { + struct table *table; + + table = list_entry(t, struct table, list); + table->table_ops->uninstall(ctx, table); + table->table_ops->free(table); + } + free_map(&ctx->table_index.map); + free_map(&ctx->table_ops_map); free_map(&ctx->target_ops_map); free_map(&ctx->match_ops_map); } diff --git a/net/bpfilter/context.h b/net/bpfilter/context.h index f9c34a9968b8..b0e91e37d057 100644 --- a/net/bpfilter/context.h +++ b/net/bpfilter/context.h @@ -9,9 +9,13 @@

#include <search.h>

+#include "table.h" + struct context { struct hsearch_data match_ops_map; struct hsearch_data target_ops_map; + struct hsearch_data table_ops_map; + struct table_index table_index; };

int create_context(struct context *ctx); diff --git a/net/bpfilter/table.c b/net/bpfilter/table.c new file mode 100644 index 000000000000..4094c82c31de --- /dev/null +++ b/net/bpfilter/table.c @@ -0,0 +1,391 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (c) 2021 Telegram FZ-LLC + * Copyright (c) 2022 Meta Platforms, Inc. and affiliates. + */ + +#define _GNU_SOURCE + +#include "table.h" + +#include <linux/err.h> +#include <linux/list.h> + +#include <errno.h> +#include <stdbool.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> + +#include "context.h" +#include "logger.h" +#include "rule.h" + +static int rule_offset_comparator(const void *x, const void *y) +{ + const struct rule *rule = y; + + return x - (const void *)rule->ipt_entry; +} + +static bool table_has_hook(const struct table *table, uint32_t hook) +{ + BUG_ON(hook >= BPFILTER_INET_HOOK_MAX); + + return table->valid_hooks & (1 << hook); +} + +static int table_init_rules(struct context *ctx, struct table *table, + const struct bpfilter_ipt_replace *ipt_replace) +{ + uint32_t offset; + + table->entries = malloc(table->size); + if (!table->entries) { + BFLOG_ERR("out of memory"); + return -ENOMEM; + } + + memcpy(table->entries, ipt_replace->entries, table->size); + + table->rules = calloc(table->num_rules, sizeof(table->rules[0])); + if (!table->rules) { + BFLOG_ERR("out of memory"); + return -ENOMEM; + } + + offset = 0; + for (int i = 0; i < table->num_rules; ++i) { + const struct bpfilter_ipt_entry *ipt_entry; + int r; + + if (table->size < offset + sizeof(*ipt_entry)) { + BFLOG_ERR("invalid table size: %d", table->size); + return -EINVAL; + } + + ipt_entry = table->entries + offset; + + if ((uintptr_t)ipt_entry % __alignof__(struct bpfilter_ipt_entry)) { + BFLOG_ERR("invalid alignment for struct ipt_entry"); + return -EINVAL; + } + + if (table->size < offset + ipt_entry->next_offset) { + BFLOG_ERR("invalid table size: %d", table->size); + return -EINVAL; + } + + r = init_rule(ctx, ipt_entry, &table->rules[i]); + if (r) { + BFLOG_ERR("failed to initialize rule: %s", + STRERR(r)); + return r; + } + + table->rules[i].ipt_entry = ipt_entry; + offset += ipt_entry->next_offset; + } + + if (offset != ipt_replace->size) { + BFLOG_ERR("invalid final offset: %d", offset); + return -EINVAL; + } + + if (table->num_rules != ipt_replace->num_entries) { + BFLOG_ERR("mismatch in number of rules: got %d, expected %d", + table->num_rules, ipt_replace->num_entries); + return -EINVAL; + } + + return 0; +} + +static int table_check_hooks(const struct table *table) +{ + uint32_t max_rule_front, max_rule_last; + bool check = false; + + for (int i = 0; i < BPFILTER_INET_HOOK_MAX; ++i) { + if (!table_has_hook(table, i)) + continue; + + if (check) { + if (table->hook_entry[i] <= max_rule_front) { + BFLOG_ERR("invalid hook entry"); + return -EINVAL; + } + + if (table->underflow[i] <= max_rule_last) { + BFLOG_ERR("invalid underflow entry"); + return -EINVAL; + } + } + + max_rule_front = table->hook_entry[i]; + max_rule_last = table->underflow[i]; + check = true; + } + + return 0; +} + +static int table_init_hooks(struct table *table, + const struct bpfilter_ipt_replace *ipt_replace) +{ + for (int i = 0; i < BPFILTER_INET_HOOK_MAX; ++i) { + struct rule *rule_front; + struct rule *rule_last; + int verdict; + + if (!table_has_hook(table, i)) + continue; + + rule_front = table_find_rule_by_offset(table, ipt_replace->hook_entry[i]); + rule_last = table_find_rule_by_offset(table, ipt_replace->underflow[i]); + + if (!rule_front || !rule_last) { + BFLOG_ERR("expected a first and last rule"); + return -EINVAL; + } + + if (!rule_is_unconditional(rule_last)) { + BFLOG_ERR("expected unconditional rule"); + return -EINVAL; + } + + if (!rule_has_standard_target(rule_last)) { + BFLOG_ERR("expected rule for a standard target"); + return -EINVAL; + } + + verdict = standard_target_verdict(rule_last->target.ipt_target); + if (verdict >= 0) { + BFLOG_ERR("expected a valid standard target verdict: %d", + verdict); + return -EINVAL; + } + + verdict = convert_verdict(verdict); + + if (verdict != BPFILTER_NF_DROP && verdict != BPFILTER_NF_ACCEPT) { + BFLOG_ERR("verdict must be either NF_DROP or NF_ACCEPT"); + return -EINVAL; + } + + table->hook_entry[i] = rule_front - table->rules; + table->underflow[i] = rule_last - table->rules; + } + + return table_check_hooks(table); +} + +static struct rule *next_rule(const struct table *table, struct rule *rule) +{ + const uint32_t i = rule - table->rules; + + if (table->num_rules <= i + 1) { + BFLOG_ERR("rule index is out of range"); + return ERR_PTR(-EINVAL); + } + + ++rule; + rule->came_from = i; + + return rule; +} + +static struct rule *backtrack_rule(const struct table *table, struct rule *rule) +{ + uint32_t i = rule - table->rules; + int prev_i; + + do { + rule->hook_mask ^= (1 << BPFILTER_INET_HOOK_MAX); + prev_i = i; + i = rule->came_from; + rule->came_from = 0; + + if (i == prev_i) + return NULL; + + rule = &table->rules[i]; + } while (prev_i == i + 1); + + return next_rule(table, rule); +} + +static int table_check_chain(struct table *table, uint32_t hook, + struct rule *rule) +{ + uint32_t i = rule - table->rules; + + rule->came_from = i; + + for (;;) { + bool visited; + int verdict; + + if (!rule) + return 0; + + if (IS_ERR(rule)) + return PTR_ERR(rule); + + i = rule - table->rules; + + if (table->num_rules <= i) { + BFLOG_ERR("rule index is out of range: %d", i); + return -EINVAL; + } + + if (rule->hook_mask & (1 << BPFILTER_INET_HOOK_MAX)) { + BFLOG_ERR("hook index out of range"); + return -EINVAL; + } + + // already visited + visited = rule->hook_mask & (1 << hook); + rule->hook_mask |= (1 << hook) | (1 << BPFILTER_INET_HOOK_MAX); + + if (visited) { + rule = backtrack_rule(table, rule); + continue; + } + + if (!rule_has_standard_target(rule)) { + rule = next_rule(table, rule); + continue; + } + + verdict = standard_target_verdict(rule->target.ipt_target); + if (verdict > 0) { + rule = table_find_rule_by_offset(table, verdict); + if (!rule) { + BFLOG_ERR("failed to find rule by offset"); + return -EINVAL; + } + + rule->came_from = i; + continue; + } + + if (!rule_is_unconditional(rule)) { + rule = next_rule(table, rule); + continue; + } + + rule = backtrack_rule(table, rule); + } + + return 0; +} + +static int table_check_chains(struct table *table) +{ + int r = 0; + + for (int i = 0, r = 0; !r && i < BPFILTER_INET_HOOK_MAX; ++i) { + if (table_has_hook(table, i)) + r = table_check_chain(table, i, &table->rules[table->hook_entry[i]]); + } + + return r; +} + +struct table *create_table(struct context *ctx, + const struct bpfilter_ipt_replace *ipt_replace) +{ + struct table *table; + int r; + + table = calloc(1, sizeof(*table)); + if (!table) { + BFLOG_ERR("out of memory"); + return ERR_PTR(-ENOMEM); + } + + INIT_LIST_HEAD(&table->list); + table->valid_hooks = ipt_replace->valid_hooks; + table->num_rules = ipt_replace->num_entries; + table->num_counters = ipt_replace->num_counters; + table->size = ipt_replace->size; + + r = table_init_rules(ctx, table, ipt_replace); + if (r) { + BFLOG_ERR("failed to initialise table rules: %s", STRERR(r)); + goto err_free; + } + + r = table_init_hooks(table, ipt_replace); + if (r) { + BFLOG_ERR("failed to initialise table hooks: %s", STRERR(r)); + goto err_free; + } + + r = table_check_chains(table); + if (r) { + BFLOG_ERR("failed to check table chains: %s", STRERR(r)); + goto err_free; + } + + return table; + +err_free: + free_table(table); + + return ERR_PTR(r); +} + +struct rule *table_find_rule_by_offset(const struct table *table, + uint32_t offset) +{ + const struct bpfilter_ipt_entry *key; + + key = table->entries + offset; + + return bsearch(key, table->rules, table->num_rules, + sizeof(table->rules[0]), rule_offset_comparator); +} + +void table_get_info(const struct table *table, + struct bpfilter_ipt_get_info *info) +{ + snprintf(info->name, sizeof(info->name), "%s", table->table_ops->name); + info->valid_hooks = table->valid_hooks; + + for (int i = 0; i < BPFILTER_INET_HOOK_MAX; ++i) { + const struct rule *rule_front, *rule_last; + + if (!table_has_hook(table, i)) { + info->hook_entry[i] = 0; + info->underflow[i] = 0; + continue; + } + + rule_front = &table->rules[table->hook_entry[i]]; + rule_last = &table->rules[table->underflow[i]]; + info->hook_entry[i] = (const void *)rule_front->ipt_entry - table->entries; + info->underflow[i] = (const void *)rule_last->ipt_entry - table->entries; + } + + info->num_entries = table->num_rules; + info->size = table->size; +} + +void free_table(struct table *table) +{ + if (!table) + return; + + list_del(&table->list); + + if (table->rules) { + for (int i = 0; i < table->num_rules; ++i) + free_rule(&table->rules[i]); + free(table->rules); + } + + free(table->entries); + free(table); +} diff --git a/net/bpfilter/table.h b/net/bpfilter/table.h new file mode 100644 index 000000000000..d683005e1755 --- /dev/null +++ b/net/bpfilter/table.h @@ -0,0 +1,59 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Copyright (c) 2021 Telegram FZ-LLC + * Copyright (c) 2022 Meta Platforms, Inc. and affiliates. + */ + +#ifndef NET_BPFILTER_TABLE_H +#define NET_BPFILTER_TABLE_H + +#include "../../include/uapi/linux/bpfilter.h" + +#include <linux/types.h> + +#include <search.h> +#include <stdint.h> + +struct context; +struct rule; +struct table; + +struct table_ops { + char name[BPFILTER_XT_TABLE_MAXNAMELEN]; + struct table *(*create)(struct context *ctx, + const struct bpfilter_ipt_replace *ipt_replace); + int (*codegen)(struct context *ctx, struct table *table); + int (*install)(struct context *ctx, struct table *table); + void (*uninstall)(struct context *ctx, struct table *table); + void (*free)(struct table *table); + void (*update_counters)(struct table *table); +}; + +struct table { + const struct table_ops *table_ops; + uint32_t valid_hooks; + uint32_t num_rules; + uint32_t num_counters; + uint32_t size; + uint32_t hook_entry[BPFILTER_INET_HOOK_MAX]; + uint32_t underflow[BPFILTER_INET_HOOK_MAX]; + struct rule *rules; + void *entries; + void *ctx; + struct list_head list; +}; + +struct table_index { + struct hsearch_data map; + struct list_head list; +}; + +struct table *create_table(struct context *ctx, + const struct bpfilter_ipt_replace *ipt_replace); +struct rule *table_find_rule_by_offset(const struct table *table, + uint32_t offset); +void table_get_info(const struct table *table, + struct bpfilter_ipt_get_info *info); +void free_table(struct table *table); + +#endif // NET_BPFILTER_TABLE_H diff --git a/tools/testing/selftests/bpf/bpfilter/Makefile b/tools/testing/selftests/bpf/bpfilter/Makefile index 4ef52bfe2d21..53634699d427 100644 --- a/tools/testing/selftests/bpf/bpfilter/Makefile +++ b/tools/testing/selftests/bpf/bpfilter/Makefile @@ -45,7 +45,7 @@ BPFILTER_RULE_SRCS := $(BPFILTERSRCDIR)/rule.c BPFILTER_COMMON_SRCS := $(BPFILTER_MAP_SRCS) $(BPFILTER_CODEGEN_SRCS) BPFILTER_COMMON_SRCS += $(BPFILTERSRCDIR)/context.c $(BPFILTERSRCDIR)/logger.c BPFILTER_COMMON_SRCS += $(BPFILTER_MATCH_SRCS) $(BPFILTER_TARGET_SRCS) -BPFILTER_COMMON_SRCS += $(BPFILTER_RULE_SRCS) +BPFILTER_COMMON_SRCS += $(BPFILTER_RULE_SRCS) $(BPFILTERSRCDIR)/table.c

$(OUTPUT)/test_map: test_map.c $(BPFILTER_MAP_SRCS) $(OUTPUT)/test_match: test_match.c $(BPFILTER_COMMON_SRCS)

Add support of iptables' setsockopt(2). The parameters of a setsockopt(2) call are passed by struct mbox_request which contains a type of the setsockopt(2) call and its memory buffer description. The supplied memory buffer is read-written by process_vm_readv(2)/process_vm_writev(2).

Co-developed-by: Dmitrii Banshchikov me@ubique.spb.ru Signed-off-by: Dmitrii Banshchikov me@ubique.spb.ru Signed-off-by: Quentin Deslandes qde@naccy.de --- net/bpfilter/Makefile | 1 + net/bpfilter/sockopt.c | 533 +++++++++++++++++++++++++++++++++++++++++ net/bpfilter/sockopt.h | 15 ++ 3 files changed, 549 insertions(+) create mode 100644 net/bpfilter/sockopt.c create mode 100644 net/bpfilter/sockopt.h

diff --git a/net/bpfilter/Makefile b/net/bpfilter/Makefile index 9f5b46c70a41..4a78a665b3f1 100644 --- a/net/bpfilter/Makefile +++ b/net/bpfilter/Makefile @@ -14,6 +14,7 @@ userprogs := bpfilter_umh bpfilter_umh-objs := main.o logger.o map-common.o bpfilter_umh-objs += context.o codegen.o bpfilter_umh-objs += match.o xt_udp.o target.o rule.o table.o +bpfilter_umh-objs += sockopt.o bpfilter_umh-userldlibs := $(LIBBPF_A) -lelf -lz userccflags += -I $(srctree)/tools/include/ -I $(srctree)/tools/include/uapi

diff --git a/net/bpfilter/sockopt.c b/net/bpfilter/sockopt.c new file mode 100644 index 000000000000..15de8e6ee31c --- /dev/null +++ b/net/bpfilter/sockopt.c @@ -0,0 +1,533 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (c) 2021 Telegram FZ-LLC + * Copyright (c) 2022 Meta Platforms, Inc. and affiliates. + */ + +#define _GNU_SOURCE + +#include "sockopt.h" + +#include <linux/err.h> +#include <linux/list.h> +#include <linux/netfilter/x_tables.h> + +#include <sys/types.h> +#include <sys/uio.h> + +#include <errno.h> +#include <limits.h> +#include <stdlib.h> +#include <string.h> + +#include "context.h" +#include "logger.h" +#include "map-common.h" +#include "match.h" +#include "msgfmt.h" +#include "table.h" + +static int pvm_read(pid_t pid, void *to, const void *from, size_t count) +{ + ssize_t total_bytes; + const struct iovec l_iov = { + .iov_base = to, + .iov_len = count + }; + const struct iovec r_iov = { + .iov_base = (void *)from, + .iov_len = count + }; + + total_bytes = process_vm_readv(pid, &l_iov, 1, &r_iov, 1, 0); + if (total_bytes == -1) { + BFLOG_ERR("failed to read from PID %d: %s", pid, STRERR(errno)); + return -errno; + } + + if (total_bytes != count) { + BFLOG_ERR("invalid amount a data transferred: %ld bytes, %ld expected", + total_bytes, count); + return -EFAULT; + } + + return 0; +} + +static int pvm_read_from_offset(pid_t pid, void *to, const void *from, + size_t offset, size_t count) +{ + return pvm_read(pid, to + offset, from + offset, count); +} + +static int pvm_write(pid_t pid, void *to, const void *from, size_t count) +{ + ssize_t total_bytes; + const struct iovec l_iov = { + .iov_base = (void *)from, + .iov_len = count + }; + const struct iovec r_iov = { + .iov_base = to, + .iov_len = count + }; + + total_bytes = process_vm_writev(pid, &l_iov, 1, &r_iov, 1, 0); + if (total_bytes == -1) { + BFLOG_ERR("failed to write to PID %d: %s", pid, STRERR(errno)); + return -errno; + } + + if (total_bytes != count) { + BFLOG_ERR("invalid amount a data transferred: %ld bytes, %ld expected", + total_bytes, count); + return -EFAULT; + } + + return 0; +} + +static int read_ipt_get_info(const struct mbox_request *req, + struct bpfilter_ipt_get_info *info) +{ + int r; + + if (req->len != sizeof(*info)) { + BFLOG_ERR("invalid request size: %d", req->len); + return -EINVAL; + } + + r = pvm_read(req->pid, info, (const void *)req->addr, sizeof(*info)); + if (r) { + BFLOG_ERR("failed to read from PID %d", req->pid); + return r; + } + + info->name[sizeof(info->name) - 1] = '\0'; + + return 0; +} + +static int sockopt_get_info(struct context *ctx, const struct mbox_request *req) +{ + struct bpfilter_ipt_get_info info; + struct table *table; + int r; + + if (req->len != sizeof(info)) { + BFLOG_ERR("invalid request size: %d", req->len); + return -EINVAL; + } + + r = read_ipt_get_info(req, &info); + if (r) { + BFLOG_ERR("failed to read struct ipt_get_info : %s", STRERR(r)); + return r; + } + + table = map_find(&ctx->table_index.map, info.name); + if (IS_ERR(table)) { + BFLOG_ERR("cannot find table '%s' in map", info.name); + return -ENOENT; + } + + table_get_info(table, &info); + + return pvm_write(req->pid, (void *)req->addr, &info, sizeof(info)); +} + +static int read_ipt_get_entries(const struct mbox_request *req, + struct bpfilter_ipt_get_entries *entries) +{ + int r; + + if (req->len < sizeof(*entries)) { + BFLOG_ERR("invalid request size: %d", req->len); + return -EINVAL; + } + + r = pvm_read(req->pid, entries, (const void *)req->addr, + sizeof(*entries)); + if (r) { + BFLOG_ERR("failed to read from PID %d", req->pid); + return r; + } + + entries->name[sizeof(entries->name) - 1] = '\0'; + + return 0; +} + +static int sockopt_get_entries(struct context *ctx, + const struct mbox_request *req) +{ + struct bpfilter_ipt_get_entries get_entries; + struct bpfilter_ipt_get_entries *entries; + struct table *table; + int r; + + r = read_ipt_get_entries(req, &get_entries); + if (r) { + BFLOG_ERR("failed to read struct ipt_get_entries: %s", + STRERR(r)); + return r; + } + + table = map_find(&ctx->table_index.map, get_entries.name); + if (IS_ERR(table)) { + BFLOG_ERR("cannot find table '%s' in map", get_entries.name); + return -ENOENT; + } + + if (get_entries.size != table->size) { + BFLOG_ERR("table '%s' get entries size mismatch", + get_entries.name); + return -EINVAL; + } + + entries = (struct bpfilter_ipt_get_entries *)req->addr; + + table->table_ops->update_counters(table); + + r = pvm_write(req->pid, entries->name, table->table_ops->name, + sizeof(entries->name)); + if (r) { + BFLOG_ERR("failed to write to PID %d", req->pid); + return r; + } + + r = pvm_write(req->pid, &entries->size, &table->size, + sizeof(table->size)); + if (r) { + BFLOG_ERR("failed to write to PID %d", req->pid); + return r; + } + + return pvm_write(req->pid, entries->entries, table->entries, table->size); +} + +static int read_ipt_get_revision(const struct mbox_request *req, + struct bpfilter_ipt_get_revision *revision) +{ + int r; + + if (req->len != sizeof(*revision)) { + BFLOG_ERR("invalid request size: %d", req->len); + return -EINVAL; + } + + r = pvm_read(req->pid, revision, (const void *)req->addr, + sizeof(*revision)); + if (r) { + BFLOG_ERR("failed to read to PID %d", req->pid); + return r; + } + + revision->name[sizeof(revision->name) - 1] = '\0'; + + return 0; +} + +static int sockopt_get_revision_match(struct context *ctx, + const struct mbox_request *req) +{ + struct bpfilter_ipt_get_revision get_revision; + const struct match_ops *found; + int r; + + r = read_ipt_get_revision(req, &get_revision); + if (r) { + BFLOG_ERR("failed to read struct ipt_get_revision: %s", STRERR(r)); + return r; + } + + found = map_find(&ctx->match_ops_map, get_revision.name); + if (IS_ERR(found)) { + BFLOG_ERR("cannot find match '%s' in map", get_revision.name); + return PTR_ERR(found); + } + + return found->revision; +} + +static int sockopt_get_revision_target(struct context *ctx, + const struct mbox_request *req) +{ + struct bpfilter_ipt_get_revision get_revision; + const struct match_ops *found; + int r; + + r = read_ipt_get_revision(req, &get_revision); + if (r) { + BFLOG_ERR("failed to read struct ipt_get_revision: %s", + STRERR(r)); + return r; + } + + found = map_find(&ctx->target_ops_map, get_revision.name); + if (IS_ERR(found)) { + BFLOG_ERR("cannot find target '%s' in map", get_revision.name); + return PTR_ERR(found); + } + + return found->revision; +} + +static struct bpfilter_ipt_replace *read_ipt_replace(struct context *ctx, + const struct mbox_request *req) +{ + struct bpfilter_ipt_replace ipt_header; + struct bpfilter_ipt_replace *ipt_replace; + int r; + + if (req->len < sizeof(ipt_header)) { + BFLOG_ERR("invalid request size: %d", req->len); + return ERR_PTR(-EINVAL); + } + + r = pvm_read(req->pid, &ipt_header, (const void *)req->addr, + sizeof(ipt_header)); + if (r) { + BFLOG_ERR("failed to read from PID %d: %s", req->pid, + STRERR(r)); + return ERR_PTR(r); + } + + if (ipt_header.num_counters == 0) { + BFLOG_ERR("no counter defined in struct ipt_header"); + return ERR_PTR(-EINVAL); + } + + if (ipt_header.num_counters >= INT_MAX / sizeof(struct bpfilter_ipt_counters)) { + BFLOG_ERR("too many counters defined: %u", + ipt_header.num_counters); + return ERR_PTR(-ENOMEM); + } + + ipt_header.name[sizeof(ipt_header.name) - 1] = '\0'; + + ipt_replace = malloc(sizeof(ipt_header) + ipt_header.size); + if (!ipt_replace) { + BFLOG_ERR("out of memory"); + return ERR_PTR(-ENOMEM); + } + + memcpy(ipt_replace, &ipt_header, sizeof(ipt_header)); + + r = pvm_read_from_offset(req->pid, ipt_replace, (const void *)req->addr, + sizeof(ipt_header), ipt_header.size); + if (r) { + free(ipt_replace); + BFLOG_ERR("failed to read from PID %u at offset %lu: %s", + req->pid, sizeof(ipt_header), STRERR(r)); + return ERR_PTR(r); + } + + return ipt_replace; +} + +static int sockopt_set_replace(struct context *ctx, + const struct mbox_request *req) +{ + struct bpfilter_ipt_replace *ipt_replace; + struct table *table; + struct table *new_table = NULL; + struct table_ops *table_ops; + int r; + + ipt_replace = read_ipt_replace(ctx, req); + if (IS_ERR(ipt_replace)) { + BFLOG_ERR("failed to read struct ipt_replace: %s", + STRERR(PTR_ERR(ipt_replace))); + return PTR_ERR(ipt_replace); + } + + table_ops = map_find(&ctx->table_ops_map, ipt_replace->name); + if (IS_ERR(table_ops)) { + r = PTR_ERR(table_ops); + BFLOG_ERR("cannot find table_ops '%s' in map", ipt_replace->name); + goto cleanup; + } + + new_table = table_ops->create(ctx, ipt_replace); + if (IS_ERR(new_table)) { + r = PTR_ERR(table_ops); + BFLOG_ERR("failed to create table '%s'", ipt_replace->name); + goto cleanup; + } + + r = new_table->table_ops->codegen(ctx, new_table); + if (r) { + BFLOG_ERR("failed to generate code for table '%s'", + ipt_replace->name); + goto cleanup; + } + + table = map_find(&ctx->table_index.map, ipt_replace->name); + if (IS_ERR(table) && PTR_ERR(table) == -ENOENT) + table = NULL; + + if (IS_ERR(table)) { + r = PTR_ERR(table); + BFLOG_ERR("cannot find table '%s' in map", ipt_replace->name); + goto cleanup; + } + + if (table) + table->table_ops->uninstall(ctx, table); + + r = new_table->table_ops->install(ctx, new_table); + if (r) { + BFLOG_ERR("failed to install new table '%s': %s", + ipt_replace->name, STRERR(r)); + if (table) { + int r2 = table->table_ops->install(ctx, table); + + if (r2) + BFLOG_EMERG("failed to restore old table '%s': %s", + table->table_ops->name, + STRERR(r2)); + } + + goto cleanup; + } + + r = map_upsert(&ctx->table_index.map, new_table->table_ops->name, + new_table); + if (r) { + BFLOG_ERR("failed to upsert table map for '%s': %s", + new_table->table_ops->name, STRERR(r)); + goto cleanup; + } + + list_add_tail(&new_table->list, &ctx->table_index.list); + + new_table = table; + +cleanup: + if (!IS_ERR_OR_NULL(new_table)) + new_table->table_ops->free(new_table); + + free(ipt_replace); + + return r; +} + +static struct bpfilter_ipt_counters_info *read_ipt_counters_info(const struct mbox_request *req) +{ + struct bpfilter_ipt_counters_info *info; + size_t size; + int r; + + if (req->len < sizeof(*info)) { + BFLOG_ERR("invalid request size: %d", req->len); + return ERR_PTR(-EINVAL); + } + + info = malloc(req->len); + if (!info) { + BFLOG_ERR("out of memory"); + return ERR_PTR(-ENOMEM); + } + + r = pvm_read(req->pid, info, (const void *)req->addr, sizeof(*info)); + if (r) { + BFLOG_ERR("failed to read from PID %d", req->pid); + goto err_free; + } + + size = info->num_counters * sizeof(info->counters[0]); + if (req->len != sizeof(*info) + size) { + BFLOG_ERR("not enough space to return counters"); + r = -EINVAL; + goto err_free; + } + + info->name[sizeof(info->name) - 1] = '\0'; + + r = pvm_read_from_offset(req->pid, info, (const void *)req->addr, + sizeof(*info), size); + if (r) { + BFLOG_ERR("failed to read from PID %u at offset %lu: %s", + req->pid, sizeof(*info), STRERR(r)); + goto err_free; + } + + return info; + +err_free: + free(info); + + return ERR_PTR(r); +} + +static int sockopt_set_add_counters(struct context *ctx, + const struct mbox_request *req) +{ + struct bpfilter_ipt_counters_info *info; + struct table *table; + int r = 0; + + info = read_ipt_counters_info(req); + if (IS_ERR(info)) { + r = PTR_ERR(info); + BFLOG_ERR("failed to read struct ipt_counters_info: %s", + STRERR(r)); + goto err_free; + } + + table = map_find(&ctx->table_index.map, info->name); + if (IS_ERR(table)) { + r = PTR_ERR(table); + BFLOG_ERR("cannot find table '%s' in map", info->name); + goto err_free; + } + + // TODO handle counters + +err_free: + free(info); + + return r; +} + +static int handle_get_request(struct context *ctx, + const struct mbox_request *req) +{ + switch (req->cmd) { + case 0: + return 0; + case BPFILTER_IPT_SO_GET_INFO: + return sockopt_get_info(ctx, req); + case BPFILTER_IPT_SO_GET_ENTRIES: + return sockopt_get_entries(ctx, req); + case BPFILTER_IPT_SO_GET_REVISION_MATCH: + return sockopt_get_revision_match(ctx, req); + case BPFILTER_IPT_SO_GET_REVISION_TARGET: + return sockopt_get_revision_target(ctx, req); + } + + BFLOG_ERR("unsupported SO_GET command: %d", req->cmd); + return -ENOPROTOOPT; +} + +static int handle_set_request(struct context *ctx, + const struct mbox_request *req) +{ + switch (req->cmd) { + case BPFILTER_IPT_SO_SET_REPLACE: + return sockopt_set_replace(ctx, req); + case BPFILTER_IPT_SO_SET_ADD_COUNTERS: + return sockopt_set_add_counters(ctx, req); + } + + BFLOG_ERR("unsupported SO_SET command: %d", req->cmd); + return -ENOPROTOOPT; +} + +int handle_sockopt_request(struct context *ctx, + const struct mbox_request *req) +{ + return req->is_set ? handle_set_request(ctx, req) : + handle_get_request(ctx, req); +} diff --git a/net/bpfilter/sockopt.h b/net/bpfilter/sockopt.h new file mode 100644 index 000000000000..faf0502959b3 --- /dev/null +++ b/net/bpfilter/sockopt.h @@ -0,0 +1,15 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Copyright (c) 2021 Telegram FZ-LLC + * Copyright (c) 2022 Meta Platforms, Inc. and affiliates. + */ + +#ifndef NET_BPFILTER_SOCKOPT_H +#define NET_BPFILTER_SOCKOPT_H + +struct context; +struct mbox_request; + +int handle_sockopt_request(struct context *ctx, const struct mbox_request *req); + +#endif // NET_BPFILTER_SOCKOPT_H

Use earlier introduced infrastructure and handle setsockopt(2) calls.

Co-developed-by: Dmitrii Banshchikov me@ubique.spb.ru Signed-off-by: Dmitrii Banshchikov me@ubique.spb.ru Signed-off-by: Quentin Deslandes qde@naccy.de --- net/bpfilter/main.c | 132 ++++++++++++++++++++++++++++++-------------- 1 file changed, 90 insertions(+), 42 deletions(-)

diff --git a/net/bpfilter/main.c b/net/bpfilter/main.c index 291a92546246..c157277c48b5 100644 --- a/net/bpfilter/main.c +++ b/net/bpfilter/main.c @@ -1,64 +1,112 @@ // SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (c) 2021 Telegram FZ-LLC + * Copyright (c) 2022 Meta Platforms, Inc. and affiliates. + */ + #define _GNU_SOURCE -#include <sys/uio.h> + #include <errno.h> #include <stdio.h> -#include <sys/socket.h> -#include <fcntl.h> +#include <stdlib.h> +#include <sys/types.h> #include <unistd.h> -#include "../../include/uapi/linux/bpf.h" -#include <asm/unistd.h> + +#include "context.h" +#include "filter-table.h" +#include "logger.h" #include "msgfmt.h" +#include "sockopt.h"

-FILE *debug_f; +#define do_exact(fd, op, buffer, count) \ + ({ \ + typeof(count) __count = count; \ + size_t total = 0; \ + int r = 0; \ + \ + do { \ + const ssize_t part = op(fd, (buffer) + total, (__count) - total); \ + if (part > 0) { \ + total += part; \ + } else if (part == 0 && (__count) > 0) { \ + r = -EIO; \ + break; \ + } else if (part == -1) { \ + if (errno == EINTR) \ + continue; \ + r = -errno; \ + break; \ + } \ + } while (total < (__count)); \ + \ + r; \ + })

-static int handle_get_cmd(struct mbox_request *cmd) +static int read_exact(int fd, void *buffer, size_t count) { - switch (cmd->cmd) { - case 0: - return 0; - default: - break; - } - return -ENOPROTOOPT; + return do_exact(fd, read, buffer, count); +} + +static int write_exact(int fd, const void *buffer, size_t count) +{ + return do_exact(fd, write, buffer, count); }

-static int handle_set_cmd(struct mbox_request *cmd) +static int setup_context(struct context *ctx) { - return -ENOPROTOOPT; + int r; + + r = logger_init(); + if (r < 0) + return r; + + BFLOG_DBG("log file opened and ready to use"); + + r = create_filter_table(ctx); + if (r < 0) + BFLOG_ERR("failed to created filter table: %s", STRERR(r)); + + return r; }

-static void loop(void) +static void loop(struct context *ctx) { - while (1) { - struct mbox_request req; - struct mbox_reply reply; - int n; - - n = read(0, &req, sizeof(req)); - if (n != sizeof(req)) { - fprintf(debug_f, "invalid request %d\n", n); - return; - } - - reply.status = req.is_set ? - handle_set_cmd(&req) : - handle_get_cmd(&req); - - n = write(1, &reply, sizeof(reply)); - if (n != sizeof(reply)) { - fprintf(debug_f, "reply failed %d\n", n); - return; - } + struct mbox_request req; + struct mbox_reply reply; + int r; + + for (;;) { + r = read_exact(STDIN_FILENO, &req, sizeof(req)); + if (r) + BFLOG_EMERG("cannot read request: %s", STRERR(r)); + + reply.status = handle_sockopt_request(ctx, &req); + + r = write_exact(STDOUT_FILENO, &reply, sizeof(reply)); + if (r) + BFLOG_EMERG("cannot write reply: %s", STRERR(r)); } }

int main(void) { - debug_f = fopen("/dev/kmsg", "w"); - setvbuf(debug_f, 0, _IOLBF, 0); - fprintf(debug_f, "<5>Started bpfilter\n"); - loop(); - fclose(debug_f); + struct context ctx; + int r; + + r = create_context(&ctx); + if (r) + return r; + + r = setup_context(&ctx); + if (r) { + free_context(&ctx); + return r; + } + + loop(&ctx); + + // Disregard return value, the application is closed anyway. + (void)logger_clean(); + return 0; }