This patch correctly populates the `bpf_link_info.netfilter.flags` field when user passes the `BPF_F_NETFILTER_IP_DEFRAG` flag.
Fixes: 84601d6ee68a ("bpf: add bpf_link support for BPF_NETFILTER programs") Signed-off-by: Tyrone Wu wudevelops@gmail.com --- net/netfilter/nf_bpf_link.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c index 5257d5e7eb09..797fe8a9971e 100644 --- a/net/netfilter/nf_bpf_link.c +++ b/net/netfilter/nf_bpf_link.c @@ -150,11 +150,12 @@ static int bpf_nf_link_fill_link_info(const struct bpf_link *link, struct bpf_link_info *info) { struct bpf_nf_link *nf_link = container_of(link, struct bpf_nf_link, link); + const struct nf_defrag_hook *hook = nf_link->defrag_hook;
info->netfilter.pf = nf_link->hook_ops.pf; info->netfilter.hooknum = nf_link->hook_ops.hooknum; info->netfilter.priority = nf_link->hook_ops.priority; - info->netfilter.flags = 0; + info->netfilter.flags = hook ? BPF_F_NETFILTER_IP_DEFRAG : 0;
return 0; }
Add assertions/tests to verify `bpf_link_info` fields for netfilter link are correctly populated.
Signed-off-by: Tyrone Wu wudevelops@gmail.com --- .../bpf/prog_tests/netfilter_link_attach.c | 40 ++++++++++++++++++- 1 file changed, 38 insertions(+), 2 deletions(-)
diff --git a/tools/testing/selftests/bpf/prog_tests/netfilter_link_attach.c b/tools/testing/selftests/bpf/prog_tests/netfilter_link_attach.c index 4297a2a4cb11..5bf98ab2e17f 100644 --- a/tools/testing/selftests/bpf/prog_tests/netfilter_link_attach.c +++ b/tools/testing/selftests/bpf/prog_tests/netfilter_link_attach.c @@ -26,10 +26,43 @@ static const struct nf_link_test nf_hook_link_tests[] = {
{ .pf = NFPROTO_INET, .priority = 1, .name = "invalid-inet-not-supported", },
- { .pf = NFPROTO_IPV4, .priority = -10000, .expect_success = true, .name = "attach ipv4", }, - { .pf = NFPROTO_IPV6, .priority = 10001, .expect_success = true, .name = "attach ipv6", }, + { + .pf = NFPROTO_IPV4, + .hooknum = NF_INET_POST_ROUTING, + .priority = -10000, + .flags = 0, + .expect_success = true, + .name = "attach ipv4", + }, + { + .pf = NFPROTO_IPV6, + .hooknum = NF_INET_FORWARD, + .priority = 10001, + .flags = BPF_F_NETFILTER_IP_DEFRAG, + .expect_success = true, + .name = "attach ipv6", + }, };
+static void verify_netfilter_link_info(struct bpf_link *link, const struct nf_link_test nf_expected) +{ + struct bpf_link_info info; + __u32 len = sizeof(info); + int err, fd; + + memset(&info, 0, len); + + fd = bpf_link__fd(link); + err = bpf_link_get_info_by_fd(fd, &info, &len); + ASSERT_OK(err, "get_link_info"); + + ASSERT_EQ(info.type, BPF_LINK_TYPE_NETFILTER, "info link type"); + ASSERT_EQ(info.netfilter.pf, nf_expected.pf, "info nf protocol family"); + ASSERT_EQ(info.netfilter.hooknum, nf_expected.hooknum, "info nf hooknum"); + ASSERT_EQ(info.netfilter.priority, nf_expected.priority, "info nf priority"); + ASSERT_EQ(info.netfilter.flags, nf_expected.flags, "info nf flags"); +} + void test_netfilter_link_attach(void) { struct test_netfilter_link_attach *skel; @@ -63,6 +96,7 @@ void test_netfilter_link_attach(void)
if (!ASSERT_OK_PTR(link, "program attach successful")) continue; + verify_netfilter_link_info(link, nf_hook_link_tests[i]);
link2 = bpf_program__attach_netfilter(prog, &opts); ASSERT_ERR_PTR(link2, "attach program with same pf/hook/priority"); @@ -73,6 +107,8 @@ void test_netfilter_link_attach(void) link2 = bpf_program__attach_netfilter(prog, &opts); if (!ASSERT_OK_PTR(link2, "program reattach successful")) continue; + verify_netfilter_link_info(link2, nf_hook_link_tests[i]); + if (!ASSERT_OK(bpf_link__destroy(link2), "link destroy")) break; } else {
Tyrone Wu wudevelops@gmail.com wrote:
This patch correctly populates the `bpf_link_info.netfilter.flags` field when user passes the `BPF_F_NETFILTER_IP_DEFRAG` flag.
Indeed, thanks for fixing this. Patch and testcase look good, but one nit:
Fixes: 84601d6ee68a ("bpf: add bpf_link support for BPF_NETFILTER programs")
BPF_F_NETFILTER_IP_DEFRAG flag was added in 91721c2d02d3 ("netfilter: bpf: Support BPF_F_NETFILTER_IP_DEFRAG in netfilter link"), that was a bit later than the initial support.
Other than that, Acked-by: Florian Westphal fw@strlen.de
On 10/15/24 5:25 PM, Florian Westphal wrote:
Tyrone Wu wudevelops@gmail.com wrote:
This patch correctly populates the `bpf_link_info.netfilter.flags` field when user passes the `BPF_F_NETFILTER_IP_DEFRAG` flag.
Indeed, thanks for fixing this. Patch and testcase look good, but one nit:
Fixes: 84601d6ee68a ("bpf: add bpf_link support for BPF_NETFILTER programs")
BPF_F_NETFILTER_IP_DEFRAG flag was added in 91721c2d02d3 ("netfilter: bpf: Support BPF_F_NETFILTER_IP_DEFRAG in netfilter link"), that was a bit later than the initial support.
Other than that, Acked-by: Florian Westphal fw@strlen.de
Thanks Florian & Tyrone, fixed up Fixes tag while applying.
Hello:
This series was applied to bpf/bpf.git (master) by Daniel Borkmann daniel@iogearbox.net:
On Fri, 11 Oct 2024 19:32:51 +0000 you wrote:
This patch correctly populates the `bpf_link_info.netfilter.flags` field when user passes the `BPF_F_NETFILTER_IP_DEFRAG` flag.
Fixes: 84601d6ee68a ("bpf: add bpf_link support for BPF_NETFILTER programs") Signed-off-by: Tyrone Wu wudevelops@gmail.com
net/netfilter/nf_bpf_link.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
Here is the summary with links: - [bpf,v1,1/2] bpf: fix link info netfilter flags to populate defrag flag https://git.kernel.org/bpf/bpf/c/92f3715e1eba - [bpf,v1,2/2] selftests/bpf: add asserts for netfilter link info https://git.kernel.org/bpf/bpf/c/2aa587fd6659
You are awesome, thank you!
linux-kselftest-mirror@lists.linaro.org
-
Daniel Borkmann -
Florian Westphal -
patchwork-bot+netdevbpf@kernel.org -
Tyrone Wu