At 2023-09-04 18:48:56, "Florian Westphal" <fw@xxxxxxxxx> wrote:
>David Wang <00107082@xxxxxxx> wrote:
>> This sample code implements a simple ipv4
>> blacklist via the new bpf type BPF_PROG_TYPE_NETFILTER,
>> which was introduced in 6.4.
>>
>> The bpf program drops a packet if the destination ip address
>> hits a match in the map of type BPF_MAP_TYPE_LPM_TRIE.
>>
>> The userspace code would load the bpf program,
>> attach it to netfilter's FORWARD/OUTPUT hook,
>> and then write ip patterns into the bpf map.
>
>Thanks, I think it's good to have this.

Thanks for the quick response.

>
>> diff --git a/samples/bpf/netfilter_ip4_blacklist.bpf.c b/samples/bpf/netfilter_ip4_blacklist.bpf.c
>> new file mode 100644
>> index 000000000000..d315d64fda7f
>> --- /dev/null
>> +++ b/samples/bpf/netfilter_ip4_blacklist.bpf.c
>> @@ -0,0 +1,62 @@
>> +// SPDX-License-Identifier: GPL-2.0
>> +
>> +#include "vmlinux.h"
>> +#include <bpf/bpf_helpers.h>
>> +
>> +
>> +#define NF_DROP 0
>> +#define NF_ACCEPT 1
>
>If you are interested, you could send a patch for nf-next that
>makes the uapi headers expose this as enum, AFAIU that would make
>the verdict names available via vmlinux.h.
>

I think I can work on this.

>> +	/* search p->daddr in trie */
>> +	key.prefixlen = 32;
>> +	key.data = p->daddr;
>> +	pvalue = bpf_map_lookup_elem(&ipv4_lpm_map, &key);
>> +	if (pvalue) {
>> +		/* cat /sys/kernel/debug/tracing/trace_pipe */
>> +		bpf_printk("rule matched with %d...\n", *pvalue);
>
>If you are interested you could send a patch that adds a kfunc to
>nf_bpf_link that exposes nf_log_packet() to bpf.
>
>nf_log_packet has a terrible api, I suggest to have the kfunc take
>'struct nf_hook_state *' instead of 6+ members of that struct as
>argument.
>

Logging strategy is out of my league, but I will keep an eye on this.

Glad to contribute.

David
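Review bot: `bpf_printk("rule matched with %d...\n", *pvalue);` runs once for every packet that hits a blacklist entry, so with the program attached at FORWARD/OUTPUT a burst of blocked traffic becomes a trace_pipe flood; the `/* cat /sys/kernel/debug/tracing/trace_pipe */` comment says where the output goes but not that this is a debugging aid. Suggest keeping the printk out of the drop path, or stating in the comment that it is intentionally left in for the sample. For the `#define NF_DROP 0` / `#define NF_ACCEPT 1` pair, a one-line comment that they mirror the netfilter uapi verdict values would stop them from being edited independently until the enum is reachable through vmlinux.h as discussed in the reply.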
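The cover letter describes the lookup the sample performs: the BPF program builds a key with prefixlen 32 from the destination address and asks the LPM trie for the longest matching prefix that userspace wrote into the map. The following is an added, userspace-only illustration of that lookup, not code from the patch or the kernel tree. It shows the key layout such a map expects (prefixlen first, then the address bytes in network byte order) and why the lookup side always uses prefixlen = 32. The key struct in the quoted hunk is not shown, so the `{prefixlen, data}` layout, the `ipv4_lpm_key`/`ipv4_rule` names, the `lpm_lookup` emulation and the three-entry rule table are all assumptions of this example; in the real sample the rules live in the kernel map and are written with `bpf_map_update_elem()`.

```c
/* Added example: userspace emulation of the sample's LPM-trie blacklist.
 * Not part of the patch; names and the rule table are constructed here. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed key layout: prefixlen in host order, address in network order,
 * the shape an IPv4 BPF_MAP_TYPE_LPM_TRIE key takes. */
struct ipv4_lpm_key {
	uint32_t prefixlen;
	uint32_t data;
};

struct ipv4_rule {
	struct ipv4_lpm_key key;
	uint32_t value;		/* rule id, as the sample stores in the map value */
};

/* Build a map key from "a.b.c.d" or "a.b.c.d/len". 0 on success, -1 on error. */
int ipv4_key_from_cidr(const char *cidr, struct ipv4_lpm_key *key)
{
	char buf[32];
	char *slash;
	unsigned int len = 32;
	struct in_addr addr;

	if (strlen(cidr) >= sizeof(buf))
		return -1;
	strcpy(buf, cidr);
	slash = strchr(buf, '/');
	if (slash) {
		*slash = '\0';
		if (sscanf(slash + 1, "%u", &len) != 1 || len > 32)
			return -1;
	}
	if (inet_pton(AF_INET, buf, &addr) != 1)
		return -1;
	key->prefixlen = len;
	key->data = addr.s_addr;	/* inet_pton already gives network order */
	return 0;
}

/* Does the rule's prefix cover the /32 host key? Compare in host order so the
 * mask arithmetic is plain; prefixlen 0 is handled separately (shift by 32 is UB). */
static int prefix_covers(const struct ipv4_lpm_key *rule, const struct ipv4_lpm_key *host)
{
	uint32_t mask = rule->prefixlen ? ~0u << (32 - rule->prefixlen) : 0;

	return (ntohl(rule->data) & mask) == (ntohl(host->data) & mask);
}

/* Longest-prefix match over the rule table, the answer an LPM trie lookup with
 * a prefixlen=32 key returns. 0 means no rule (the program would NF_ACCEPT). */
uint32_t lpm_lookup(const struct ipv4_rule *rules, size_t n, const char *dst)
{
	struct ipv4_lpm_key host;
	const struct ipv4_rule *best = NULL;
	size_t i;

	if (ipv4_key_from_cidr(dst, &host) || host.prefixlen != 32)
		return 0;
	for (i = 0; i < n; i++)
		if (prefix_covers(&rules[i].key, &host) &&
		    (!best || rules[i].key.prefixlen > best->key.prefixlen))
			best = &rules[i];
	return best ? best->value : 0;
}

/* Constructed rule table standing in for the kernel map's contents. */
static struct ipv4_rule blacklist[3];

size_t build_blacklist(void)
{
	const char *cidrs[] = { "10.0.0.0/8", "10.1.2.0/24", "192.168.0.1/32" };
	size_t i;

	for (i = 0; i < 3; i++) {
		if (ipv4_key_from_cidr(cidrs[i], &blacklist[i].key))
			return 0;
		blacklist[i].value = (uint32_t)(i + 1);
	}
	return 3;
}

int main(void)
{
	size_t n = build_blacklist();
	const char *probes[] = { "10.1.2.3", "10.9.9.9", "192.168.0.1", "8.8.8.8" };
	size_t i;

	for (i = 0; i < 4; i++) {
		uint32_t v = lpm_lookup(blacklist, n, probes[i]);

		printf("%-12s -> %s (rule %u)\n", probes[i], v ? "NF_DROP" : "NF_ACCEPT", v);
	}
	return 0;
}
```

The point worth noticing is the asymmetry: entries are inserted with the prefix length of the rule (/8, /24, /32), while every lookup uses prefixlen 32 so that the trie returns the most specific covering rule, which is why 10.1.2.3 resolves to the /24 rule rather than the /8 one.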