At 2023-09-04 18:48:56, "Florian Westphal" <fw@xxxxxxxxx> wrote:
>David Wang <00107082@xxxxxxx> wrote:
>> This sample code implements a simple ipv4
>> blacklist via the new bpf type BPF_PROG_TYPE_NETFILTER,
>> which was introduced in 6.4.
>>
>> The bpf program drops package if destination ip address
>> hits a match in the map of type BPF_MAP_TYPE_LPM_TRIE.
>>
>> The userspace code would load the bpf program,
>> attach it to netfilter's FORWARD/OUTPUT hook,
>> and then write ip patterns into the bpf map.
>
>Thanks, I think it's good to have this.

Thanks for the quick response! Glad to contribute!

>> +
>> +#define NF_DROP 0
>> +#define NF_ACCEPT 1
>
>If you are interested, you could send a patch for nf-next that
>makes the uapi headers expose this as enum, AFAIU that would make
>the verdict names available via vmlinux.h.
>

I think I can work on this.

>> + if (pvalue) {
>> + /* cat /sys/kernel/debug/tracing/trace_pipe */
>> + bpf_printk("rule matched with %d...\n", *pvalue);
>
>If you are interested you could send a patch that adds a kfunc to
>nf_bpf_link that exposes nf_log_packet() to bpf.
>
>nf_log_packet has a terrible api, I suggest to have the kfunc take
>'struct nf_hook_state *' instead of 6+ members of that struct as
>argument.
>

Package logging strategy is out of my league, for now, but I will keep an eye on this.

David
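The map lookup the quoted description relies on, as an added example that is not part of the sample patch or this thread: plain userspace C that builds an IPv4 key in the layout BPF_MAP_TYPE_LPM_TRIE expects (prefix length, then address bytes) and reproduces the prefix comparison the trie performs on lookup, returning the sample's NF_DROP/NF_ACCEPT verdict for a destination address. The rule set and the helper names (`cidr_to_key`, `key_covers`, `verdict_for`) are constructed for illustration; nothing here talks to the kernel or libbpf.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Layout of the kernel's struct bpf_lpm_trie_key for IPv4: prefix length
 * in host byte order, then the address bytes as they appear on the wire. */
struct lpm_key4 { uint32_t prefixlen; uint8_t data[4]; };
/* Parse "10.0.0.0/8" (a bare address means /32) into an LPM key; -1 if malformed. */
int cidr_to_key(const char *cidr, struct lpm_key4 *key)
{
    char buf[32], *slash, *end;
    long plen = 32;
    if (strlen(cidr) >= sizeof(buf))
        return -1;
    strcpy(buf, cidr);
    if ((slash = strchr(buf, '/')) != NULL) {
        *slash = '\0';
        plen = strtol(slash + 1, &end, 10);
        if (*end != '\0' || plen < 0 || plen > 32)
            return -1;
    }
    if (inet_pton(AF_INET, buf, key->data) != 1)
        return -1;
    key->prefixlen = (uint32_t)plen;
    return 0;
}
/* The prefix comparison an LPM trie lookup performs: does key cover daddr_be? */
int key_covers(const struct lpm_key4 *key, uint32_t daddr_be)
{
    uint32_t rule_be, len = key->prefixlen;
    /* a /0 rule covers everything; the test also avoids an undefined shift by 32 */
    uint32_t mask_be = len ? htonl(~0u << (32 - len)) : 0;
    memcpy(&rule_be, key->data, 4);
    return (rule_be & mask_be) == (daddr_be & mask_be);
}
/* Constructed rules standing in for the map the loader fills. Returns 0 (NF_DROP)
 * when dst hits a rule, 1 (NF_ACCEPT) otherwise, -1 if dst is not an IPv4 address. */
int verdict_for(const char *dst)
{
    static const char *cidrs[] = { "10.0.0.0/8", "192.0.2.0/24", "203.0.113.7" };
    struct lpm_key4 key;
    uint32_t daddr_be;
    if (inet_pton(AF_INET, dst, &daddr_be) != 1)
        return -1;
    for (size_t i = 0; i < sizeof(cidrs) / sizeof(cidrs[0]); i++)
        if (cidr_to_key(cidrs[i], &key) == 0 && key_covers(&key, daddr_be))
            return 0;
    return 1;
}
```

The same key bytes are what the loader would hand to bpf_map_update_elem() for each pattern; the kernel's trie then does the longest-prefix walk that `key_covers` spells out for a single rule.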