Introduce the following new kfuncs:
- bpf_{xdp,skb}_ct_alloc
- bpf_ct_insert_entry
- bpf_ct_{set,change}_timeout
- bpf_ct_{set,change}_status
The setting of timeout and status on allocated or inserted/looked up CT
is same as the ctnetlink interface, hence code is refactored and shared
with the kfuncs. It is ensured allocated CT cannot be passed to kfuncs
that expected inserted CT, and vice versa. Please see individual patches
for details.
Changelog:
----------
v4 -> v5:
v4: https://lore.kernel.org/bpf/cover.1653600577.git.lorenzo@xxxxxxxxxx
* Drop read-only PTR_TO_BTF_ID approach, use struct nf_conn___init (Alexei)
* Drop acquire release pair code that is no longer required (Alexei)
* Disable writes into nf_conn, use dedicated helpers (Florian, Alexei)
* Refactor and share ctnetlink code for setting timeout and status
* Do strict type matching on finding __ref suffix on argument to
prevent passing nf_conn___init as nf_conn (offset = 0, match on walk)
* Remove bpf_ct_opts parameter from bpf_ct_insert_entry
* Update selftests for new additions, add more negative tests
v3 -> v4:
v3: https://lore.kernel.org/bpf/cover.1652870182.git.lorenzo@xxxxxxxxxx
* split bpf_xdp_ct_add in bpf_xdp_ct_alloc/bpf_skb_ct_alloc and
bpf_ct_insert_entry
* add verifier code to properly populate/configure ct entry
* improve selftests
v2 -> v3:
v2: https://lore.kernel.org/bpf/cover.1652372970.git.lorenzo@xxxxxxxxxx
* add bpf_xdp_ct_add and bpf_ct_refresh_timeout kfunc helpers
* remove conntrack dependency from selftests
* add support for forcing kfunc args to be referenced and related selftests
v1 -> v2:
v1: https://lore.kernel.org/bpf/1327f8f5696ff2bc60400e8f3b79047914ccc837.1651595019.git.lorenzo@xxxxxxxxxx
* add bpf_ct_refresh_timeout kfunc selftest
Kumar Kartikeya Dwivedi (5):
bpf: Add support for forcing kfunc args to be referenced
net: netfilter: Deduplicate code in bpf_{xdp,skb}_ct_lookup
net: netfilter: Add kfuncs to set and change CT timeout
selftests/bpf: Add verifier tests for forced kfunc ref args
selftests/bpf: Add negative tests for new nf_conntrack kfuncs
Lorenzo Bianconi (3):
net: netfilter: Add kfuncs to allocate and insert CT
net: netfilter: Add kfuncs to set and change CT status
selftests/bpf: Add tests for new nf_conntrack kfuncs
include/net/netfilter/nf_conntrack_core.h | 19 +
kernel/bpf/btf.c | 48 ++-
net/bpf/test_run.c | 5 +
net/netfilter/nf_conntrack_bpf.c | 330 +++++++++++++++---
net/netfilter/nf_conntrack_core.c | 62 ++++
net/netfilter/nf_conntrack_netlink.c | 54 +--
.../testing/selftests/bpf/prog_tests/bpf_nf.c | 64 +++-
.../testing/selftests/bpf/progs/test_bpf_nf.c | 85 ++++-
.../selftests/bpf/progs/test_bpf_nf_fail.c | 134 +++++++
tools/testing/selftests/bpf/verifier/calls.c | 53 +++
10 files changed, 727 insertions(+), 127 deletions(-)
create mode 100644 tools/testing/selftests/bpf/progs/test_bpf_nf_fail.c
--
2.36.1
