Florian Westphal <fw@xxxxxxxxx> writes:
> This adds minimal support for BPF_PROG_TYPE_NETFILTER bpf programs
> that will be invoked via the NF_HOOK() points in the ip stack.
>
> Invocation incurs an indirect call. This is not a necessity: Its
> possible to add 'DEFINE_BPF_DISPATCHER(nf_progs)' and handle the
> program invocation with the same method already done for xdp progs.
>
> This isn't done here to keep the size of this chunk down.
>
> Verifier restricts verdicts to either DROP or ACCEPT.
>
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> ---
> include/linux/bpf_types.h | 4 ++
> include/net/netfilter/nf_hook_bpf.h | 6 +++
> kernel/bpf/btf.c | 5 ++
> kernel/bpf/verifier.c | 3 ++
> net/netfilter/nf_bpf_link.c | 78 ++++++++++++++++++++++++++++-
> 5 files changed, 95 insertions(+), 1 deletion(-)
>
> diff --git a/include/linux/bpf_types.h b/include/linux/bpf_types.h
> index d4ee3ccd3753..39a999abb0ce 100644
> --- a/include/linux/bpf_types.h
> +++ b/include/linux/bpf_types.h
> @@ -79,6 +79,10 @@ BPF_PROG_TYPE(BPF_PROG_TYPE_LSM, lsm,
> #endif
> BPF_PROG_TYPE(BPF_PROG_TYPE_SYSCALL, bpf_syscall,
> void *, void *)
> +#ifdef CONFIG_NETFILTER
> +BPF_PROG_TYPE(BPF_PROG_TYPE_NETFILTER, netfilter,
> + struct bpf_nf_ctx, struct bpf_nf_ctx)
> +#endif
>
> BPF_MAP_TYPE(BPF_MAP_TYPE_ARRAY, array_map_ops)
> BPF_MAP_TYPE(BPF_MAP_TYPE_PERCPU_ARRAY, percpu_array_map_ops)
> diff --git a/include/net/netfilter/nf_hook_bpf.h b/include/net/netfilter/nf_hook_bpf.h
> index 9d1b338e89d7..863cbbcc66f9 100644
> --- a/include/net/netfilter/nf_hook_bpf.h
> +++ b/include/net/netfilter/nf_hook_bpf.h
> @@ -1,2 +1,8 @@
> /* SPDX-License-Identifier: GPL-2.0 */
> +
> +struct bpf_nf_ctx {
> + const struct nf_hook_state *state;
> + struct sk_buff *skb;
> +};
> +
> int bpf_nf_link_attach(const union bpf_attr *attr, struct bpf_prog *prog);
> diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
> index ef2d8969ed1f..ec6eb78b9aec 100644
> --- a/kernel/bpf/btf.c
> +++ b/kernel/bpf/btf.c
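Review bot: `struct bpf_nf_ctx` is introduced in nf_hook_bpf.h with no forward declarations for `struct nf_hook_state` and `struct sk_buff` and no include guard, while the same series starts including this header from kernel/bpf/btf.c, so the header now has to be self-contained outside netfilter. Adding `struct nf_hook_state;` and `struct sk_buff;` above the definition and wrapping the file in an include guard would avoid depending on whatever the including file happened to pull in first. The bpf_types.h hunk registers this struct as both the program-visible and the kernel context type, so a program sees the kernel-side layout directly; the rules for which loads and stores through `state` and `skb` the verifier accepts are not in the hunks quoted here (presumably they live in nf_bpf_link.c, which the diffstat lists but the quote omits). A short comment on the struct saying that it is the netfilter program context and that the two pointers are only accessible as the verifier permits would make that contract visible where the type is defined.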
> @@ -25,6 +25,9 @@
> #include <linux/bsearch.h>
> #include <linux/kobject.h>
> #include <linux/sysfs.h>
> +
> +#include <net/netfilter/nf_hook_bpf.h>
> +
> #include <net/sock.h>
> #include "../tools/lib/bpf/relo_core.h"
>
> @@ -7726,6 +7729,8 @@ static int bpf_prog_type_to_kfunc_hook(enum bpf_prog_type prog_type)
> case BPF_PROG_TYPE_LWT_XMIT:
> case BPF_PROG_TYPE_LWT_SEG6LOCAL:
> return BTF_KFUNC_HOOK_LWT;
> + case BPF_PROG_TYPE_NETFILTER:
> + return BTF_KFUNC_HOOK_SOCKET_FILTER;
The dynptr patch reuses the actual set between the different IDs, so this should probably define a new BTF_KFUNC_HOOK_NETFILTER, with an associated register_btf_kfunc_id_set() call?
-Toke
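Review bot: The new `#include <net/netfilter/nf_hook_bpf.h>` in btf.c is placed in its own blank-line-delimited island between the linux/ headers and `<net/sock.h>`, which breaks the file's existing include grouping; putting it directly above `#include <net/sock.h>` without the extra blank lines keeps the net/ headers together. The include is unconditional while the bpf_types.h entry it supports is under `#ifdef CONFIG_NETFILTER`, which is fine only as long as the header builds without netfilter, and from the two hunks shown it appears to. The reason for the include is not obvious from this hunk — it seems to be needed so that `struct bpf_nf_ctx` is a complete type wherever bpf_types.h is expanded in btf.c — so a one-line comment such as `/* struct bpf_nf_ctx, used by the BPF_PROG_TYPE_NETFILTER ctx entry */` would save the next reader a search.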