Re: [PATCH bpf-next v2 12/13] bpfilter: Add filter table
From: Dmitrii Banshchikov <hidden>
Date: 2021-08-31 12:52:45
Also in: netdev
On Mon, Aug 30, 2021 at 04:45:15PM -0700, Alexei Starovoitov wrote:
On Tue, Aug 31, 2021 at 12:54:43AM +0400, Dmitrii Banshchikov wrote:
On Mon, Aug 30, 2021 at 12:45:45PM -0700, Alexei Starovoitov wrote:
On Sun, Aug 29, 2021 at 10:36:07PM +0400, Dmitrii Banshchikov wrote:
/* - * # Generated by iptables-save v1.8.2 on Sat May 8 05:22:41 2021 + * Generated by iptables-save v1.8.2 on Sat May 8 05:22:41 2021 * *filter...quoted
- * -A LOCAL -s 10.32.0.0/11 -j FROMDC - * -A LOCAL -s 10.144.0.0/12 -j FROMDC - * -A LOCAL -s 10.160.0.0/12 -j FROMDC - * -A LOCAL -s 10.0.0.0/12 -j FROMDC - * -A LOCAL -s 10.248.0.0/24 -j FROMDC - * -A LOCAL -s 10.232.0.0/16 -j FROMDC - * -A LOCAL -s 10.1.146.131/32 -p udp -m udp --dport 161 -j ACCEPT - * -A LOCAL -s 10.149.118.14/32 -p udp -m udp --dport 161 -j ACCEPT - * -A LOCAL -p icmp -j ACCEPT + * :INPUT ACCEPT [0:0] + * :FORWARD ACCEPT [0:0] + * :OUTPUT ACCEPT [0:0] + * -A INPUT -s 1.1.1.1/32 -d 2.2.2.2/32 -j DROP + * -A INPUT -s 2.2.0.0/16 -d 3.0.0.0/8 -j DROP + * -A INPUT -p udp -m udp --sport 100 --dport 500 -j DROP * COMMIT */Patch 10 adds this test, but then patch 12 removes most of it? Keep both?Sorry, I missed it. I decided that the large blob looks really ugly and switched to the smaller one and forgot to cleanup the patchset.quoted
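Review bot: the replacement fixture in this comment block uses real, routable addresses (1.1.1.1/32, 2.2.2.2/32, 2.2.0.0/16, 3.0.0.0/8) as sample source and destination prefixes; the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) would make it obvious that these rules are test data and keep them from ever matching live traffic if the blob is loaded outside the test. Dropping the large FROMDC rule set is fine, but the smaller fixture should be what patch 10 introduces, so that no patch in the series adds rules a later patch deletes.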
Also hit this on my system with older glibc:

../net/bpfilter/codegen.c: In function ‘codegen_push_subprog’:
../net/bpfilter/codegen.c:67:4: warning: implicit declaration of function ‘reallocarray’ [-Wimplicit-function-declaration]
   67 |    reallocarray(codegen->subprogs, subprogs_max, sizeof(codegen->subprogs[0]));
      |    ^~~~~~~~~~~~
../net/bpfilter/codegen.c:66:12: warning: assignment to ‘struct codegen_subprog_desc **’ from ‘int’ makes pointer from integer without a cast [-Wint-conversion]
   66 |   subprogs =
      |            ^

In libbpf we have libbpf_reallocarray() for this reason.

Could you provide an example of generated bpf program?
And maybe add Documentation/bpf/bpfilter_design.rst ?

I will add documentation in the next iteration when bpf_map_for_each() subprog will be introduced.
The tests don't build for me:

$ cd selftests/bpf/bpfilter; make
make: *** No rule to make target '-lelf', needed by '.../selftests/bpf/bpfilter/test_match'.  Stop.

libelf was added because libbpf depends on it. Are you able to build libbpf?

make proceeds to build libbpf just fine, but then it stops with above message.
I manually removed -lelf from Makefile. Then run make to see it fail linking
and then manually copy pasted gcc command to build it with additional -lelf command line.
fwiw make -v
GNU Make 4.2.1

Will take a look at it. Thanks.
The unit tests are great, btw. test_codegen is not end-to-end, right?
Could you add a full test with iptable command line? or netns support is a prerequisite for it?

Yeah, as net namespaces aren't supported using iptables binary will modify the root namespace.
That is the reason why codegen tests aren't implemented in the end-to-end fashion and rules are represented by blobs.

I think when ifindex is no longer hardcoded the netns support doesn't have to be gating.
The generic xdp attached to veth in netns should work to do end-to-end test.
bpfilter would need to do a bit of magic to figure out the right ifindex.
Or we can extend kernel with ifindex-less generic XDP.

Is it ok to add an external dependency to tests? The unit test will need to execute iptables binary.

-- 
Dmitrii Banshchikov
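The reallocarray() warning in the thread above is worth a closer look: with an implicit declaration the compiler assumes an int return value, so the returned pointer is truncated on 64-bit targets (that is what the second warning is about), and reallocarray() itself exists to reject an nmemb * size product that would overflow size_t instead of silently wrapping to a small buffer. The following is an added example, not code from the patch or from libbpf, of an overflow-checked fallback in the spirit of libbpf_reallocarray(); the safe_reallocarray, subprog_list and subprog_desc names are constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical portable replacement for reallocarray(): refuses the
 * request when nmemb * size would overflow size_t (and sets errno the way
 * the libc version does) rather than handing back an undersized buffer. */
static void *safe_reallocarray(void *ptr, size_t nmemb, size_t size)
{
	if (size && nmemb > SIZE_MAX / size) {
		errno = ENOMEM;
		return NULL;
	}
	return realloc(ptr, nmemb * size);
}

/* Growable array of subprogram descriptors, modelled loosely on the
 * codegen->subprogs pattern from the warning; constructed names. */
struct subprog_desc { int id; };

struct subprog_list {
	struct subprog_desc **items;
	size_t len, cap;
};

/* Append one entry, doubling capacity as needed. Returns 0 on success,
 * -1 when the size computation overflows or realloc() fails; on failure
 * the old array is left intact instead of being leaked or clobbered. */
static int subprog_list_push(struct subprog_list *l, struct subprog_desc *d)
{
	if (l->len == l->cap) {
		size_t new_cap = l->cap ? l->cap * 2 : 4;
		struct subprog_desc **tmp =
			safe_reallocarray(l->items, new_cap, sizeof(l->items[0]));
		if (!tmp)
			return -1;
		l->items = tmp;
		l->cap = new_cap;
	}
	l->items[l->len++] = d;
	return 0;
}
```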