Re: [PATCH bpf-next v3 00/16] bpfilter

[PATCH bpf-next v3 00/16] bpfilter · Quentin Deslandes <hidden> · 2022-12-24
[PATCH bpf-next v3 01/16] bpfilter: add types for usermode helper · Quentin Deslandes <hidden> · 2022-12-24
[PATCH bpf-next v3 02/16] tools: add bpfilter usermode helper header · Quentin Deslandes <hidden> · 2022-12-24
[PATCH bpf-next v3 07/16] bpfilter: add support for TC bytecode generation · Quentin Deslandes <hidden> · 2022-12-24
[PATCH bpf-next v3 09/16] bpfilter: add support for src/dst addr and ports · Quentin Deslandes <hidden> · 2022-12-24
[PATCH bpf-next v3 08/16] bpfilter: add match structure · Quentin Deslandes <hidden> · 2022-12-24
[PATCH bpf-next v3 13/16] bpfilter: add table code generation · Quentin Deslandes <hidden> · 2022-12-24
[PATCH bpf-next v3 15/16] bpfilter: add filter table · Quentin Deslandes <hidden> · 2022-12-24
[PATCH bpf-next v3 11/16] bpfilter: add rule structure · Quentin Deslandes <hidden> · 2022-12-24
[PATCH bpf-next v3 03/16] bpfilter: add logging facility · Quentin Deslandes <hidden> · 2022-12-24
[PATCH bpf-next v3 06/16] bpfilter: add BPF bytecode generation infrastructure · Quentin Deslandes <hidden> · 2022-12-24
[PATCH bpf-next v3 16/16] bpfilter: handle setsockopt() calls · Quentin Deslandes <hidden> · 2022-12-24
[PATCH bpf-next v3 05/16] bpfilter: add runtime context · Quentin Deslandes <hidden> · 2022-12-24
[PATCH bpf-next v3 14/16] bpfilter: add setsockopt() support · Quentin Deslandes <hidden> · 2022-12-24
[PATCH bpf-next v3 04/16] bpfilter: add map container · Quentin Deslandes <hidden> · 2022-12-24
[PATCH bpf-next v3 12/16] bpfilter: add table structure · Quentin Deslandes <hidden> · 2022-12-24
[PATCH bpf-next v3 10/16] bpfilter: add target structure · Quentin Deslandes <hidden> · 2022-12-24
Re: [PATCH bpf-next v3 00/16] bpfilter · Alexei Starovoitov <hidden> · 2022-12-27
Re: [PATCH bpf-next v3 00/16] bpfilter · Florian Westphal <fw@strlen.de> · 2023-01-03
Re: [PATCH bpf-next v3 00/16] bpfilter · Quentin Deslandes <hidden> · 2023-01-06
Re: [PATCH bpf-next v3 00/16] bpfilter · Florian Westphal <fw@strlen.de> · 2023-01-12
Re: [PATCH bpf-next v3 00/16] bpfilter · Florian Westphal <fw@strlen.de> · 2023-01-03
Re: [PATCH bpf-next v3 00/16] bpfilter · Quentin Deslandes <hidden> · 2023-01-06
Re: [PATCH bpf-next v3 00/16] bpfilter · Florian Westphal <fw@strlen.de> · 2023-01-12
Re: [PATCH bpf-next v3 00/16] bpfilter · Quentin Deslandes <hidden> · 2023-01-25

From: Florian Westphal <fw@strlen.de>
Date: 2023-01-12 03:17:48
Also in: bpf, linux-kselftest, lkml

Quentin Deslandes [off-list ref] wrote:

Le 03/01/2023 à 12:45, Florian Westphal a écrit :

quoted

You can't make this atomic from userspace perspective, the
get/setsockopt API of iptables uses a read-modify-write model.

This refers to updating the programs from bpfilter's side. It won't
be atomic from iptables point of view, but currently bpfilter will
remove the program associated to a table, before installing the new
one. This means packets received in between those operations are
not filtered. I assume a better solution is possible.

Ah, I see, thanks.

quoted

Tentatively I'd try to extend libnftnl and generate bpf code there,
since its used by both iptables(-nft) and nftables we'd automatically
get support for both.

That's one of the option, this could also remain in the kernel
tree or in a dedicated git repository. I don't know which one would
be the best, I'm open to suggestions.

I can imagine that this will see a flurry of activity in the early
phase so I think a 'semi test repo' makes sense.

Provideded license allows this, useable bits and pieces can then
be grafted on to libnftnl (or iptables or whatever).

quoted

I was planning to look into "attach bpf progs to raw netfilter hooks"
in Q1 2023, once the initial nf-bpf-codegen is merged.

Is there any plan to support non raw hooks? That's mainly out
of curiosity, I don't even know whether that would be a good thing
or not.

Not sure what 'non raw hook' is.  Idea was to expose

1. protcocol family
2. hook number (prerouting, input etc)
3. priority

to userspace via bpf syscall/bpf link.

userspace would then provide the above info to kernel via
bpf(... BPF_LINK_CREATE )

which would then end up doing:
--------------
h.hook = nf_hook_run_bpf; // wrapper to call BPF_PROG_RUN
h.priv = prog; // the bpf program to run
h.pf = attr->netfilter.pf;
h.priority = attr->netfilter.priority;
h.hooknum = attr->netfilter.hooknum;

nf_register_net_hook(net, &h);
--------------

After that nf_hook_slow() calls the bpf program just like any
other of the netfilter hooks.

Does that make sense or did you have something else in mind?

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help