Message ID | 20230904102128.11476-1-00107082@163.com (mailing list archive) |
---|---|
State | Changes Requested |
Delegated to: | BPF |
Series | samples/bpf: Add sample usage for BPF_PROG_TYPE_NETFILTER |
Context | Check | Description |
---|---|---|
netdev/tree_selection | success | Not a local patch |
bpf/vmtest-bpf-next-VM_Test-0 | success | Logs for ShellCheck |
bpf/vmtest-bpf-next-VM_Test-5 | success | Logs for set-matrix |
bpf/vmtest-bpf-next-VM_Test-1 | success | Logs for build for aarch64 with gcc |
bpf/vmtest-bpf-next-VM_Test-3 | success | Logs for build for x86_64 with gcc |
bpf/vmtest-bpf-next-VM_Test-4 | success | Logs for build for x86_64 with llvm-16 |
bpf/vmtest-bpf-next-VM_Test-2 | success | Logs for build for s390x with gcc |
bpf/vmtest-bpf-next-VM_Test-8 | success | Logs for test_maps on x86_64 with gcc |
bpf/vmtest-bpf-next-VM_Test-6 | success | Logs for test_maps on aarch64 with gcc |
bpf/vmtest-bpf-next-VM_Test-9 | success | Logs for test_maps on x86_64 with llvm-16 |
bpf/vmtest-bpf-next-VM_Test-13 | fail | Logs for test_progs on x86_64 with llvm-16 |
bpf/vmtest-bpf-next-VM_Test-17 | fail | Logs for test_progs_no_alu32 on x86_64 with llvm-16 |
bpf/vmtest-bpf-next-VM_Test-16 | fail | Logs for test_progs_no_alu32 on x86_64 with gcc |
bpf/vmtest-bpf-next-VM_Test-18 | success | Logs for test_progs_no_alu32_parallel on aarch64 with gcc |
bpf/vmtest-bpf-next-VM_Test-20 | success | Logs for test_progs_no_alu32_parallel on x86_64 with llvm-16 |
bpf/vmtest-bpf-next-VM_Test-19 | success | Logs for test_progs_no_alu32_parallel on x86_64 with gcc |
bpf/vmtest-bpf-next-VM_Test-22 | success | Logs for test_progs_parallel on x86_64 with gcc |
bpf/vmtest-bpf-next-VM_Test-21 | success | Logs for test_progs_parallel on aarch64 with gcc |
bpf/vmtest-bpf-next-VM_Test-24 | success | Logs for test_verifier on aarch64 with gcc |
bpf/vmtest-bpf-next-VM_Test-23 | success | Logs for test_progs_parallel on x86_64 with llvm-16 |
bpf/vmtest-bpf-next-VM_Test-25 | success | Logs for test_verifier on s390x with gcc |
bpf/vmtest-bpf-next-VM_Test-26 | success | Logs for test_verifier on x86_64 with gcc |
bpf/vmtest-bpf-next-VM_Test-28 | success | Logs for veristat |
bpf/vmtest-bpf-next-VM_Test-27 | success | Logs for test_verifier on x86_64 with llvm-16 |
bpf/vmtest-bpf-next-VM_Test-10 | fail | Logs for test_progs on aarch64 with gcc |
bpf/vmtest-bpf-next-VM_Test-12 | fail | Logs for test_progs on x86_64 with gcc |
bpf/vmtest-bpf-next-VM_Test-14 | fail | Logs for test_progs_no_alu32 on aarch64 with gcc |
bpf/vmtest-bpf-next-VM_Test-11 | fail | Logs for test_progs on s390x with gcc |
bpf/vmtest-bpf-next-VM_Test-15 | fail | Logs for test_progs_no_alu32 on s390x with gcc |
bpf/vmtest-bpf-next-PR | fail | PR summary |
bpf/vmtest-bpf-next-VM_Test-7 | success | Logs for test_maps on s390x with gcc |
David Wang <00107082@163.com> wrote:
> This sample code implements a simple ipv4
> blacklist via the new bpf type BPF_PROG_TYPE_NETFILTER,
> which was introduced in 6.4.
>
> The bpf program drops package if destination ip address
> hits a match in the map of type BPF_MAP_TYPE_LPM_TRIE,
>
> The userspace code would load the bpf program,
> attach it to netfilter's FORWARD/OUTPUT hook,
> and then write ip patterns into the bpf map.

Thanks, I think it's good to have this.

> diff --git a/samples/bpf/netfilter_ip4_blacklist.bpf.c b/samples/bpf/netfilter_ip4_blacklist.bpf.c
> new file mode 100644
> index 000000000000..d315d64fda7f
> --- /dev/null
> +++ b/samples/bpf/netfilter_ip4_blacklist.bpf.c
> @@ -0,0 +1,62 @@
> +// SPDX-License-Identifier: GPL-2.0
> +
> +#include "vmlinux.h"
> +#include <bpf/bpf_helpers.h>
> +
> +
> +#define NF_DROP 0
> +#define NF_ACCEPT 1

If you are interested, you could send a patch for nf-next that
makes the uapi headers expose this as enum, AFAIU that would make
the verdict names available via vmlinux.h.

> +	/* search p->daddr in trie */
> +	key.prefixlen = 32;
> +	key.data = p->daddr;
> +	pvalue = bpf_map_lookup_elem(&ipv4_lpm_map, &key);
> +	if (pvalue) {
> +		/* cat /sys/kernel/debug/tracing/trace_pipe */
> +		bpf_printk("rule matched with %d...\n", *pvalue);

If you are interested you could send a patch that adds a kfunc to
nf_bpf_link that exposes nf_log_packet() to bpf.

nf_log_packet has a terrible api, I suggest to have the kfunc take
'struct nf_hook_state *' instead of 6+ members of that struct as
argument.

Thanks for the example.
At 2023-09-04 18:48:56, "Florian Westphal" <fw@strlen.de> wrote:
>David Wang <00107082@163.com> wrote:
>> This sample code implements a simple ipv4
>> blacklist via the new bpf type BPF_PROG_TYPE_NETFILTER,
>> which was introduced in 6.4.
>>
>> The bpf program drops package if destination ip address
>> hits a match in the map of type BPF_MAP_TYPE_LPM_TRIE,
>>
>> The userspace code would load the bpf program,
>> attach it to netfilter's FORWARD/OUTPUT hook,
>> and then write ip patterns into the bpf map.
>
>Thanks, I think its good to have this.

Thanks for the quick response.

>
>> diff --git a/samples/bpf/netfilter_ip4_blacklist.bpf.c b/samples/bpf/netfilter_ip4_blacklist.bpf.c
>> new file mode 100644
>> index 000000000000..d315d64fda7f
>> --- /dev/null
>> +++ b/samples/bpf/netfilter_ip4_blacklist.bpf.c
>> @@ -0,0 +1,62 @@
>> +// SPDX-License-Identifier: GPL-2.0
>> +
>> +#include "vmlinux.h"
>> +#include <bpf/bpf_helpers.h>
>> +
>> +
>> +#define NF_DROP 0
>> +#define NF_ACCEPT 1
>
>If you are interested, you could send a patch for nf-next that
>makes the uapi headers expose this as enum, AFAIU that would make
>the verdict nanes available via vmlinux.h.
>

I think I can work on this.

>> +	/* search p->daddr in trie */
>> +	key.prefixlen = 32;
>> +	key.data = p->daddr;
>> +	pvalue = bpf_map_lookup_elem(&ipv4_lpm_map, &key);
>> +	if (pvalue) {
>> +		/* cat /sys/kernel/debug/tracing/trace_pipe */
>> +		bpf_printk("rule matched with %d...\n", *pvalue);
>
>If you are interested you could send a patch that adds a kfunc to
>nf_bpf_link that exposes nf_log_packet() to bpf.
>
>nf_log_packet has a terrible api, I suggest to have the kfunc take
>'struct nf_hook_state *' instead of 6+ members of that struct as
>argument.
>

Logging strategy is out of my league, but I will keep an eye on this.

Glad to contribute.

David
At 2023-09-04 18:48:56, "Florian Westphal" <fw@strlen.de> wrote:
>David Wang <00107082@163.com> wrote:
>> This sample code implements a simple ipv4
>> blacklist via the new bpf type BPF_PROG_TYPE_NETFILTER,
>> which was introduced in 6.4.
>>
>> The bpf program drops package if destination ip address
>> hits a match in the map of type BPF_MAP_TYPE_LPM_TRIE,
>>
>> The userspace code would load the bpf program,
>> attach it to netfilter's FORWARD/OUTPUT hook,
>> and then write ip patterns into the bpf map.
>
>Thanks, I think its good to have this.

Thanks for the quick response! Glad to contribute!

>> +
>> +#define NF_DROP 0
>> +#define NF_ACCEPT 1
>
>If you are interested, you could send a patch for nf-next that
>makes the uapi headers expose this as enum, AFAIU that would make
>the verdict nanes available via vmlinux.h.
>

I think I can work on this.

>> +	if (pvalue) {
>> +		/* cat /sys/kernel/debug/tracing/trace_pipe */
>> +		bpf_printk("rule matched with %d...\n", *pvalue);
>
>If you are interested you could send a patch that adds a kfunc to
>nf_bpf_link that exposes nf_log_packet() to bpf.
>
>nf_log_packet has a terrible api, I suggest to have the kfunc take
>'struct nf_hook_state *' instead of 6+ members of that struct as
>argument.
>

Packet logging strategy is out of my league, for now, but I will keep an eye on this.

David
On Mon, Sep 4, 2023 at 3:49 AM Florian Westphal <fw@strlen.de> wrote:
>
> David Wang <00107082@163.com> wrote:
> > This sample code implements a simple ipv4
> > blacklist via the new bpf type BPF_PROG_TYPE_NETFILTER,
> > which was introduced in 6.4.
> >
> > The bpf program drops package if destination ip address
> > hits a match in the map of type BPF_MAP_TYPE_LPM_TRIE,
> >
> > The userspace code would load the bpf program,
> > attach it to netfilter's FORWARD/OUTPUT hook,
> > and then write ip patterns into the bpf map.
>
> Thanks, I think its good to have this.

Yes, but only in selftests/bpf.
samples/bpf/ are not tested and bit rot heavily.
At 2023-09-05 05:01:14, "Alexei Starovoitov" <alexei.starovoitov@gmail.com> wrote:
>On Mon, Sep 4, 2023 at 3:49 AM Florian Westphal <fw@strlen.de> wrote:
>>
>> David Wang <00107082@163.com> wrote:
>> > This sample code implements a simple ipv4
>> > blacklist via the new bpf type BPF_PROG_TYPE_NETFILTER,
>> > which was introduced in 6.4.
>> >
>> > The bpf program drops package if destination ip address
>> > hits a match in the map of type BPF_MAP_TYPE_LPM_TRIE,
>> >
>> > The userspace code would load the bpf program,
>> > attach it to netfilter's FORWARD/OUTPUT hook,
>> > and then write ip patterns into the bpf map.
>>
>> Thanks, I think its good to have this.
>
>Yes, but only in selftests/bpf.
>samples/bpf/ are not tested and bit rot heavily.

My purpose is to demonstrate the basic usage of BPF_PROG_TYPE_NETFILTER, showing what the bpf program and the userspace program should do to make it work.
The code is neither thorough enough to make a valid test suite, nor detailed enough to make a tool (it could be a start for a tool).

samples/bpf is a good place for beginners to get along with bpf quickly; those samples/bpf codes did help me a lot,
but selftests/bpf is not that friendly, at least not friendly for beginners, I think.
There are already test codes for BPF_PROG_TYPE_NETFILTER in selftests/bpf; actually I did refer to that code when I made this sample.

I get a feeling samples/bpf will be deprecated sooner or later; I hope that will not happen.

Anyway, this sample code is not meant to be a test.

"David Wang" <00107082@163.com> writes:

> At 2023-09-05 05:01:14, "Alexei Starovoitov" <alexei.starovoitov@gmail.com> wrote:
>>On Mon, Sep 4, 2023 at 3:49 AM Florian Westphal <fw@strlen.de> wrote:
>>>
>>> David Wang <00107082@163.com> wrote:
>>> > This sample code implements a simple ipv4
>>> > blacklist via the new bpf type BPF_PROG_TYPE_NETFILTER,
>>> > which was introduced in 6.4.
>>> >
>>> > The bpf program drops package if destination ip address
>>> > hits a match in the map of type BPF_MAP_TYPE_LPM_TRIE,
>>> >
>>> > The userspace code would load the bpf program,
>>> > attach it to netfilter's FORWARD/OUTPUT hook,
>>> > and then write ip patterns into the bpf map.
>>>
>>> Thanks, I think its good to have this.
>>
>>Yes, but only in selftests/bpf.
>>samples/bpf/ are not tested and bit rot heavily.
>
> My purpose is to demonstrate the basic usage of BPF_PROG_TYPE_NETFILTER , showing what bpf program and userspace program should do to make it work.
> The code is neither thorough enough to make a valid test suite, nor detailed enough to make out a tool (Could be a start for a tool)
>
> samples/bpf is a good place to start for beginners to get along with bpf quickly, those sample/bpf codes do help me a lot,
> but selftests/bpf is not that friendly, at least not friendly for beginners, I think.
> There are already test codes for BPF_PROG_TYPE_NETFILTER in selftests/bpf, actually I did refer to those code when I made this sample.
>
> Get a feeling samples/bpf would be deprecated sooner or later, hope that would not happen.
>
> Anyway, this sample code is not meant to test.

FYI, we maintain a Github repository with BPF example programs of
various types at https://github.com/xdp-project/bpf-examples

Happy to include this example there as an alternative to the in-tree
samples/bpf :)

-Toke
David Wang <00107082@163.com> writes:

> This sample code implements a simple ipv4
> blacklist via the new bpf type BPF_PROG_TYPE_NETFILTER,
> which was introduced in 6.4.
>
> The bpf program drops package if destination ip address
> hits a match in the map of type BPF_MAP_TYPE_LPM_TRIE,
>
> The userspace code would load the bpf program,
> attach it to netfilter's FORWARD/OUTPUT hook,
> and then write ip patterns into the bpf map.
>
> Signed-off-by: David Wang <00107082@163.com>
> ---
>  samples/bpf/Makefile                      |  3 +
>  samples/bpf/netfilter_ip4_blacklist.bpf.c | 62 +++++++++++++++
>  samples/bpf/netfilter_ip4_blacklist.c     | 96 +++++++++++++++++++++++
>  3 files changed, 161 insertions(+)
>  create mode 100644 samples/bpf/netfilter_ip4_blacklist.bpf.c
>  create mode 100644 samples/bpf/netfilter_ip4_blacklist.c

According to https://docs.kernel.org/process/coding-style.html#naming
you should avoid new use of blacklist. You should use something like
denylist or blocklist instead.
At 2023-09-05 16:41:23, "Toke Høiland-Jørgensen" <toke@kernel.org> wrote:
>"David Wang" <00107082@163.com> writes:
>
>> Get a feeling samples/bpf would be deprecated sooner or later, hope that would not happen.
>>
>> Anyway, this sample code is not meant to test.
>
>FYI, we maintain a Github repository with BPF example programs of
>various types at https://github.com/xdp-project/bpf-examples
>
>Happy to include this example there as an alternative to the in-tree
>samples/bpf :)
>
>-Toke

Cool project! I will submit a PR there.
At 2023-09-05 17:05:26, "Donald Hunter" <donald.hunter@gmail.com> wrote:
>David Wang <00107082@163.com> writes:
>
>> This sample code implements a simple ipv4
>> blacklist via the new bpf type BPF_PROG_TYPE_NETFILTER,
>> which was introduced in 6.4.
>>
>> The bpf program drops package if destination ip address
>> hits a match in the map of type BPF_MAP_TYPE_LPM_TRIE,
>>
>> The userspace code would load the bpf program,
>> attach it to netfilter's FORWARD/OUTPUT hook,
>> and then write ip patterns into the bpf map.
>>
>> Signed-off-by: David Wang <00107082@163.com>
>> ---
>>  samples/bpf/Makefile                      |  3 +
>>  samples/bpf/netfilter_ip4_blacklist.bpf.c | 62 +++++++++++++++
>>  samples/bpf/netfilter_ip4_blacklist.c     | 96 +++++++++++++++++++++++
>>  3 files changed, 161 insertions(+)
>>  create mode 100644 samples/bpf/netfilter_ip4_blacklist.bpf.c
>>  create mode 100644 samples/bpf/netfilter_ip4_blacklist.c
>
>According to https://docs.kernel.org/process/coding-style.html#naming
>you should avoid new use of blacklist. You should use somethink like
>denylist or blocklist instead.

Thanks for the information! I will make the changes and resend a patch if samples/bpf is still a good place to put the code.
At 2023-09-05 05:01:14, "Alexei Starovoitov" <alexei.starovoitov@gmail.com> wrote:
>On Mon, Sep 4, 2023 at 3:49 AM Florian Westphal <fw@strlen.de> wrote:
>>
>> David Wang <00107082@163.com> wrote:
>> > This sample code implements a simple ipv4
>> > blacklist via the new bpf type BPF_PROG_TYPE_NETFILTER,
>> > which was introduced in 6.4.
>> >
>> > The bpf program drops package if destination ip address
>> > hits a match in the map of type BPF_MAP_TYPE_LPM_TRIE,
>> >
>> > The userspace code would load the bpf program,
>> > attach it to netfilter's FORWARD/OUTPUT hook,
>> > and then write ip patterns into the bpf map.
>>
>> Thanks, I think its good to have this.
>
>Yes, but only in selftests/bpf.
>samples/bpf/ are not tested and bit rot heavily.

Hi Alexei,

I need to know whether samples/bpf is still a good place to put code.
I will put the code in another open source project for bpf samples, mentioned by Toke.
But I still want to put it in samples/bpf, since the code only compiles/works with a new kernel.

Need your feedback on this: could this code be kept in samples/bpf? :)

Thanks
David.
On Tue, Sep 5, 2023 at 4:11 AM David Wang <00107082@163.com> wrote:
>
> At 2023-09-05 05:01:14, "Alexei Starovoitov" <alexei.starovoitov@gmail.com> wrote:
> >On Mon, Sep 4, 2023 at 3:49 AM Florian Westphal <fw@strlen.de> wrote:
> >>
> >> David Wang <00107082@163.com> wrote:
> >> > This sample code implements a simple ipv4
> >> > blacklist via the new bpf type BPF_PROG_TYPE_NETFILTER,
> >> > which was introduced in 6.4.
> >> >
> >> > The bpf program drops package if destination ip address
> >> > hits a match in the map of type BPF_MAP_TYPE_LPM_TRIE,
> >> >
> >> > The userspace code would load the bpf program,
> >> > attach it to netfilter's FORWARD/OUTPUT hook,
> >> > and then write ip patterns into the bpf map.
> >>
> >> Thanks, I think its good to have this.
> >
> >Yes, but only in selftests/bpf.
> >samples/bpf/ are not tested and bit rot heavily.
>
> Hi Alexei,
>
> I need to know whether samples/bpf is still a good place to put code.
> I will put the code in another open source project for bpf samples, mentioned by Toke.
> But I still want to put it in samples/bpf , since the code only compile/work with new kernel.
>
> Need your feedback on this, could this code be kept in samples/bpf? :)

Sorry, but we don't accept new code to samples/bpf/.
Everything in there will be moved/removed.
If you want to stay in the kernel selftests/bpf is the only place and
it's gotta be the real test and not just a sample.
At 2023-09-05 23:49:41, "Alexei Starovoitov" <alexei.starovoitov@gmail.com> wrote:
>On Tue, Sep 5, 2023 at 4:11 AM David Wang <00107082@163.com> wrote:
>> >
>> >Yes, but only in selftests/bpf.
>> >samples/bpf/ are not tested and bit rot heavily.
>>
>> Hi Alexei,
>>
>> I need to know whether samples/bpf is still a good place to put code.
>> I will put the code in another open source project for bpf samples, mentioned by Toke.
>> But I still want to put it in samples/bpf , since the code only compile/work with new kernel.
>>
>> Need your feedback on this, could this code be kept in samples/bpf? :)
>
>Sorry, but we don't accept new code to samples/bpf/.
>Everything in there will be moved/removed.
>If you want to stay in the kernel selftests/bpf is the only place and
>it's gotta be the real test and not just a sample.

Sad to hear this....

Anyway, thank you and all the others who took time to review this.

David
diff --git a/samples/bpf/Makefile b/samples/bpf/Makefile index 4ccf4236031c..ff027ea5ce24 100644 --- a/samples/bpf/Makefile +++ b/samples/bpf/Makefile @@ -46,6 +46,7 @@ tprogs-y += xdp_fwd tprogs-y += task_fd_query tprogs-y += ibumad tprogs-y += hbm +tprogs-y += netfilter_ip4_blacklist # Libbpf dependencies LIBBPF_SRC = $(TOOLS_PATH)/lib/bpf @@ -96,6 +97,7 @@ xdp_fwd-objs := xdp_fwd_user.o task_fd_query-objs := task_fd_query_user.o $(TRACE_HELPERS) ibumad-objs := ibumad_user.o hbm-objs := hbm.o $(CGROUP_HELPERS) +netfilter_ip4_blacklist-objs := netfilter_ip4_blacklist.o xdp_router_ipv4-objs := xdp_router_ipv4_user.o $(XDP_SAMPLE) @@ -149,6 +151,7 @@ always-y += task_fd_query_kern.o always-y += ibumad_kern.o always-y += hbm_out_kern.o always-y += hbm_edt_kern.o +always-y += netfilter_ip4_blacklist.bpf.o ifeq ($(ARCH), arm) # Strip all except -D__LINUX_ARM_ARCH__ option needed to handle linux diff --git a/samples/bpf/netfilter_ip4_blacklist.bpf.c b/samples/bpf/netfilter_ip4_blacklist.bpf.c new file mode 100644 index 000000000000..d315d64fda7f --- /dev/null +++ b/samples/bpf/netfilter_ip4_blacklist.bpf.c 
@@ -0,0 +1,62 @@ +// SPDX-License-Identifier: GPL-2.0 + +#include "vmlinux.h" +#include <bpf/bpf_helpers.h> + + +#define NF_DROP 0 +#define NF_ACCEPT 1 + +int bpf_dynptr_from_skb(struct sk_buff *skb, + __u64 flags, struct bpf_dynptr *ptr__uninit) __ksym; +void *bpf_dynptr_slice(const struct bpf_dynptr *ptr, + uint32_t offset, void *buffer, uint32_t buffer__sz) __ksym; + + +struct ipv4_lpm_key { + __u32 prefixlen; + __u32 data; +}; + +struct { + __uint(type, BPF_MAP_TYPE_LPM_TRIE); + __type(key, struct ipv4_lpm_key); + __type(value, __u32); + __uint(map_flags, BPF_F_NO_PREALLOC); + __uint(max_entries, 200); +} ipv4_lpm_map SEC(".maps"); + + +SEC("netfilter") +int netfilter_ip4block(struct bpf_nf_ctx *ctx) +{ + struct sk_buff *skb = ctx->skb; + struct bpf_dynptr ptr; + struct iphdr *p, iph = {}; + struct ipv4_lpm_key key; + __u32 *pvalue; + + if (skb->len <= 20 || bpf_dynptr_from_skb(skb, 0, &ptr)) + return NF_ACCEPT; + p = bpf_dynptr_slice(&ptr, 0, &iph, sizeof(iph)); + if (!p) + return NF_ACCEPT; + + /* ip4 only */ + if (p->version != 4) + return NF_ACCEPT; + + /* search p->daddr in trie */ + key.prefixlen = 32; + key.data = p->daddr; + pvalue = bpf_map_lookup_elem(&ipv4_lpm_map, &key); + if (pvalue) { + /* cat /sys/kernel/debug/tracing/trace_pipe */ + bpf_printk("rule matched with %d...\n", *pvalue); + return NF_DROP; + } + return NF_ACCEPT; +} + +char _license[] SEC("license") = "GPL"; + diff --git a/samples/bpf/netfilter_ip4_blacklist.c b/samples/bpf/netfilter_ip4_blacklist.c new file mode 100644 index 000000000000..bb7b26e5e06d --- /dev/null +++ b/samples/bpf/netfilter_ip4_blacklist.c 
@@ -0,0 +1,96 @@ +// SPDX-License-Identifier: GPL-2.0 + +#include <stdio.h> +#include <unistd.h> +#include <asm/unistd.h> +#include <bpf/libbpf.h> +#include <bpf/bpf.h> +#include <linux/netfilter.h> + + +static inline int sys_bpf(enum bpf_cmd cmd, union bpf_attr *attr, unsigned int size) +{ + return syscall(__NR_bpf, cmd, attr, size); +} +struct ipv4_lpm_key { + __u32 prefixlen; + __u32 data; +}; + +int main(int argc, char **argv) +{ + int prog_fd, map_fd; + int err; + struct bpf_object *obj; + struct bpf_program *prog; + union bpf_attr attr = { }; + + obj = bpf_object__open_file("./netfilter_ip4_blacklist.bpf.o", NULL); + if (libbpf_get_error(obj)) { + printf("fail to open bpf file\n"); + return 1; + } + prog = bpf_object__find_program_by_name(obj, "netfilter_ip4block"); + if (!prog) { + printf("fail to find bpf program\n"); + return 1; + } + bpf_program__set_type(prog, BPF_PROG_TYPE_NETFILTER); + if (bpf_object__load(obj)) { + printf("loading BPF object file failed\n"); + return 1; + } + map_fd = bpf_object__find_map_fd_by_name(obj, "ipv4_lpm_map"); + if (map_fd < 0) { + printf("Fail to locate trie ipv4_lpm_map\n"); + return 1; + } + /* attach to netfilter forward handler */ + prog_fd = bpf_program__fd(prog); + attr.link_create.prog_fd = prog_fd; + attr.link_create.attach_type = BPF_NETFILTER; + attr.link_create.netfilter.pf = NFPROTO_IPV4; + attr.link_create.netfilter.hooknum = NF_INET_FORWARD; + attr.link_create.netfilter.priority = -128; + err = sys_bpf(BPF_LINK_CREATE, &attr, sizeof(attr)); + if (err < 0) { + perror("Fail to link bpf program to netfilter forward hook\n"); + return 1; + } + /* attach to netfilter output handler */ + attr.link_create.netfilter.hooknum = NF_INET_LOCAL_OUT; + err = sys_bpf(BPF_LINK_CREATE, &attr, sizeof(attr)); + if (err < 0) { + perror("Fail to link bpf program to netfilter output hook\n"); + return 1; + } + printf("bpf program/map loaded....\n"); + /* add rules */ + { + struct ipv4_lpm_key key; + __u32 value = 0; + __u8 *p = 
(__u8 *) &key.data; + /* block 192.168.11.107/32 */ + key.prefixlen = 32; + /* same as key.data = 0x6B0BA8C0; on a little-endian machine */ + p[0] = 192; + p[1] = 168; + p[2] = 11; + p[3] = 107; + bpf_map_update_elem(map_fd, &key, &value, BPF_ANY); + /* block 192.168.11.107/24 */ + key.prefixlen = 24; + value++; + bpf_map_update_elem(map_fd, &key, &value, BPF_ANY); + /* block 192.168.11.107/27 */ + key.prefixlen = 27; + value++; + bpf_map_update_elem(map_fd, &key, &value, BPF_ANY); + /* remove rule */ + /* bpf_map_delete_elem(map_fd, &key); */ + printf("rules inserted, ready to work\n"); + } + while (1) + sleep(600); + return 0; +}
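Review bot: the three Makefile hunks register the new sample as `netfilter_ip4_blacklist` with `netfilter_ip4_blacklist-objs := netfilter_ip4_blacklist.o`, while the neighbouring entries in the same hunks keep the user-space half under a `_user` name (`xdp_fwd-objs := xdp_fwd_user.o`, `task_fd_query-objs := task_fd_query_user.o`); naming the files `netfilter_ip4_denylist_user.c` and `netfilter_ip4_denylist.bpf.c` would follow the directory's convention and at the same time address the coding-style request in the thread to avoid new uses of "blacklist".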
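Review bot: in the `netfilter_ip4block` hunk the length guard `if (skb->len <= 20 || bpf_dynptr_from_skb(skb, 0, &ptr))` also rejects a packet that consists of exactly a 20-byte IPv4 header with no payload, which is a valid datagram; `if (skb->len < sizeof(struct iphdr) || ...)` states the intent without the off-by-one and without the magic number. Two things worth a comment for readers of the sample: `key.data = p->daddr` stores the address in network byte order, and `BPF_MAP_TYPE_LPM_TRIE` matches `prefixlen` leading bits of `data` as a big-endian byte string, so this only agrees with the user-space side because that side also fills the key byte by byte instead of with a host-order integer; and the `p->version != 4` check is redundant once the link is created with `pf = NFPROTO_IPV4`, though harmless.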
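Review bot: in the user-space hunk the two `BPF_LINK_CREATE` calls put the returned link fd into `err` and neither keep nor close it; that fd is what keeps the program attached, so it only stays attached here because the process never exits, and the sample should say so or store the fds. `perror("Fail to link bpf program to netfilter forward hook\n")` puts the newline before the `: strerror` suffix that perror appends. Since the file already links against libbpf, the hand-rolled `sys_bpf()`/`union bpf_attr` path could be replaced by `bpf_program__attach_netfilter()` with a `struct bpf_netfilter_opts` carrying `pf`, `hooknum` and `priority` (or `bpf_link_create()` with its `netfilter` opts), which returns a `struct bpf_link *` the program can `bpf_link__destroy()` on exit; `bpf_program__set_type(prog, BPF_PROG_TYPE_NETFILTER)` is then also unnecessary, as libbpf infers the type from `SEC("netfilter")`. Finally, the comments `/* block 192.168.11.107/24 */` and `/* block 192.168.11.107/27 */` keep the full host address in the key; the trie ignores bits beyond `prefixlen`, so this works, but `192.168.11.0/24` and `192.168.11.96/27` describe the installed rules more honestly, and the return value of `bpf_map_update_elem()` is never checked.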
This sample code implements a simple ipv4
blacklist via the new bpf type BPF_PROG_TYPE_NETFILTER,
which was introduced in 6.4.

The bpf program drops a packet if its destination ip address
hits a match in the map of type BPF_MAP_TYPE_LPM_TRIE.

The userspace code would load the bpf program,
attach it to netfilter's FORWARD/OUTPUT hooks,
and then write ip patterns into the bpf map.

Signed-off-by: David Wang <00107082@163.com>
---
 samples/bpf/Makefile                      |  3 +
 samples/bpf/netfilter_ip4_blacklist.bpf.c | 62 +++++++++++++++
 samples/bpf/netfilter_ip4_blacklist.c     | 96 +++++++++++++++++++++++
 3 files changed, 161 insertions(+)
 create mode 100644 samples/bpf/netfilter_ip4_blacklist.bpf.c
 create mode 100644 samples/bpf/netfilter_ip4_blacklist.c
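The patch's user-space half writes LPM keys byte by byte and its BPF half looks the destination address up with `prefixlen = 32`, so which rule number `bpf_printk` reports depends on longest-prefix semantics and on byte order. The program below is an added example, not code from the patch or from the kernel tree: it models that data path in plain C so the behaviour can be checked without loading anything into a kernel. It parses CIDR strings into the same `struct ipv4_lpm_key` layout, stands in for the kernel trie with a flat-array lookup (an assumption made only for the model), keeps the patch's three rules and rule numbers, and runs the BPF program's checks over constructed IPv4 headers. It uses `len < 20` rather than the sample's `<= 20` so that a bare 20-byte header counts as IPv4.

```c
/* Added example, not the patch's code: a user-space model of the sample's data
 * path. Keys are filled like the sample's user-space half; the lookup is a flat
 * array model of BPF_MAP_TYPE_LPM_TRIE (an assumption, the real map is a trie). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NF_DROP     0
#define NF_ACCEPT   1
#define MAX_ENTRIES 8	/* stands in for the map's max_entries */

/* Same layout as the sample's struct ipv4_lpm_key; data is in network order. */
struct ipv4_lpm_key { uint32_t prefixlen; uint8_t data[4]; };
struct lpm_entry { struct ipv4_lpm_key key; uint32_t value; int used; };
static struct lpm_entry table[MAX_ENTRIES];

/* "a.b.c.d/n" -> key; bytes land in network order like the sample's p[0] = 192. */
int cidr_to_key(const char *cidr, struct ipv4_lpm_key *key)
{
	unsigned a, b, c, d, n;
	if (sscanf(cidr, "%u.%u.%u.%u/%u", &a, &b, &c, &d, &n) != 5 ||
	    a > 255 || b > 255 || c > 255 || d > 255 || n > 32)
		return -1;
	key->prefixlen = n;
	key->data[0] = a; key->data[1] = b; key->data[2] = c; key->data[3] = d;
	return 0;
}

/* Leading bits (at most limit) in which two big-endian addresses agree. */
static unsigned match_bits(const uint8_t *a, const uint8_t *b, unsigned limit)
{
	uint32_t x = 0;
	unsigned n = 0;
	for (int i = 0; i < 4; i++)
		x = (x << 8) | (a[i] ^ b[i]);	/* differing bits, MSB first */
	while (n < limit && !(x & 0x80000000u)) { x <<= 1; n++; }
	return n;
}

/* Kernel lookup semantics: most specific matching entry, never longer than the
 * lookup key's own prefixlen (the sample always asks with 32). */
const uint32_t *lpm_lookup(const struct ipv4_lpm_key *key)
{
	const struct lpm_entry *best = NULL;
	for (int i = 0; i < MAX_ENTRIES; i++) {
		const struct lpm_entry *e = &table[i];
		unsigned plen = e->key.prefixlen;
		if (!e->used || plen > key->prefixlen ||
		    match_bits(e->key.data, key->data, plen) != plen)
			continue;
		if (!best || plen > best->key.prefixlen)
			best = e;
	}
	return best ? &best->value : NULL;
}

/* The BPF program's logic over raw bytes; "< 20" keeps a bare 20-byte header. */
int verdict_for_packet(const uint8_t *pkt, size_t len, uint32_t *rule)
{
	struct ipv4_lpm_key key = { .prefixlen = 32 };
	const uint32_t *v;
	if (len < 20 || (pkt[0] >> 4) != 4)	/* too short, or not ip4 */
		return NF_ACCEPT;
	memcpy(key.data, pkt + 16, 4);		/* daddr, already network order */
	if (!(v = lpm_lookup(&key)))
		return NF_ACCEPT;
	if (rule)
		*rule = *v;
	return NF_DROP;
}

/* Constructed header addressed to a.b.c.d: rule id hit, or -1 when accepted. */
int rule_hit(unsigned version, unsigned a, unsigned b, unsigned c, unsigned d)
{
	uint8_t pkt[20] = { 0 };
	uint32_t rule;
	pkt[0] = (version << 4) | 5;			/* version, IHL = 5 words */
	pkt[3] = 20; pkt[8] = 64; pkt[9] = 17;		/* tot_len, ttl, proto */
	pkt[16] = a; pkt[17] = b; pkt[18] = c; pkt[19] = d;
	return verdict_for_packet(pkt, sizeof(pkt), &rule) == NF_DROP ? (int)rule : -1;
}

/* The sample's three rules, written as the sample writes them: bits past
 * prefixlen are ignored, so 192.168.11.107/27 means 192.168.11.96/27. */
int load_sample_rules(void)
{
	static const char *rules[] = { "192.168.11.107/32", "192.168.11.107/24", "192.168.11.107/27" };
	memset(table, 0, sizeof(table));
	for (uint32_t i = 0; i < 3; i++) {	/* value = rule index, as in the sample */
		if (cidr_to_key(rules[i], &table[i].key))
			return -1;
		table[i].value = i; table[i].used = 1;
	}
	return 0;
}

int main(void)
{
	unsigned last[] = { 107, 100, 200 };	/* hit /32, /27 and /24 in turn */
	if (load_sample_rules())
		return 1;
	for (int i = 0; i < 3; i++)
		printf("192.168.11.%u: rule %d\n", last[i], rule_hit(4, 192, 168, 11, last[i]));
	return 0;
}
```

Build with `cc -std=c11 -Wall` and run: 192.168.11.107 reports rule 0 (the /32 wins over the two shorter prefixes), 192.168.11.100 reports rule 2 (inside the /27), and 192.168.11.200 reports rule 1 (outside the /27 but inside the /24), which are the values the sample's `bpf_printk` would show in `trace_pipe` for the same destinations. A non-IPv4 version nibble or an address outside 192.168.11.0/24 yields NF_ACCEPT.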