Commit 2b99ef22 authored by Florian Westphal's avatar Florian Westphal Committed by Alexei Starovoitov
Browse files

bpf: add test_run support for netfilter program type 



add glue code so a bpf program can be run using userspace-provided
netfilter state and packet/skb.

Default is to use ipv4:output hook point, but this can be overridden by
userspace.  Userspace provided netfilter state is restricted, only hook and
protocol families can be overridden and only to ipv4/ipv6.

Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Link: https://lore.kernel.org/r/20230421170300.24115-7-fw@strlen.de


Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
parent d0fe92fb

include/linux/bpf.h

+3 −0
Original line number Diff line number Diff line
@@ -2264,6 +2264,9 @@ int bpf_prog_test_run_raw_tp(struct bpf_prog *prog, 
int bpf_prog_test_run_sk_lookup(struct bpf_prog *prog,

				const union bpf_attr *kattr,

				union bpf_attr __user *uattr);

int bpf_prog_test_run_nf(struct bpf_prog *prog,

			 const union bpf_attr *kattr,

			 union bpf_attr __user *uattr);

bool btf_ctx_access(int off, int size, enum bpf_access_type type,

		    const struct bpf_prog *prog,

		    struct bpf_insn_access_aux *info);

net/bpf/test_run.c

+158 −0
Original line number Diff line number Diff line
@@ -19,7 +19,9 @@ 
#include <linux/error-injection.h>

#include <linux/smp.h>

#include <linux/sock_diag.h>

#include <linux/netfilter.h>

#include <net/xdp.h>

#include <net/netfilter/nf_bpf_link.h>



#define CREATE_TRACE_POINTS

#include <trace/events/bpf_test_run.h>
@@ -1691,6 +1693,162 @@ int bpf_prog_test_run_syscall(struct bpf_prog *prog, 
	return err;

}



static int verify_and_copy_hook_state(struct nf_hook_state *state,

				      const struct nf_hook_state *user,

				      struct net_device *dev)

{

	if (user->in || user->out)

		return -EINVAL;



	if (user->net || user->sk || user->okfn)

		return -EINVAL;



	switch (user->pf) {

	case NFPROTO_IPV4:

	case NFPROTO_IPV6:

		switch (state->hook) {

		case NF_INET_PRE_ROUTING:

			state->in = dev;

			break;

		case NF_INET_LOCAL_IN:

			state->in = dev;

			break;

		case NF_INET_FORWARD:

			state->in = dev;

			state->out = dev;

			break;

		case NF_INET_LOCAL_OUT:

			state->out = dev;

			break;

		case NF_INET_POST_ROUTING:

			state->out = dev;

			break;

		}



		break;

	default:

		return -EINVAL;

	}



	state->pf = user->pf;

	state->hook = user->hook;



	return 0;

}



static __be16 nfproto_eth(int nfproto)

{

	switch (nfproto) {

	case NFPROTO_IPV4:

		return htons(ETH_P_IP);

	case NFPROTO_IPV6:

		break;

	}



	return htons(ETH_P_IPV6);

}



int bpf_prog_test_run_nf(struct bpf_prog *prog,

			 const union bpf_attr *kattr,

			 union bpf_attr __user *uattr)

{

	struct net *net = current->nsproxy->net_ns;

	struct net_device *dev = net->loopback_dev;

	struct nf_hook_state *user_ctx, hook_state = {

		.pf = NFPROTO_IPV4,

		.hook = NF_INET_LOCAL_OUT,

	};

	u32 size = kattr->test.data_size_in;

	u32 repeat = kattr->test.repeat;

	struct bpf_nf_ctx ctx = {

		.state = &hook_state,

	};

	struct sk_buff *skb = NULL;

	u32 retval, duration;

	void *data;

	int ret;



	if (kattr->test.flags || kattr->test.cpu || kattr->test.batch_size)

		return -EINVAL;



	if (size < sizeof(struct iphdr))

		return -EINVAL;



	data = bpf_test_init(kattr, kattr->test.data_size_in, size,

			     NET_SKB_PAD + NET_IP_ALIGN,

			     SKB_DATA_ALIGN(sizeof(struct skb_shared_info)));

	if (IS_ERR(data))

		return PTR_ERR(data);



	if (!repeat)

		repeat = 1;



	user_ctx = bpf_ctx_init(kattr, sizeof(struct nf_hook_state));

	if (IS_ERR(user_ctx)) {

		kfree(data);

		return PTR_ERR(user_ctx);

	}



	if (user_ctx) {

		ret = verify_and_copy_hook_state(&hook_state, user_ctx, dev);

		if (ret)

			goto out;

	}



	skb = slab_build_skb(data);

	if (!skb) {

		ret = -ENOMEM;

		goto out;

	}



	data = NULL; /* data released via kfree_skb */



	skb_reserve(skb, NET_SKB_PAD + NET_IP_ALIGN);

	__skb_put(skb, size);



	ret = -EINVAL;



	if (hook_state.hook != NF_INET_LOCAL_OUT) {

		if (size < ETH_HLEN + sizeof(struct iphdr))

			goto out;



		skb->protocol = eth_type_trans(skb, dev);

		switch (skb->protocol) {

		case htons(ETH_P_IP):

			if (hook_state.pf == NFPROTO_IPV4)

				break;

			goto out;

		case htons(ETH_P_IPV6):

			if (size < ETH_HLEN + sizeof(struct ipv6hdr))

				goto out;

			if (hook_state.pf == NFPROTO_IPV6)

				break;

			goto out;

		default:

			ret = -EPROTO;

			goto out;

		}



		skb_reset_network_header(skb);

	} else {

		skb->protocol = nfproto_eth(hook_state.pf);

	}



	ctx.skb = skb;



	ret = bpf_test_run(prog, &ctx, repeat, &retval, &duration, false);

	if (ret)

		goto out;



	ret = bpf_test_finish(kattr, uattr, NULL, NULL, 0, retval, duration);



out:

	kfree(user_ctx);

	kfree_skb(skb);

	kfree(data);

	return ret;

}



static const struct btf_kfunc_id_set bpf_prog_test_kfunc_set = {

	.owner = THIS_MODULE,

	.set   = &test_sk_check_kfunc_ids,

net/netfilter/nf_bpf_link.c

+1 −0
Original line number Diff line number Diff line
@@ -166,6 +166,7 @@ int bpf_nf_link_attach(const union bpf_attr *attr, struct bpf_prog *prog) 
}



const struct bpf_prog_ops netfilter_prog_ops = {

	.test_run = bpf_prog_test_run_nf,

};



static bool nf_ptr_to_btf_id(struct bpf_insn_access_aux *info, const char *name)