    bpf: add bpf_link support for BPF_NETFILTER programs · 84601d6e
    Florian Westphal authored
    Add bpf_link support skeleton.  To keep this reviewable, no bpf program
    can be invoked yet: if a program is attached, only a C stub is called and
    not the actual bpf program.
    
    Defaults to 'y' if both netfilter and bpf syscall are enabled in kconfig.
    
    Uapi example usage:
    	union bpf_attr attr = { };
    
    	attr.link_create.prog_fd = progfd;
    	attr.link_create.attach_type = 0; /* unused */
    	attr.link_create.netfilter.pf = PF_INET;
    	attr.link_create.netfilter.hooknum = NF_INET_LOCAL_IN;
    	attr.link_create.netfilter.priority = -128;
    
    	err = bpf(BPF_LINK_CREATE, &attr, sizeof(attr));
    
    ... this would attach progfd to the ipv4:input hook.
    
    Such a hook gets removed automatically if the calling program exits.
    
    BPF_NETFILTER program invocation is added in a followup change.
    
    The NF_HOOK_OP_BPF enum will eventually be read from nfnetlink_hook; it
    allows telling userspace which program is attached at the given hook
    when the user runs the 'nft hook list' command, rather than just the priority
    and a not-very-helpful 'this hook runs a bpf prog but I can't tell which
    one'.
    
    Will also be used to disallow registration of two bpf programs with the
    same priority in a followup patch.
    
    v4: arm32 cmpxchg only supports 32bit operand
        s/prio/priority/
    v3: restrict prog attachment to ip/ip6 for now; let's lift restrictions if
        more use cases pop up (arptables, ebtables, netdev ingress/egress etc).
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Link: https://lore.kernel.org/r/20230421170300.24115-2-fw@strlen.de
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>
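The uapi sketch in the commit message and the note that the hook disappears when the calling program exits, carried through as a complete userspace program. This is an added example, not code from the commit or from the kernel tree: it loads a two-instruction "r0 = NF_ACCEPT; exit" program of type BPF_PROG_TYPE_NETFILTER, pre-checks the attach parameters against the ip/ip6 and NF_INET_* hook restriction mentioned for v3, and then issues BPF_LINK_CREATE with the netfilter fields. It talks to bpf(2) through raw syscall() with local copies of the relevant prefixes of union bpf_attr, so it builds against headers that predate this patch; the field offsets, the numeric values for the commands, the program type and the hook numbers are this example's transcription of the UAPI and are assumptions to verify against the kernel you target. It also passes BPF_NETFILTER (45) as attach_type and expected_attach_type, which released kernels require in place of the 0 shown in the commit message. The errno values returned by the pre-check are this example's own choices. The program needs CAP_BPF/CAP_NET_ADMIN and a kernel that includes this series.

```c
/* Added example (not part of the commit): attach a minimal "accept everything"
 * BPF_PROG_TYPE_NETFILTER program to the ipv4 LOCAL_IN hook with
 * BPF_LINK_CREATE, using raw bpf(2) syscalls and local bpf_attr layouts. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/syscall.h>

/* bpf(2) command numbers and the netfilter program/attach type values (UAPI). */
enum { CMD_PROG_LOAD = 5, CMD_LINK_CREATE = 28 };
enum { PROG_TYPE_NETFILTER = 32, ATTACH_NETFILTER = 45 };
/* NF_INET_* hook numbers as in <linux/netfilter.h>. */
enum { NF_INET_PRE_ROUTING, NF_INET_LOCAL_IN, NF_INET_FORWARD,
       NF_INET_LOCAL_OUT, NF_INET_POST_ROUTING, NF_INET_NUMHOOKS };

/* Prefix of union bpf_attr's link_create member, including the netfilter
 * fields this patch adds at offset 16 (assumed layout). The kernel zero-fills
 * the remainder of the union when a shorter size is passed to bpf(2). */
struct nf_link_create {
    uint32_t prog_fd;
    uint32_t target_fd;    /* unused for netfilter */
    uint32_t attach_type;
    uint32_t flags;        /* unused for netfilter */
    uint32_t pf;           /* netfilter.pf */
    uint32_t hooknum;      /* netfilter.hooknum */
    int32_t  priority;     /* netfilter.priority */
    uint32_t nf_flags;     /* netfilter.flags, must be 0 */
};

/* Prefix of the prog_load member up to expected_attach_type (72 bytes). */
struct nf_prog_load {
    uint32_t prog_type, insn_cnt;
    uint64_t insns, license;
    uint32_t log_level, log_size;
    uint64_t log_buf;
    uint32_t kern_version, prog_flags;
    char     prog_name[16];
    uint32_t prog_ifindex, expected_attach_type;
};

/* Userspace pre-check of the attach parameters, mirroring the v3 note in the
 * commit message: only ip/ip6 and a valid NF_INET_* hook are accepted.
 * Returns 0 and fills *a on success, a negative errno (example's choice) otherwise. */
int nf_link_attr_build(struct nf_link_create *a, int prog_fd,
                       uint32_t pf, uint32_t hooknum, int32_t priority)
{
    memset(a, 0, sizeof(*a));
    if (prog_fd < 0)
        return -EBADF;
    if (pf != PF_INET && pf != PF_INET6)
        return -EAFNOSUPPORT;
    if (hooknum >= NF_INET_NUMHOOKS)
        return -EPROTO;
    a->prog_fd = (uint32_t)prog_fd;
    a->attach_type = ATTACH_NETFILTER;
    a->pf = pf;
    a->hooknum = hooknum;
    a->priority = priority;
    return 0;
}

/* Load the two-instruction program "r0 = 1 (NF_ACCEPT); exit". */
static int load_accept_prog(void)
{
    /* Same 8-byte layout as struct bpf_insn: code, dst|src regs, off, imm. */
    struct { uint8_t code, regs; int16_t off; int32_t imm; } insns[2] = {
        { 0xb7, 0, 0, 1 },   /* BPF_MOV64_IMM(BPF_REG_0, 1) */
        { 0x95, 0, 0, 0 },   /* BPF_EXIT_INSN() */
    };
    struct nf_prog_load attr;
    memset(&attr, 0, sizeof(attr));
    attr.prog_type = PROG_TYPE_NETFILTER;
    attr.insn_cnt = 2;
    attr.insns = (uint64_t)(uintptr_t)insns;
    attr.license = (uint64_t)(uintptr_t)"GPL";
    attr.expected_attach_type = ATTACH_NETFILTER;
    return (int)syscall(SYS_bpf, CMD_PROG_LOAD, &attr, sizeof(attr));
}

int main(void)
{
    struct nf_link_create attr;
    int prog_fd = load_accept_prog();
    if (prog_fd < 0) { perror("BPF_PROG_LOAD"); return 1; }

    int err = nf_link_attr_build(&attr, prog_fd, PF_INET, NF_INET_LOCAL_IN, -128);
    if (err) { fprintf(stderr, "bad attach parameters: %s\n", strerror(-err)); return 1; }

    int link_fd = (int)syscall(SYS_bpf, CMD_LINK_CREATE, &attr, sizeof(attr));
    if (link_fd < 0) { perror("BPF_LINK_CREATE"); return 1; }

    printf("prog %d attached to ipv4:input at priority %d (link fd %d)\n",
           prog_fd, attr.priority, link_fd);
    /* The hook lives exactly as long as link_fd is open: closing it, or the
     * process exiting, detaches the program without any explicit teardown. */
    pause();
    return 0;
}
```

Because the link fd owns the hook, a supervisor that wants the program to outlive this process must pin the link (BPF_OBJ_PIN) rather than rely on the attaching process staying alive; conversely, a crash of the attaching daemon cannot leave a stale hook behind.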