From: Willem de Bruijn
Date: Sat, 2 Dec 2017 23:22:13 -0500
Subject: Re: netfilter: xt_bpf: Fix XT_BPF_MODE_FD_PINNED mode of 'xt_bpf_info_v1'
To: Al Viro
Cc: Daniel Borkmann, Kees Cook, Shmulik Ladkani, Willem de Bruijn, Pablo Neira Ayuso, Linus Torvalds, David Miller, LKML, Network Development, Christoph Hellwig, Thomas Garnier, Jann Horn
In-Reply-To: <20171202220802.GR21978@ZenIV.linux.org.uk>

>> OK... See vfs.git#untested.mkobj; it really needs testing, though - mq_open(2)
>> passes LTP tests, but that's not saying much, and BPF side is completely
>> untested.
>
> ... and FWIW, completely untested patch for net/netfilter/xt_bpf.c follows:

Thanks a lot for this fix. The tree including the bpf fix passes this
basic xt_bpf test:

  mount -t bpf bpf /sys/fs/bpf
  ./pin /sys/fs/bpf/pass
  iptables -A INPUT -m bpf --object-pinned /sys/fs/bpf/five -j LOG
  iptables -L INPUT
  iptables -F INPUT

where pin is as follows:

diff --git a/samples/bpf/Makefile b/samples/bpf/Makefile index adeaa1302f34..0cd2bb8d634b 100644 --- a/samples/bpf/Makefile +++ b/samples/bpf/Makefile @@ -41,6 +41,7 @@ hostprogs-y += xdp_redirect_map hostprogs-y += xdp_redirect_cpu hostprogs-y += xdp_monitor hostprogs-y += syscall_tp +hostprogs-y += pin # Libbpf dependencies LIBBPF := ../../tools/lib/bpf/bpf.o @@ -89,6 +90,7 @@ xdp_redirect_map-objs := bpf_load.o $(LIBBPF) xdp_redirect_map_user.o xdp_redirect_cpu-objs := bpf_load.o $(LIBBPF) xdp_redirect_cpu_user.o xdp_monitor-objs := bpf_load.o $(LIBBPF) xdp_monitor_user.o syscall_tp-objs := bpf_load.o $(LIBBPF) syscall_tp_user.o +pin-objs := $(LIBBPF) pin.o # Tell kbuild to always build the programs always := $(hostprogs-y) diff --git a/samples/bpf/pin.c b/samples/bpf/pin.c new file mode 100644 index 000000000000..826e86784edf --- /dev/null +++ b/samples/bpf/pin.c @@ -0,0 +1,41 @@ +#define _GNU_SOURCE + +#include +#include +#include +#include +#include +#include +#include + +#include "libbpf.h" +#include "bpf_load.h" + +static char log_buf[1 << 16]; + +int main(int argc, char **argv) +{ + struct bpf_insn prog[] = { + BPF_MOV64_IMM(BPF_REG_0, 1), + BPF_EXIT_INSN(), + }; + int fd; + + if (argc != 2) + error(1, 0, "Usage: %s \n", argv[0]); + + fd = bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog, + sizeof(prog) / sizeof(prog[0]), + "GPL", 0, log_buf, sizeof(log_buf)); + if (fd == -1) + error(1, errno, "load: %s", log_buf); + + if (bpf_obj_pin(fd, argv[1])) + error(1, errno, "pin"); + + if (close(fd)) + error(1, errno, "close"); + + return 0; +}
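
Review bot: the binary name in `hostprogs-y += pin` (samples/bpf/Makefile) is very generic next to neighbours that are named for what they demonstrate (xdp_redirect_cpu, xdp_monitor, syscall_tp). A name that says this loads and pins a socket-filter program would make the sample easier to find and harder to confuse with an unrelated tool on PATH. Also note that `pin-objs := $(LIBBPF) pin.o` links only libbpf, so the source should not depend on anything provided by bpf_load.o.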
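
Review bot: the load check `if (fd == -1)` in main() of samples/bpf/pin.c should be `if (fd < 0)`, since any negative return is not a usable descriptor and would otherwise be handed to bpf_obj_pin(). Two smaller points in the same file: `#include "bpf_load.h"` looks unneeded, because the visible body calls only bpf_load_program() and bpf_obj_pin() and the Makefile does not link bpf_load.o; and the two-instruction program (`BPF_MOV64_IMM(BPF_REG_0, 1)` followed by `BPF_EXIT_INSN()`) deserves a one-line comment stating that it always returns 1, so a reader knows what verdict the pinned object gives when it is attached through xt_bpf. The usage string `"Usage: %s \n"` as shown names no argument; it should say that a pin path under a mounted bpf filesystem is expected.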