
Commit d2ba09c1 authored by Alexei Starovoitov, committed by David S. Miller

net: add skeleton of bpfilter kernel module



bpfilter.ko consists of bpfilter_kern.c (normal kernel module code)
and user mode helper code that is embedded into bpfilter.ko

The steps to build bpfilter.ko are the following:
- main.c is compiled by HOSTCC into the bpfilter_umh elf executable file
- with quite a bit of objcopy and Makefile magic the bpfilter_umh elf file
  is converted into bpfilter_umh.o object file
  with _binary_net_bpfilter_bpfilter_umh_start and _end symbols
  Example:
  $ nm ./bld_x64/net/bpfilter/bpfilter_umh.o
  0000000000004cf8 T _binary_net_bpfilter_bpfilter_umh_end
  0000000000004cf8 A _binary_net_bpfilter_bpfilter_umh_size
  0000000000000000 T _binary_net_bpfilter_bpfilter_umh_start
- bpfilter_umh.o and bpfilter_kern.o are linked together into bpfilter.ko

bpfilter_kern.c is a normal kernel module code that calls
the fork_usermode_blob() helper to execute part of its own data
as a user mode process.

Notice that _binary_net_bpfilter_bpfilter_umh_start - end
is placed into .init.rodata section, so it's freed as soon as __init
function of bpfilter.ko is finished.
As part of __init the bpfilter.ko does first request/reply action
via two unix pipes provided by the fork_usermode_blob() helper to
make sure that umh is healthy. If not it will kill it via pid.

Later bpfilter_process_sockopt() will be called from bpfilter hooks
in get/setsockopt() to pass iptable commands into umh via bpfilter.ko

If admin does 'rmmod bpfilter' the __exit code bpfilter.ko will
kill umh as well.

Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent 449325b5
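--- /dev/null
+++ b/include/linux/bpfilter.h
@@ -0,0 +1,15 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef _LINUX_BPFILTER_H
+#define _LINUX_BPFILTER_H
+
+#include <uapi/linux/bpfilter.h>
+
+struct sock;
+int bpfilter_ip_set_sockopt(struct sock *sk, int optname, char *optval,
+			    unsigned int optlen);
+int bpfilter_ip_get_sockopt(struct sock *sk, int optname, char *optval,
+			    int *optlen);
+extern int (*bpfilter_process_sockopt)(struct sock *sk, int optname,
+				       char __user *optval,
+				       unsigned int optlen, bool is_set);
+#endif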
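Review bot: The two function prototypes declare `char *optval` while the `bpfilter_process_sockopt` hook pointer right below them declares `char __user *optval`; since optval on the sockopt path is a user-space pointer, the missing `__user` on `bpfilter_ip_set_sockopt` and `bpfilter_ip_get_sockopt` means sparse cannot flag a direct dereference in whatever implements them. I would annotate both as `char __user *optval` so all three declarations agree with the address space the hook already documents. The header also relies on `bool` and `__user` without including `<linux/types.h>` or `<linux/compiler.h>` itself, depending on what `<uapi/linux/bpfilter.h>` happens to pull in, which looks fragile if that include chain changes.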
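--- /dev/null
+++ b/include/uapi/linux/bpfilter.h
@@ -0,0 +1,21 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef _UAPI_LINUX_BPFILTER_H
+#define _UAPI_LINUX_BPFILTER_H
+
+#include <linux/if.h>
+
+enum {
+	BPFILTER_IPT_SO_SET_REPLACE = 64,
+	BPFILTER_IPT_SO_SET_ADD_COUNTERS = 65,
+	BPFILTER_IPT_SET_MAX,
+};
+
+enum {
+	BPFILTER_IPT_SO_GET_INFO = 64,
+	BPFILTER_IPT_SO_GET_ENTRIES = 65,
+	BPFILTER_IPT_SO_GET_REVISION_MATCH = 66,
+	BPFILTER_IPT_SO_GET_REVISION_TARGET = 67,
+	BPFILTER_IPT_GET_MAX,
+};
+
+#endif /* _UAPI_LINUX_BPFILTER_H */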
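Review bot: The enum constants hard-code 64–67 with nothing saying that these are the existing iptables socket-option numbers (IPT_SO_SET_REPLACE, IPT_SO_SET_ADD_COUNTERS, IPT_SO_GET_INFO and the rest, which start at IPT_BASE_CTL), so a reader has no hint that they must stay in sync with the iptables uapi and must not be renumbered. A one-line comment above each enum, e.g. `/* same values as the IPT_SO_SET_* / IPT_SO_GET_* iptables socket options; uapi, do not renumber */`, would make the coupling explicit. The `_MAX` members are exclusive upper bounds rather than the largest valid option, which is worth a word since callers will likely use them as range checks. `#include <linux/if.h>` is not used by anything declared in this header; presumably it is there for consumers, but if not it can go.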
+2 −0
@@ -202,6 +202,8 @@ source "net/bridge/netfilter/Kconfig"

endif

source "net/bpfilter/Kconfig"

source "net/dccp/Kconfig"
source "net/sctp/Kconfig"
source "net/rds/Kconfig"
+1 −0
@@ -20,6 +20,7 @@ obj-$(CONFIG_TLS) += tls/
obj-$(CONFIG_XFRM)		+= xfrm/
obj-$(CONFIG_UNIX)		+= unix/
obj-$(CONFIG_NET)		+= ipv6/
obj-$(CONFIG_BPFILTER)		+= bpfilter/
obj-$(CONFIG_PACKET)		+= packet/
obj-$(CONFIG_NET_KEY)		+= key/
obj-$(CONFIG_BRIDGE)		+= bridge/

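--- /dev/null
+++ b/net/bpfilter/Kconfig
+menuconfig BPFILTER
+	bool "BPF based packet filtering framework (BPFILTER)"
+	default n
+	depends on NET && BPF
+	help
+	  This builds experimental bpfilter framework that is aiming to
+	  provide netfilter compatible functionality via BPF
+
+if BPFILTER
+config BPFILTER_UMH
+	tristate "bpfilter kernel module with user mode helper"
+	default m
+	help
+	  This builds bpfilter kernel module with embedded user mode helper
+endif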
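Review bot: The BPFILTER_UMH help text does not tell the administrator that the module carries a user-space binary which the kernel itself spawns as a process at module load (the commit message describes the fork_usermode_blob() call and the init-time request/reply check), and that is the property most relevant to deciding whether to enable it. I would extend the help with a sentence such as `The embedded helper is started as a user-space process by the kernel when the module loads and is killed again on rmmod.` On style, `default n` on BPFILTER is already the Kconfig default and can be dropped, and `depends on NET` looks redundant given that net/Kconfig sources this file from inside its NET section — worth confirming before removing.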