From: Dmitrii Banshchikov <me@ubique.spb.ru>
To: bpf@vger.kernel.org
Cc: Dmitrii Banshchikov <me@ubique.spb.ru>,
ast@kernel.org, davem@davemloft.net, daniel@iogearbox.net,
andrii@kernel.org, kafai@fb.com, songliubraving@fb.com,
yhs@fb.com, john.fastabend@gmail.com, kpsingh@kernel.org,
netdev@vger.kernel.org, rdna@fb.com
Subject: [PATCH bpf-next 10/11] bpfilter: Add handling of setsockopt() calls
Date: Tue, 18 May 2021 02:53:07 +0400 [thread overview]
Message-ID: <20210517225308.720677-11-me@ubique.spb.ru> (raw)
In-Reply-To: <20210517225308.720677-1-me@ubique.spb.ru>
Add support of iptables' setsockopt(2).
The parameters of a setsockopt(2) call are passed by struct mbox_request
which contains a type of the setsockopt(2) call and its memory buffer
description.
The typical way to handle hooked setsockopt(2) call is to read the
supplied memory buffer via pvm_read(), process it and write an answer to
the process memory via pvm_write().
Signed-off-by: Dmitrii Banshchikov <me@ubique.spb.ru>
---
net/bpfilter/Makefile | 3 +-
net/bpfilter/sockopt.c | 357 +++++++++++++++++++++++++++++++++++++++++
net/bpfilter/sockopt.h | 14 ++
3 files changed, 373 insertions(+), 1 deletion(-)
create mode 100644 net/bpfilter/sockopt.c
create mode 100644 net/bpfilter/sockopt.h
diff --git a/net/bpfilter/Makefile b/net/bpfilter/Makefile
index e0090563f2ca..bae14fc9e396 100644
--- a/net/bpfilter/Makefile
+++ b/net/bpfilter/Makefile
@@ -4,7 +4,8 @@
#
userprogs := bpfilter_umh
-bpfilter_umh-objs := main.o bflog.o io.o map-common.o context.o match.o target.o rule.o table.o
+bpfilter_umh-objs := main.o bflog.o io.o map-common.o context.o match.o target.o rule.o table.o \
+ sockopt.o
userccflags += -I $(srctree)/tools/include/ -I $(srctree)/tools/include/uapi
ifeq ($(CONFIG_BPFILTER_UMH), y)
diff --git a/net/bpfilter/sockopt.c b/net/bpfilter/sockopt.c
new file mode 100644
index 000000000000..16f0ade203c0
--- /dev/null
+++ b/net/bpfilter/sockopt.c
@@ -0,0 +1,357 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (c) 2021 Telegram FZ-LLC
+ */
+
+#define _GNU_SOURCE
+
+#include "sockopt.h"
+
+#include <linux/err.h>
+#include <linux/list.h>
+
+#include <errno.h>
+#include <limits.h>
+#include <stdlib.h>
+
+#include "bflog.h"
+#include "context.h"
+#include "io.h"
+#include "msgfmt.h"
+#include "table-map.h"
+
+static int read_ipt_get_info(const struct mbox_request *req, struct bpfilter_ipt_get_info *info)
+{
+ int err;
+
+ if (req->len != sizeof(*info))
+ return -EINVAL;
+
+ err = pvm_read(req->pid, info, (const void *)req->addr, sizeof(*info));
+ if (err)
+ return err;
+
+ info->name[sizeof(info->name) - 1] = '\0';
+
+ return 0;
+}
+
+static int sockopt_get_info(struct context *ctx, const struct mbox_request *req)
+{
+ struct bpfilter_ipt_get_info info;
+ struct table *table;
+ int err;
+
+ BFLOG_DEBUG(ctx, "handling IPT_SO_GET_INFO\n");
+
+ if (req->len != sizeof(info))
+ return -EINVAL;
+
+ err = read_ipt_get_info(req, &info);
+ if (err) {
+ BFLOG_DEBUG(ctx, "cannot read ipt_get_info: %s\n", strerror(-err));
+ return err;
+ }
+
+ table = table_map_find(&ctx->table_map, info.name);
+ if (IS_ERR(table)) {
+ BFLOG_DEBUG(ctx, "cannot find table: '%s'\n", info.name);
+ return -ENOENT;
+ }
+
+ table_get_info(table, &info);
+
+ return pvm_write(req->pid, (void *)req->addr, &info, sizeof(info));
+}
+
+static int read_ipt_get_entries(const struct mbox_request *req,
+ struct bpfilter_ipt_get_entries *entries)
+{
+ int err;
+
+ if (req->len < sizeof(*entries))
+ return -EINVAL;
+
+ err = pvm_read(req->pid, entries, (const void *)req->addr, sizeof(*entries));
+ if (err)
+ return err;
+
+ entries->name[sizeof(entries->name) - 1] = '\0';
+
+ return 0;
+}
+
+static int sockopt_get_entries(struct context *ctx, const struct mbox_request *req)
+{
+ struct bpfilter_ipt_get_entries get_entries, *entries;
+ struct table *table;
+ int err;
+
+ BFLOG_DEBUG(ctx, "handling IPT_SO_GET_ENTRIES\n");
+
+ err = read_ipt_get_entries(req, &get_entries);
+ if (err) {
+ BFLOG_DEBUG(ctx, "cannot read ipt_get_entries: %s\n", strerror(-err));
+ return err;
+ }
+
+ table = table_map_find(&ctx->table_map, get_entries.name);
+ if (IS_ERR(table)) {
+ BFLOG_DEBUG(ctx, "cannot find table: '%s'\n", get_entries.name);
+ return -ENOENT;
+ }
+
+ if (get_entries.size != table->size) {
+ BFLOG_DEBUG(ctx, "table '%s' get entries size mismatch\n", get_entries.name);
+ return -EINVAL;
+ }
+
+ entries = (struct bpfilter_ipt_get_entries *)req->addr;
+
+ err = pvm_write(req->pid, entries->name, table->name, sizeof(entries->name));
+ if (err)
+ return err;
+
+ err = pvm_write(req->pid, &entries->size, &table->size, sizeof(table->size));
+ if (err)
+ return err;
+
+ return pvm_write(req->pid, entries->entries, table->entries, table->size);
+}
+
+static int read_ipt_get_revision(const struct mbox_request *req,
+ struct bpfilter_ipt_get_revision *revision)
+{
+ int err;
+
+ if (req->len != sizeof(*revision))
+ return -EINVAL;
+
+ err = pvm_read(req->pid, revision, (const void *)req->addr, sizeof(*revision));
+ if (err)
+ return err;
+
+ revision->name[sizeof(revision->name) - 1] = '\0';
+
+ return 0;
+}
+
+static int sockopt_get_revision_match(struct context *ctx, const struct mbox_request *req)
+{
+ struct bpfilter_ipt_get_revision get_revision;
+ const struct match_ops *found;
+ int err;
+
+ BFLOG_DEBUG(ctx, "handling IPT_SO_GET_REVISION_MATCH\n");
+
+ err = read_ipt_get_revision(req, &get_revision);
+ if (err)
+ return err;
+
+ found = match_ops_map_find(&ctx->match_ops_map, get_revision.name);
+ if (IS_ERR(found)) {
+ BFLOG_DEBUG(ctx, "cannot find match: '%s'\n", get_revision.name);
+ return PTR_ERR(found);
+ }
+
+ return found->revision;
+}
+
+static struct bpfilter_ipt_replace *read_ipt_replace(const struct mbox_request *req)
+{
+ struct bpfilter_ipt_replace *replace;
+ int err;
+
+ if (req->len < sizeof(*replace))
+ return ERR_PTR(-EINVAL);
+
+ replace = malloc(req->len);
+ if (!replace)
+ return ERR_PTR(-ENOMEM);
+
+ err = pvm_read(req->pid, replace, (const void *)req->addr, sizeof(*replace));
+ if (err)
+ goto err_free;
+
+ if (replace->num_counters == 0) {
+ err = -EINVAL;
+ goto err_free;
+ }
+
+ if (replace->num_counters >= INT_MAX / sizeof(struct bpfilter_ipt_counters)) {
+ err = -ENOMEM;
+ goto err_free;
+ }
+
+ replace->name[sizeof(replace->name) - 1] = '\0';
+
+ // TODO: add more checks here
+
+ err = pvm_read(req->pid, replace->entries, (const void *)req->addr + sizeof(*replace),
+ req->len - sizeof(*replace));
+ if (err)
+ goto err_free;
+
+ return replace;
+
+err_free:
+ free(replace);
+
+ return ERR_PTR(err);
+}
+
+static int sockopt_set_replace(struct context *ctx, const struct mbox_request *req)
+{
+ struct bpfilter_ipt_replace *ipt_replace;
+ struct table *table, *new_table = NULL;
+ int err;
+
+ BFLOG_DEBUG(ctx, "handling IPT_SO_SET_REPLACE\n");
+
+ ipt_replace = read_ipt_replace(req);
+ if (IS_ERR(ipt_replace)) {
+ BFLOG_DEBUG(ctx, "cannot read ipt_replace: %s\n", strerror(-PTR_ERR(ipt_replace)));
+ return PTR_ERR(ipt_replace);
+ }
+
+ table = table_map_find(&ctx->table_map, ipt_replace->name);
+ if (IS_ERR(table)) {
+ err = PTR_ERR(table);
+ BFLOG_DEBUG(ctx, "cannot find table: '%s'\n", ipt_replace->name);
+ goto cleanup;
+ }
+
+ new_table = create_table(ctx, ipt_replace);
+ if (IS_ERR(new_table)) {
+ err = PTR_ERR(new_table);
+ BFLOG_DEBUG(ctx, "cannot read table: %s\n", strerror(-PTR_ERR(new_table)));
+ goto cleanup;
+ }
+
+ // Here be codegen
+ // ...
+ //
+
+ err = table_map_update(&ctx->table_map, new_table->name, new_table);
+ if (err) {
+ BFLOG_DEBUG(ctx, "cannot update table map: %s\n", strerror(-err));
+ goto cleanup;
+ }
+
+ list_add_tail(&new_table->list, &ctx->table_list);
+ new_table = table;
+
+cleanup:
+ if (!IS_ERR(new_table))
+ free_table(new_table);
+
+ free(ipt_replace);
+
+ return err;
+}
+
+static struct bpfilter_ipt_counters_info *read_ipt_counters_info(const struct mbox_request *req)
+{
+ struct bpfilter_ipt_counters_info *info;
+ size_t size;
+ int err;
+
+ if (req->len < sizeof(*info))
+ return ERR_PTR(-EINVAL);
+
+ info = malloc(req->len);
+ if (!info)
+ return ERR_PTR(-ENOMEM);
+
+ err = pvm_read(req->pid, info, (const void *)req->addr, sizeof(*info));
+ if (err)
+ goto err_free;
+
+ // TODO add more size checks here
+
+ size = info->num_counters * sizeof(info->counters[0]);
+ if (req->len != sizeof(*info) + size) {
+ err = -EINVAL;
+ goto err_free;
+ }
+
+ info->name[sizeof(info->name) - 1] = '\0';
+
+ err = pvm_read(req->pid, info->counters, (const void *)req->addr + sizeof(*info), size);
+ if (err)
+ goto err_free;
+
+ return info;
+
+err_free:
+ free(info);
+
+ return ERR_PTR(err);
+}
+
+static int sockopt_set_add_counters(struct context *ctx, const struct mbox_request *req)
+{
+ struct bpfilter_ipt_counters_info *info;
+ struct table *table;
+ int err = 0;
+
+ BFLOG_DEBUG(ctx, "handling IPT_SO_SET_ADD_COUNTERS\n");
+
+ info = read_ipt_counters_info(req);
+ if (IS_ERR(info)) {
+ err = PTR_ERR(info);
+ BFLOG_DEBUG(ctx, "cannot read ipt_counters_info: %s\n", strerror(-err));
+ goto err_free;
+ }
+
+ table = table_map_find(&ctx->table_map, info->name);
+ if (IS_ERR(table)) {
+ err = PTR_ERR(table);
+ BFLOG_DEBUG(ctx, "cannot find table: '%s'\n", info->name);
+ goto err_free;
+ }
+
+ // TODO handle counters
+
+err_free:
+ free(info);
+
+ return err;
+}
+
+static int handle_get_request(struct context *ctx, const struct mbox_request *req)
+{
+ switch (req->cmd) {
+ case 0:
+ return 0;
+ case BPFILTER_IPT_SO_GET_INFO:
+ return sockopt_get_info(ctx, req);
+ case BPFILTER_IPT_SO_GET_ENTRIES:
+ return sockopt_get_entries(ctx, req);
+ case BPFILTER_IPT_SO_GET_REVISION_MATCH:
+ return sockopt_get_revision_match(ctx, req);
+ }
+
+ BFLOG_NOTICE(ctx, "Unexpected SO_GET request: %d\n", req->cmd);
+
+ return -ENOPROTOOPT;
+}
+
+static int handle_set_request(struct context *ctx, const struct mbox_request *req)
+{
+ switch (req->cmd) {
+ case BPFILTER_IPT_SO_SET_REPLACE:
+ return sockopt_set_replace(ctx, req);
+ case BPFILTER_IPT_SO_SET_ADD_COUNTERS:
+ return sockopt_set_add_counters(ctx, req);
+ }
+
+ BFLOG_NOTICE(ctx, "Unexpected SO_SET request: %d\n", req->cmd);
+
+ return -ENOPROTOOPT;
+}
+
+int handle_sockopt_request(struct context *ctx, const struct mbox_request *req)
+{
+ return req->is_set ? handle_set_request(ctx, req) : handle_get_request(ctx, req);
+}
diff --git a/net/bpfilter/sockopt.h b/net/bpfilter/sockopt.h
new file mode 100644
index 000000000000..711c2f295d89
--- /dev/null
+++ b/net/bpfilter/sockopt.h
@@ -0,0 +1,14 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (c) 2021 Telegram FZ-LLC
+ */
+
+#ifndef NET_BPFILTER_SOCKOPT_H
+#define NET_BPFILTER_SOCKOPT_H
+
+struct context;
+struct mbox_request;
+
+int handle_sockopt_request(struct context *ctx, const struct mbox_request *req);
+
+#endif // NET_BPFILTER_SOCKOPT_H
--
2.25.1
next prev parent reply other threads:[~2021-05-17 22:54 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-17 22:52 [PATCH bpf-next 00/11] bpfilter Dmitrii Banshchikov
2021-05-17 22:52 ` [PATCH bpf-next 01/11] bpfilter: Add types for usermode helper Dmitrii Banshchikov
2021-05-17 22:52 ` [PATCH bpf-next 02/11] bpfilter: Add logging facility Dmitrii Banshchikov
2021-05-19 17:32 ` Song Liu
2021-05-20 7:08 ` Dmitrii Banshchikov
2021-05-20 16:35 ` Song Liu
2021-05-21 6:46 ` Dmitrii Banshchikov
2021-05-17 22:53 ` [PATCH bpf-next 03/11] bpfilter: Add IO functions Dmitrii Banshchikov
2021-05-19 18:47 ` Song Liu
2021-05-17 22:53 ` [PATCH bpf-next 04/11] tools: Add bpfilter usermode helper header Dmitrii Banshchikov
2021-05-17 22:53 ` [PATCH bpf-next 05/11] bpfilter: Add map container Dmitrii Banshchikov
2021-05-17 22:53 ` [PATCH bpf-next 06/11] bpfilter: Add struct match Dmitrii Banshchikov
2021-05-20 4:26 ` Song Liu
2021-05-20 7:31 ` Dmitrii Banshchikov
2021-05-20 17:44 ` Song Liu
2021-05-17 22:53 ` [PATCH bpf-next 07/11] bpfilter: Add struct target Dmitrii Banshchikov
2021-05-20 4:36 ` Song Liu
2021-05-20 7:44 ` Dmitrii Banshchikov
2021-05-17 22:53 ` [PATCH bpf-next 08/11] bpfilter: Add struct rule Dmitrii Banshchikov
2021-05-17 22:53 ` [PATCH bpf-next 09/11] bpfilter: Add struct table Dmitrii Banshchikov
2021-05-20 18:07 ` Song Liu
2021-05-17 22:53 ` Dmitrii Banshchikov [this message]
2021-05-17 22:53 ` [PATCH bpf-next 11/11] bpfilter: Handle setsockopts Dmitrii Banshchikov
2021-05-20 4:54 ` [PATCH bpf-next 00/11] bpfilter Song Liu
2021-05-20 7:53 ` Dmitrii Banshchikov
2021-05-20 16:55 ` Alexei Starovoitov
2021-05-20 17:56 ` Song Liu
2021-05-21 6:00 ` Dmitrii Banshchikov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210517225308.720677-11-me@ubique.spb.ru \
--to=me@ubique.spb.ru \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=john.fastabend@gmail.com \
--cc=kafai@fb.com \
--cc=kpsingh@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=rdna@fb.com \
--cc=songliubraving@fb.com \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.