* [PATCH bpf-next 0/4] Introduce bpf_ct_set_nat_info kfunc helper
From: Lorenzo Bianconi @ 2022-09-01 16:43 UTC (permalink / raw)
  To: bpf
  Cc: netdev, ast, daniel, andrii, davem, kuba, edumazet, pabeni,
	pablo, fw, netfilter-devel, lorenzo.bianconi, brouer, toke,
	memxor

Introduce the bpf_ct_set_nat_info kfunc helper in order to set source and
destination nat addresses/ports in a newly allocated ct entry not yet
inserted in the connection tracking table.
Introduce support for per-parameter trusted args.

Kumar Kartikeya Dwivedi (2):
  bpf: Add support for per-parameter trusted args
  selftests/bpf: Extend KF_TRUSTED_ARGS test for __ref annotation

Lorenzo Bianconi (2):
  net: netfilter: add bpf_ct_set_nat_info kfunc helper
  selftests/bpf: add tests for bpf_ct_set_nat_info kfunc

 Documentation/bpf/kfuncs.rst                  | 18 +++++++
 kernel/bpf/btf.c                              | 39 ++++++++++-----
 net/bpf/test_run.c                            |  9 +++-
 net/netfilter/nf_conntrack_bpf.c              | 49 ++++++++++++++++++-
 .../testing/selftests/bpf/prog_tests/bpf_nf.c |  2 +
 .../testing/selftests/bpf/progs/test_bpf_nf.c | 26 +++++++++-
 tools/testing/selftests/bpf/verifier/calls.c  | 38 +++++++++++---
 7 files changed, 156 insertions(+), 25 deletions(-)

-- 
2.37.2



* [PATCH bpf-next 1/4] bpf: Add support for per-parameter trusted args
From: Lorenzo Bianconi @ 2022-09-01 16:43 UTC (permalink / raw)
  To: bpf
  Cc: netdev, ast, daniel, andrii, davem, kuba, edumazet, pabeni,
	pablo, fw, netfilter-devel, lorenzo.bianconi, brouer, toke,
	memxor

From: Kumar Kartikeya Dwivedi <memxor@gmail.com>

Similar to how we detect mem, size pairs in kfuncs, teach the verifier to
treat a __ref suffix on an argument name to imply that it must be a trusted
arg when passed to the kfunc, similar to the effect of the KF_TRUSTED_ARGS
flag but limited to the specific parameter. This is required to ensure that
kfuncs that operate on some object only work on acquired pointers and not on
a normal PTR_TO_BTF_ID of the same type, which can be obtained by pointer
walking. Release functions need not specify such a suffix on release
arguments as they are already expected to receive one referenced argument.

Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
---
 Documentation/bpf/kfuncs.rst | 18 +++++++++++++++++
 kernel/bpf/btf.c             | 39 ++++++++++++++++++++++++------------
 net/bpf/test_run.c           |  9 +++++++--
 3 files changed, 51 insertions(+), 15 deletions(-)

diff --git a/Documentation/bpf/kfuncs.rst b/Documentation/bpf/kfuncs.rst
index 781731749e55..a9d77d12fd0c 100644
--- a/Documentation/bpf/kfuncs.rst
+++ b/Documentation/bpf/kfuncs.rst
@@ -72,6 +72,24 @@ argument as its size. By default, without __sz annotation, the size of the type
 of the pointer is used. Without __sz annotation, a kfunc cannot accept a void
 pointer.
 
+2.2.2 __ref Annotation
+----------------------
+
+This annotation is used to indicate that the argument is trusted, i.e. it will
+be a pointer from an acquire function (defined later), and its offset will be
+zero. This annotation has the same effect as the KF_TRUSTED_ARGS kfunc flag but
+only on the parameter it is applied to. An example is shown below::
+
+        void bpf_task_send_signal(struct task_struct *task__ref, int signal)
+        {
+        ...
+        }
+
+Here, bpf_task_send_signal will only act on trusted task_struct pointers, and
+cannot be used on pointers obtained using pointer walking. This ensures that
+caller always calls this kfunc on a task whose lifetime is guaranteed for the
+duration of the call.
+
 .. _BPF_kfunc_nodef:
 
 2.3 Using an existing kernel function
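Review bot: the new 2.2.2 text says the argument's "offset will be zero", but the only check this patch adds in the kernel/bpf/btf.c hunk is `!reg->ref_obj_id`; either point at where the zero-offset requirement is enforced or drop that sentence. It would also help to say that bpf_task_send_signal is an illustrative signature rather than a kfunc this series adds, and that the suffix lives only on the kernel-side BTF parameter name: BPF programs declare the prototype without it (the selftest in 4/4 declares bpf_ct_set_nat_info with a plain `struct nf_conn *` first parameter), so readers do not try to reproduce the `__ref` name on the caller side.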
diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index 903719b89238..7e273f949ee8 100644
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -6140,18 +6140,13 @@ static bool __btf_type_is_scalar_struct(struct bpf_verifier_log *log,
 	return true;
 }
 
-static bool is_kfunc_arg_mem_size(const struct btf *btf,
-				  const struct btf_param *arg,
-				  const struct bpf_reg_state *reg)
+static bool btf_param_match_suffix(const struct btf *btf,
+				   const struct btf_param *arg,
+				   const char *suffix)
 {
-	int len, sfx_len = sizeof("__sz") - 1;
-	const struct btf_type *t;
+	int len, sfx_len = strlen(suffix);
 	const char *param_name;
 
-	t = btf_type_skip_modifiers(btf, arg->type, NULL);
-	if (!btf_type_is_scalar(t) || reg->type != SCALAR_VALUE)
-		return false;
-
 	/* In the future, this can be ported to use BTF tagging */
 	param_name = btf_name_by_offset(btf, arg->name_off);
 	if (str_is_empty(param_name))
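Review bot: `int len, sfx_len = strlen(suffix);` stores a size_t in an int and then compares it against `len` a few lines down; with the two callers passing short string literals it is harmless, but since this helper is now the single place both annotations are matched, declaring both lengths as `size_t` would avoid the signed/unsigned mix for good. A one-line kernel-doc on btf_param_match_suffix listing the suffixes it currently serves (`__sz`, `__ref`) would also give the "ported to use BTF tagging" comment a natural home.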
@@ -6160,10 +6155,26 @@ static bool is_kfunc_arg_mem_size(const struct btf *btf,
 	if (len < sfx_len)
 		return false;
 	param_name += len - sfx_len;
-	if (strncmp(param_name, "__sz", sfx_len))
+	return !strncmp(param_name, suffix, sfx_len);
+}
+
+static bool is_kfunc_arg_ref(const struct btf *btf,
+			     const struct btf_param *arg)
+{
+	return btf_param_match_suffix(btf, arg, "__ref");
+}
+
+static bool is_kfunc_arg_mem_size(const struct btf *btf,
+				  const struct btf_param *arg,
+				  const struct bpf_reg_state *reg)
+{
+	const struct btf_type *t;
+
+	t = btf_type_skip_modifiers(btf, arg->type, NULL);
+	if (!btf_type_is_scalar(t) || reg->type != SCALAR_VALUE)
 		return false;
 
-	return true;
+	return btf_param_match_suffix(btf, arg, "__sz");
 }
 
 static int btf_check_func_arg_match(struct bpf_verifier_env *env,
@@ -6173,7 +6184,7 @@ static int btf_check_func_arg_match(struct bpf_verifier_env *env,
 				    u32 kfunc_flags)
 {
 	enum bpf_prog_type prog_type = resolve_prog_type(env->prog);
-	bool rel = false, kptr_get = false, trusted_arg = false;
+	bool rel = false, kptr_get = false, kf_trusted_args = false;
 	bool sleepable = false;
 	struct bpf_verifier_log *log = &env->log;
 	u32 i, nargs, ref_id, ref_obj_id = 0;
@@ -6211,7 +6222,7 @@ static int btf_check_func_arg_match(struct bpf_verifier_env *env,
 		/* Only kfunc can be release func */
 		rel = kfunc_flags & KF_RELEASE;
 		kptr_get = kfunc_flags & KF_KPTR_GET;
-		trusted_arg = kfunc_flags & KF_TRUSTED_ARGS;
+		kf_trusted_args = kfunc_flags & KF_TRUSTED_ARGS;
 		sleepable = kfunc_flags & KF_SLEEPABLE;
 	}
 
@@ -6222,6 +6233,7 @@ static int btf_check_func_arg_match(struct bpf_verifier_env *env,
 		enum bpf_arg_type arg_type = ARG_DONTCARE;
 		u32 regno = i + 1;
 		struct bpf_reg_state *reg = &regs[regno];
+		bool trusted_arg = false;
 
 		t = btf_type_skip_modifiers(btf, args[i].type, NULL);
 		if (btf_type_is_scalar(t)) {
@@ -6240,6 +6252,7 @@ static int btf_check_func_arg_match(struct bpf_verifier_env *env,
 		/* Check if argument must be a referenced pointer, args + i has
 		 * been verified to be a pointer (after skipping modifiers).
 		 */
+		trusted_arg = kf_trusted_args || is_kfunc_arg_ref(btf, args + i);
 		if (is_kfunc && trusted_arg && !reg->ref_obj_id) {
 			bpf_log(log, "R%d must be referenced\n", regno);
 			return -EINVAL;
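Review bot: `trusted_arg = kf_trusted_args || is_kfunc_arg_ref(btf, args + i);` sits after the scalar early path of this loop, so a `__ref` suffix on a non-pointer parameter is silently ignored rather than flagged; a kfunc author who puts the suffix on the wrong parameter gets neither the protection nor a diagnostic. Consider rejecting a `__ref` suffix on a scalar parameter at this point (a `bpf_log` plus -EINVAL, the same shape as the "must be referenced" error) so the mistake is visible. Minor: the `bool trusted_arg = false;` initializer added in the previous hunk is dead, since this line assigns it unconditionally before its only use.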
diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
index 25d8ecf105aa..b735accf8750 100644
--- a/net/bpf/test_run.c
+++ b/net/bpf/test_run.c
@@ -691,7 +691,11 @@ noinline void bpf_kfunc_call_test_mem_len_fail2(u64 *mem, int len)
 {
 }
 
-noinline void bpf_kfunc_call_test_ref(struct prog_test_ref_kfunc *p)
+noinline void bpf_kfunc_call_test_trusted(struct prog_test_ref_kfunc *p)
+{
+}
+
+noinline void bpf_kfunc_call_test_ref(struct prog_test_ref_kfunc *p__ref)
 {
 }
 
@@ -722,7 +726,8 @@ BTF_ID_FLAGS(func, bpf_kfunc_call_test_fail3)
 BTF_ID_FLAGS(func, bpf_kfunc_call_test_mem_len_pass1)
 BTF_ID_FLAGS(func, bpf_kfunc_call_test_mem_len_fail1)
 BTF_ID_FLAGS(func, bpf_kfunc_call_test_mem_len_fail2)
-BTF_ID_FLAGS(func, bpf_kfunc_call_test_ref, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_kfunc_call_test_trusted, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_kfunc_call_test_ref)
 BTF_ID_FLAGS(func, bpf_kfunc_call_test_destructive, KF_DESTRUCTIVE)
 BTF_SET8_END(test_sk_check_kfunc_ids)
 
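Review bot: `BTF_ID_FLAGS(func, bpf_kfunc_call_test_ref)` with no flags is the whole point of this test kfunc, but sitting directly under the `KF_TRUSTED_ARGS` entry for bpf_kfunc_call_test_trusted the bare line reads like an omission; a short comment saying the function deliberately relies on its `p__ref` parameter name would stop a future cleanup from adding the flag back and quietly turning the `__ref` selftest into a second KF_TRUSTED_ARGS test.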
-- 
2.37.2



* [PATCH bpf-next 2/4] selftests/bpf: Extend KF_TRUSTED_ARGS test for __ref annotation
From: Lorenzo Bianconi @ 2022-09-01 16:43 UTC (permalink / raw)
  To: bpf
  Cc: netdev, ast, daniel, andrii, davem, kuba, edumazet, pabeni,
	pablo, fw, netfilter-devel, lorenzo.bianconi, brouer, toke,
	memxor

From: Kumar Kartikeya Dwivedi <memxor@gmail.com>

Extend the existing test for KF_TRUSTED_ARGS by also checking whether
the same happens when a __ref suffix is present in the argument name of
a kfunc.

Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
---
 tools/testing/selftests/bpf/verifier/calls.c | 38 +++++++++++++++-----
 1 file changed, 30 insertions(+), 8 deletions(-)

diff --git a/tools/testing/selftests/bpf/verifier/calls.c b/tools/testing/selftests/bpf/verifier/calls.c
index 3fb4f69b1962..891fcda50d9d 100644
--- a/tools/testing/selftests/bpf/verifier/calls.c
+++ b/tools/testing/selftests/bpf/verifier/calls.c
@@ -219,7 +219,7 @@
 	.errstr = "variable ptr_ access var_off=(0x0; 0x7) disallowed",
 },
 {
-	"calls: invalid kfunc call: referenced arg needs refcounted PTR_TO_BTF_ID",
+	"calls: invalid kfunc call: referenced arg needs refcounted PTR_TO_BTF_ID (KF_TRUSTED_ARGS)",
 	.insns = {
 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
@@ -227,10 +227,30 @@
 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
 	BPF_EXIT_INSN(),
-	BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
-	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
+	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 16),
 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
-	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 16),
+	BPF_MOV64_IMM(BPF_REG_0, 0),
+	BPF_EXIT_INSN(),
+	},
+	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
+	.fixup_kfunc_btf_id = {
+		{ "bpf_kfunc_call_test_acquire", 3 },
+		{ "bpf_kfunc_call_test_trusted", 7 },
+	},
+	.result_unpriv = REJECT,
+	.result = REJECT,
+	.errstr = "R1 must be referenced",
+},
+{
+	"calls: invalid kfunc call: referenced arg needs refcounted PTR_TO_BTF_ID (__ref)",
+	.insns = {
+	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
+	BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
+	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
+	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
+	BPF_EXIT_INSN(),
+	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 16),
 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
 	BPF_MOV64_IMM(BPF_REG_0, 0),
 	BPF_EXIT_INSN(),
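Review bot: both reject tests now acquire a reference at insn 3 and never release it, so the program exits with the object still held; the expected `R1 must be referenced` error is only reported because the verifier reaches the kfunc call at insn 7 before it reaches the exit, where it would otherwise report the unreleased reference. That ordering is what the test depends on, so a short comment above each `.insns` block (the `BPF_LDX_MEM(..., 16)` yields a pointer-walked PTR_TO_BTF_ID that the trusted/`__ref` check must reject) would make the intent and the `{ ..., 7 }` fixup indices easier to keep correct when the instruction list changes.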
@@ -238,8 +258,7 @@
 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
 	.fixup_kfunc_btf_id = {
 		{ "bpf_kfunc_call_test_acquire", 3 },
-		{ "bpf_kfunc_call_test_ref", 8 },
-		{ "bpf_kfunc_call_test_ref", 10 },
+		{ "bpf_kfunc_call_test_ref", 7 },
 	},
 	.result_unpriv = REJECT,
 	.result = REJECT,
@@ -259,14 +278,17 @@
 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
+	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
+	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
 	BPF_MOV64_IMM(BPF_REG_0, 0),
 	BPF_EXIT_INSN(),
 	},
 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
 	.fixup_kfunc_btf_id = {
 		{ "bpf_kfunc_call_test_acquire", 3 },
-		{ "bpf_kfunc_call_test_ref", 8 },
-		{ "bpf_kfunc_call_test_release", 10 },
+		{ "bpf_kfunc_call_test_trusted", 8 },
+		{ "bpf_kfunc_call_test_ref", 10 },
+		{ "bpf_kfunc_call_test_release", 12 },
 	},
 	.result_unpriv = REJECT,
 	.result = ACCEPT,
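Review bot: the accept case now passes the same acquired pointer through bpf_kfunc_call_test_trusted (insn 8), bpf_kfunc_call_test_ref (insn 10) and the release at insn 12, which covers both mechanisms on a referenced pointer, but there is still no case for a kfunc that carries both KF_TRUSTED_ARGS and a `__ref` parameter, nor for a `__ref` suffix on a scalar parameter; adding those would pin down the precedence and the silent-ignore behaviour of the btf.c change in 1/4.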
-- 
2.37.2



* [PATCH bpf-next 3/4] net: netfilter: add bpf_ct_set_nat_info kfunc helper
From: Lorenzo Bianconi @ 2022-09-01 16:43 UTC (permalink / raw)
  To: bpf
  Cc: netdev, ast, daniel, andrii, davem, kuba, edumazet, pabeni,
	pablo, fw, netfilter-devel, lorenzo.bianconi, brouer, toke,
	memxor

Introduce the bpf_ct_set_nat_info kfunc helper in order to set source and
destination nat addresses/ports in a newly allocated ct entry not yet
inserted in the connection tracking table.

Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
---
 net/netfilter/nf_conntrack_bpf.c | 49 +++++++++++++++++++++++++++++++-
 1 file changed, 48 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_conntrack_bpf.c b/net/netfilter/nf_conntrack_bpf.c
index 1cd87b28c9b0..85b8c7ee00af 100644
--- a/net/netfilter/nf_conntrack_bpf.c
+++ b/net/netfilter/nf_conntrack_bpf.c
@@ -14,6 +14,7 @@
 #include <net/netfilter/nf_conntrack.h>
 #include <net/netfilter/nf_conntrack_bpf.h>
 #include <net/netfilter/nf_conntrack_core.h>
+#include <net/netfilter/nf_nat.h>
 
 /* bpf_ct_opts - Options for CT lookup helpers
  *
@@ -134,7 +135,6 @@ __bpf_nf_ct_alloc_entry(struct net *net, struct bpf_sock_tuple *bpf_tuple,
 
 	memset(&ct->proto, 0, sizeof(ct->proto));
 	__nf_ct_set_timeout(ct, timeout * HZ);
-	ct->status |= IPS_CONFIRMED;
 
 out:
 	if (opts->netns_id >= 0)
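Review bot: dropping `ct->status |= IPS_CONFIRMED;` from __bpf_nf_ct_alloc_entry changes the state of every entry returned by bpf_xdp_ct_alloc/bpf_skb_ct_alloc, not only those that go through the new kfunc, and the commit message does not mention it. Please state the reason (presumably the NAT binding has to be set up while the entry is still unconfirmed, which is why the bit now moves into bpf_ct_insert_entry in the next hunk) and whether programs that already call bpf_ct_set_status(ct, IPS_CONFIRMED) before insert, as the selftest did until 4/4, keep working.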
@@ -339,6 +339,7 @@ struct nf_conn *bpf_ct_insert_entry(struct nf_conn___init *nfct_i)
 	struct nf_conn *nfct = (struct nf_conn *)nfct_i;
 	int err;
 
+	nfct->status |= IPS_CONFIRMED;
 	err = nf_conntrack_hash_check_insert(nfct);
 	if (err < 0) {
 		nf_conntrack_free(nfct);
@@ -424,6 +425,51 @@ int bpf_ct_change_status(struct nf_conn *nfct, u32 status)
 	return nf_ct_change_status_common(nfct, status);
 }
 
+/* bpf_ct_set_nat_info - Set source or destination nat address
+ *
+ * Set source or destination nat address of the newly allocated
+ * nf_conn before insertion. This must be invoked for referenced
+ * PTR_TO_BTF_ID to nf_conn___init.
+ *
+ * Parameters:
+ * @nfct	- Pointer to referenced nf_conn object, obtained using
+ *		  bpf_xdp_ct_alloc or bpf_skb_ct_alloc.
+ * @addr	- Nat source/destination address
+ * @port	- Nat source/destination port
+ * @manip	- NF_NAT_MANIP_SRC or NF_NAT_MANIP_DST
+ */
+int bpf_ct_set_nat_info(struct nf_conn___init *nfct__ref,
+			union nf_inet_addr *addr, __be16 *port,
+			enum nf_nat_manip_type manip)
+{
+#if ((IS_MODULE(CONFIG_NF_NAT) && IS_MODULE(CONFIG_NF_CONNTRACK)) || \
+     IS_BUILTIN(CONFIG_NF_NAT))
+	struct nf_conn *ct = (struct nf_conn *)nfct__ref;
+	u16 proto = nf_ct_l3num(ct);
+	struct nf_nat_range2 range;
+
+	if (proto != NFPROTO_IPV4 && proto != NFPROTO_IPV6)
+		return -EINVAL;
+
+	if (!addr)
+		return -EINVAL;
+
+	memset(&range, 0, sizeof(struct nf_nat_range2));
+	range.flags = NF_NAT_RANGE_MAP_IPS;
+	range.min_addr = *addr;
+	range.max_addr = *addr;
+	if (port) {
+		range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
+		range.min_proto.all = *port;
+		range.max_proto.all = *port;
+	}
+
+	return nf_nat_setup_info(ct, &range, manip) == NF_DROP ? -ENOMEM : 0;
+#else
+	return -EOPNOTSUPP;
+#endif
+}
+
 __diag_pop()
 
 BTF_SET8_START(nf_ct_kfunc_set)
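Review bot: `manip` arrives straight from the BPF program as a scalar and is handed to nf_nat_setup_info unchecked, while the kernel-doc above says only NF_NAT_MANIP_SRC or NF_NAT_MANIP_DST are valid; add `if (manip != NF_NAT_MANIP_SRC && manip != NF_NAT_MANIP_DST) return -EINVAL;` next to the existing `proto` and `addr` checks rather than relying on the callee to cope with an out-of-range value. Two smaller points: the `if (port)` branch implies a NULL port is permitted, so please confirm the verifier actually lets a program pass NULL for an unannotated pointer argument (if it does not, document the port as mandatory and drop the branch); and the header comment says the function sets a "nat address" while it also sets the port, so adjust the wording.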
@@ -437,6 +483,7 @@ BTF_ID_FLAGS(func, bpf_ct_set_timeout, KF_TRUSTED_ARGS)
 BTF_ID_FLAGS(func, bpf_ct_change_timeout, KF_TRUSTED_ARGS)
 BTF_ID_FLAGS(func, bpf_ct_set_status, KF_TRUSTED_ARGS)
 BTF_ID_FLAGS(func, bpf_ct_change_status, KF_TRUSTED_ARGS)
+BTF_ID_FLAGS(func, bpf_ct_set_nat_info)
 BTF_SET8_END(nf_ct_kfunc_set)
 
 static const struct btf_kfunc_id_set nf_conntrack_kfunc_set = {
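Review bot: every other bpf_ct_* entry in this set carries KF_TRUSTED_ARGS while `BTF_ID_FLAGS(func, bpf_ct_set_nat_info)` has none, because the referenced-pointer requirement is expressed by the `nfct__ref` parameter name from 1/4; a brief comment on that line (or in the kernel-doc above the function) would keep the next reader from adding the flag "for consistency". Since on a tree without 1/4 this kfunc would accept an unreferenced nf_conn___init pointer, it is worth stating the dependency on 1/4 explicitly in the commit message.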
-- 
2.37.2



* [PATCH bpf-next 4/4] selftests/bpf: add tests for bpf_ct_set_nat_info kfunc
From: Lorenzo Bianconi @ 2022-09-01 16:43 UTC (permalink / raw)
  To: bpf
  Cc: netdev, ast, daniel, andrii, davem, kuba, edumazet, pabeni,
	pablo, fw, netfilter-devel, lorenzo.bianconi, brouer, toke,
	memxor

Introduce selftests for the bpf_ct_set_nat_info kfunc, used to set the
source or destination nat addresses/ports.

Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
---
 .../testing/selftests/bpf/prog_tests/bpf_nf.c |  2 ++
 .../testing/selftests/bpf/progs/test_bpf_nf.c | 26 ++++++++++++++++++-
 2 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/tools/testing/selftests/bpf/prog_tests/bpf_nf.c b/tools/testing/selftests/bpf/prog_tests/bpf_nf.c
index 544bf90ac2a7..f16913f8fca2 100644
--- a/tools/testing/selftests/bpf/prog_tests/bpf_nf.c
+++ b/tools/testing/selftests/bpf/prog_tests/bpf_nf.c
@@ -115,6 +115,8 @@ static void test_bpf_nf_ct(int mode)
 	ASSERT_EQ(skel->bss->test_status, 2, "Test for ct status update ");
 	ASSERT_EQ(skel->data->test_exist_lookup, 0, "Test existing connection lookup");
 	ASSERT_EQ(skel->bss->test_exist_lookup_mark, 43, "Test existing connection lookup ctmark");
+	ASSERT_EQ(skel->data->test_snat_addr, 0, "Test for source natting");
+	ASSERT_EQ(skel->data->test_dnat_addr, 0, "Test for destination natting");
 end:
 	if (srv_client_fd != -1)
 		close(srv_client_fd);
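Review bot: these two ASSERT_EQ lines compare against 0 while the BPF side initialises `test_snat_addr`/`test_dnat_addr` to -EINVAL and only clears them when the looked-up reply tuple matches, so a kernel built without CONFIG_NF_NAT (where bpf_ct_set_nat_info returns -EOPNOTSUPP) and a genuine NAT mismatch both surface here as `actual -22 != expected 0`, which is exactly the CI failure reported later in this thread. Have the BPF program store the kfunc's return value into those variables so the two cases are distinguishable, and add CONFIG_NF_NAT to tools/testing/selftests/bpf/config so CI exercises the real path.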
diff --git a/tools/testing/selftests/bpf/progs/test_bpf_nf.c b/tools/testing/selftests/bpf/progs/test_bpf_nf.c
index 2722441850cc..3f441595098b 100644
--- a/tools/testing/selftests/bpf/progs/test_bpf_nf.c
+++ b/tools/testing/selftests/bpf/progs/test_bpf_nf.c
@@ -23,6 +23,8 @@ int test_insert_entry = -EAFNOSUPPORT;
 int test_succ_lookup = -ENOENT;
 u32 test_delta_timeout = 0;
 u32 test_status = 0;
+int test_snat_addr = -EINVAL;
+int test_dnat_addr = -EINVAL;
 __be32 saddr = 0;
 __be16 sport = 0;
 __be32 daddr = 0;
@@ -53,6 +55,8 @@ void bpf_ct_set_timeout(struct nf_conn *, u32) __ksym;
 int bpf_ct_change_timeout(struct nf_conn *, u32) __ksym;
 int bpf_ct_set_status(struct nf_conn *, u32) __ksym;
 int bpf_ct_change_status(struct nf_conn *, u32) __ksym;
+int bpf_ct_set_nat_info(struct nf_conn *, union nf_inet_addr *,
+			__be16 *port, enum nf_nat_manip_type) __ksym;
 
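Review bot: the new `__ksym` prototype names its third parameter (`__be16 *port`) while every other declaration in this block, including the other three parameters of this one, is unnamed; drop the name for consistency with the surrounding bpf_ct_* declarations.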
 static __always_inline void
 nf_ct_test(struct nf_conn *(*lookup_fn)(void *, struct bpf_sock_tuple *, u32,
@@ -140,10 +144,19 @@ nf_ct_test(struct nf_conn *(*lookup_fn)(void *, struct bpf_sock_tuple *, u32,
 	ct = alloc_fn(ctx, &bpf_tuple, sizeof(bpf_tuple.ipv4), &opts_def,
 		      sizeof(opts_def));
 	if (ct) {
+		__be16 sport = bpf_get_prandom_u32();
+		__be16 dport = bpf_get_prandom_u32();
+		union nf_inet_addr saddr = {};
+		union nf_inet_addr daddr = {};
 		struct nf_conn *ct_ins;
 
 		bpf_ct_set_timeout(ct, 10000);
-		bpf_ct_set_status(ct, IPS_CONFIRMED);
+		/* snat */
+		saddr.ip = bpf_get_prandom_u32();
+		bpf_ct_set_nat_info(ct, &saddr, &sport, NF_NAT_MANIP_SRC);
+		/* dnat */
+		daddr.ip = bpf_get_prandom_u32();
+		bpf_ct_set_nat_info(ct, &daddr, &dport, NF_NAT_MANIP_DST);
 
 		ct_ins = bpf_ct_insert_entry(ct);
 		if (ct_ins) {
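Review bot: the block-local `sport`, `saddr` and `daddr` shadow the file-scope `__be16 sport`, `__be32 saddr` and `__be32 daddr` declared in the first hunk of this file, and the locals have different types (`union nf_inet_addr` for the addresses), which makes the later `saddr.ip`/`daddr.ip` comparisons easy to misread; rename them (e.g. `nat_saddr`, `nat_sport`) so the NAT values are clearly distinct from the tuple fields the test already uses.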
@@ -152,6 +165,17 @@ nf_ct_test(struct nf_conn *(*lookup_fn)(void *, struct bpf_sock_tuple *, u32,
 			ct_lk = lookup_fn(ctx, &bpf_tuple, sizeof(bpf_tuple.ipv4),
 					  &opts_def, sizeof(opts_def));
 			if (ct_lk) {
+				struct nf_conntrack_tuple *tuple;
+
+				/* check snat and dnat addresses */
+				tuple = &ct_lk->tuplehash[IP_CT_DIR_REPLY].tuple;
+				if (tuple->dst.u3.ip == saddr.ip &&
+				    tuple->dst.u.all == sport)
+					test_snat_addr = 0;
+				if (tuple->src.u3.ip == daddr.ip &&
+				    tuple->src.u.all == dport)
+					test_dnat_addr = 0;
+
 				/* update ct entry timeout */
 				bpf_ct_change_timeout(ct_lk, 10000);
 				test_delta_timeout = ct_lk->timeout - bpf_jiffies64();
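Review bot: checking the IP_CT_DIR_REPLY tuple is the right way to observe both mappings (SNAT shows up as the reply destination, DNAT as the reply source), but the comparison uses `u3.ip` only, so the IPv6 path that bpf_ct_set_nat_info explicitly accepts (`proto != NFPROTO_IPV6` check in 3/4) has no coverage; a v6 variant of this block, or at least a comment saying v4-only is intentional, would be good. Also, `test_snat_addr`/`test_dnat_addr` are cleared on match only, with no else branch, so a partial failure leaves both at the initial -EINVAL with no hint which of the two comparisons missed.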
-- 
2.37.2



* Re: [PATCH bpf-next 0/4] Introduce bpf_ct_set_nat_info kfunc helper
From: Daniel Borkmann @ 2022-09-02 14:11 UTC (permalink / raw)
  To: Lorenzo Bianconi, bpf
  Cc: netdev, ast, andrii, davem, kuba, edumazet, pabeni, pablo, fw,
	netfilter-devel, lorenzo.bianconi, brouer, toke, memxor

On 9/1/22 6:43 PM, Lorenzo Bianconi wrote:
> Introduce bpf_ct_set_nat_info kfunc helper in order to set source and
> destination nat addresses/ports in a new allocated ct entry not inserted
> in the connection tracking table yet.
> Introduce support for per-parameter trusted args.
> 
> Kumar Kartikeya Dwivedi (2):
>    bpf: Add support for per-parameter trusted args
>    selftests/bpf: Extend KF_TRUSTED_ARGS test for __ref annotation
> 
> Lorenzo Bianconi (2):
>    net: netfilter: add bpf_ct_set_nat_info kfunc helper
>    selftests/bpf: add tests for bpf_ct_set_nat_info kfunc
> 
>   Documentation/bpf/kfuncs.rst                  | 18 +++++++
>   kernel/bpf/btf.c                              | 39 ++++++++++-----
>   net/bpf/test_run.c                            |  9 +++-
>   net/netfilter/nf_conntrack_bpf.c              | 49 ++++++++++++++++++-
>   .../testing/selftests/bpf/prog_tests/bpf_nf.c |  2 +
>   .../testing/selftests/bpf/progs/test_bpf_nf.c | 26 +++++++++-
>   tools/testing/selftests/bpf/verifier/calls.c  | 38 +++++++++++---
>   7 files changed, 156 insertions(+), 25 deletions(-)
> 

Looks like this fails BPF CI, ptal:

https://github.com/kernel-patches/bpf/runs/8147936670?check_suite_focus=true

[...]
   All error logs:
   test_bpf_nf_ct:PASS:test_bpf_nf__open_and_load 0 nsec
   test_bpf_nf_ct:PASS:iptables 0 nsec
   test_bpf_nf_ct:PASS:start_server 0 nsec
   connect_to_server:PASS:socket 0 nsec
   connect_to_server:PASS:connect_fd_to_fd 0 nsec
   test_bpf_nf_ct:PASS:connect_to_server 0 nsec
   test_bpf_nf_ct:PASS:accept 0 nsec
   test_bpf_nf_ct:PASS:sockaddr len 0 nsec
   test_bpf_nf_ct:PASS:bpf_prog_test_run 0 nsec
   test_bpf_nf_ct:PASS:Test EINVAL for NULL bpf_tuple 0 nsec
   test_bpf_nf_ct:PASS:Test EINVAL for reserved not set to 0 0 nsec
   test_bpf_nf_ct:PASS:Test EINVAL for netns_id < -1 0 nsec
   test_bpf_nf_ct:PASS:Test EINVAL for len__opts != NF_BPF_CT_OPTS_SZ 0 nsec
   test_bpf_nf_ct:PASS:Test EPROTO for l4proto != TCP or UDP 0 nsec
   test_bpf_nf_ct:PASS:Test ENONET for bad but valid netns_id 0 nsec
   test_bpf_nf_ct:PASS:Test ENOENT for failed lookup 0 nsec
   test_bpf_nf_ct:PASS:Test EAFNOSUPPORT for invalid len__tuple 0 nsec
   test_bpf_nf_ct:PASS:Test for alloc new entry 0 nsec
   test_bpf_nf_ct:PASS:Test for insert new entry 0 nsec
   test_bpf_nf_ct:PASS:Test for successful lookup 0 nsec
   test_bpf_nf_ct:PASS:Test for min ct timeout update 0 nsec
   test_bpf_nf_ct:PASS:Test for max ct timeout update 0 nsec
   test_bpf_nf_ct:PASS:Test for ct status update  0 nsec
   test_bpf_nf_ct:PASS:Test existing connection lookup 0 nsec
   test_bpf_nf_ct:PASS:Test existing connection lookup ctmark 0 nsec
   test_bpf_nf_ct:FAIL:Test for source natting unexpected Test for source natting: actual -22 != expected 0
   test_bpf_nf_ct:FAIL:Test for destination natting unexpected Test for destination natting: actual -22 != expected 0
   #16/1    bpf_nf/xdp-ct:FAIL
   test_bpf_nf_ct:PASS:test_bpf_nf__open_and_load 0 nsec
   test_bpf_nf_ct:PASS:iptables 0 nsec
   test_bpf_nf_ct:PASS:start_server 0 nsec
   connect_to_server:PASS:socket 0 nsec
   connect_to_server:PASS:connect_fd_to_fd 0 nsec
   test_bpf_nf_ct:PASS:connect_to_server 0 nsec
   test_bpf_nf_ct:PASS:accept 0 nsec
   test_bpf_nf_ct:PASS:sockaddr len 0 nsec
   test_bpf_nf_ct:PASS:bpf_prog_test_run 0 nsec
   test_bpf_nf_ct:PASS:Test EINVAL for NULL bpf_tuple 0 nsec
   test_bpf_nf_ct:PASS:Test EINVAL for reserved not set to 0 0 nsec
   test_bpf_nf_ct:PASS:Test EINVAL for netns_id < -1 0 nsec
   test_bpf_nf_ct:PASS:Test EINVAL for len__opts != NF_BPF_CT_OPTS_SZ 0 nsec
   test_bpf_nf_ct:PASS:Test EPROTO for l4proto != TCP or UDP 0 nsec
   test_bpf_nf_ct:PASS:Test ENONET for bad but valid netns_id 0 nsec
   test_bpf_nf_ct:PASS:Test ENOENT for failed lookup 0 nsec
   test_bpf_nf_ct:PASS:Test EAFNOSUPPORT for invalid len__tuple 0 nsec
   test_bpf_nf_ct:PASS:Test for alloc new entry 0 nsec
   test_bpf_nf_ct:PASS:Test for insert new entry 0 nsec
   test_bpf_nf_ct:PASS:Test for successful lookup 0 nsec
   test_bpf_nf_ct:PASS:Test for min ct timeout update 0 nsec
   test_bpf_nf_ct:PASS:Test for max ct timeout update 0 nsec
   test_bpf_nf_ct:PASS:Test for ct status update  0 nsec
   test_bpf_nf_ct:PASS:Test existing connection lookup 0 nsec
   test_bpf_nf_ct:PASS:Test existing connection lookup ctmark 0 nsec
   test_bpf_nf_ct:FAIL:Test for source natting unexpected Test for source natting: actual -22 != expected 0
   test_bpf_nf_ct:FAIL:Test for destination natting unexpected Test for destination natting: actual -22 != expected 0
   #16/2    bpf_nf/tc-bpf-ct:FAIL
   #16      bpf_nf:FAIL
[...]


* Re: [PATCH bpf-next 0/4] Introduce bpf_ct_set_nat_info kfunc helper
From: Lorenzo Bianconi @ 2022-09-02 14:35 UTC (permalink / raw)
  To: Daniel Borkmann
  Cc: Lorenzo Bianconi, bpf, netdev, ast, andrii, davem, kuba,
	edumazet, pabeni, pablo, fw, netfilter-devel, brouer, toke,
	memxor


On Sep 02, Daniel Borkmann wrote:
> On 9/1/22 6:43 PM, Lorenzo Bianconi wrote:
> > Introduce bpf_ct_set_nat_info kfunc helper in order to set source and
> > destination nat addresses/ports in a new allocated ct entry not inserted
> > in the connection tracking table yet.
> > Introduce support for per-parameter trusted args.
> > 
> > Kumar Kartikeya Dwivedi (2):
> >    bpf: Add support for per-parameter trusted args
> >    selftests/bpf: Extend KF_TRUSTED_ARGS test for __ref annotation
> > 
> > Lorenzo Bianconi (2):
> >    net: netfilter: add bpf_ct_set_nat_info kfunc helper
> >    selftests/bpf: add tests for bpf_ct_set_nat_info kfunc
> > 
> >   Documentation/bpf/kfuncs.rst                  | 18 +++++++
> >   kernel/bpf/btf.c                              | 39 ++++++++++-----
> >   net/bpf/test_run.c                            |  9 +++-
> >   net/netfilter/nf_conntrack_bpf.c              | 49 ++++++++++++++++++-
> >   .../testing/selftests/bpf/prog_tests/bpf_nf.c |  2 +
> >   .../testing/selftests/bpf/progs/test_bpf_nf.c | 26 +++++++++-
> >   tools/testing/selftests/bpf/verifier/calls.c  | 38 +++++++++++---
> >   7 files changed, 156 insertions(+), 25 deletions(-)
> > 
> 
> Looks like this fails BPF CI, ptal:
> 
> https://github.com/kernel-patches/bpf/runs/8147936670?check_suite_focus=true

Hi Daniel,

it seems CONFIG_NF_NAT is not set in the kernel config file.
Am I supposed to enable it in bpf-next/tools/testing/selftests/bpf/config?

Regards,
Lorenzo

> 
> [...]
>   All error logs:
>   test_bpf_nf_ct:PASS:test_bpf_nf__open_and_load 0 nsec
>   test_bpf_nf_ct:PASS:iptables 0 nsec
>   test_bpf_nf_ct:PASS:start_server 0 nsec
>   connect_to_server:PASS:socket 0 nsec
>   connect_to_server:PASS:connect_fd_to_fd 0 nsec
>   test_bpf_nf_ct:PASS:connect_to_server 0 nsec
>   test_bpf_nf_ct:PASS:accept 0 nsec
>   test_bpf_nf_ct:PASS:sockaddr len 0 nsec
>   test_bpf_nf_ct:PASS:bpf_prog_test_run 0 nsec
>   test_bpf_nf_ct:PASS:Test EINVAL for NULL bpf_tuple 0 nsec
>   test_bpf_nf_ct:PASS:Test EINVAL for reserved not set to 0 0 nsec
>   test_bpf_nf_ct:PASS:Test EINVAL for netns_id < -1 0 nsec
>   test_bpf_nf_ct:PASS:Test EINVAL for len__opts != NF_BPF_CT_OPTS_SZ 0 nsec
>   test_bpf_nf_ct:PASS:Test EPROTO for l4proto != TCP or UDP 0 nsec
>   test_bpf_nf_ct:PASS:Test ENONET for bad but valid netns_id 0 nsec
>   test_bpf_nf_ct:PASS:Test ENOENT for failed lookup 0 nsec
>   test_bpf_nf_ct:PASS:Test EAFNOSUPPORT for invalid len__tuple 0 nsec
>   test_bpf_nf_ct:PASS:Test for alloc new entry 0 nsec
>   test_bpf_nf_ct:PASS:Test for insert new entry 0 nsec
>   test_bpf_nf_ct:PASS:Test for successful lookup 0 nsec
>   test_bpf_nf_ct:PASS:Test for min ct timeout update 0 nsec
>   test_bpf_nf_ct:PASS:Test for max ct timeout update 0 nsec
>   test_bpf_nf_ct:PASS:Test for ct status update  0 nsec
>   test_bpf_nf_ct:PASS:Test existing connection lookup 0 nsec
>   test_bpf_nf_ct:PASS:Test existing connection lookup ctmark 0 nsec
>   test_bpf_nf_ct:FAIL:Test for source natting unexpected Test for source natting: actual -22 != expected 0
>   test_bpf_nf_ct:FAIL:Test for destination natting unexpected Test for destination natting: actual -22 != expected 0
>   #16/1    bpf_nf/xdp-ct:FAIL
>   test_bpf_nf_ct:PASS:test_bpf_nf__open_and_load 0 nsec
>   test_bpf_nf_ct:PASS:iptables 0 nsec
>   test_bpf_nf_ct:PASS:start_server 0 nsec
>   connect_to_server:PASS:socket 0 nsec
>   connect_to_server:PASS:connect_fd_to_fd 0 nsec
>   test_bpf_nf_ct:PASS:connect_to_server 0 nsec
>   test_bpf_nf_ct:PASS:accept 0 nsec
>   test_bpf_nf_ct:PASS:sockaddr len 0 nsec
>   test_bpf_nf_ct:PASS:bpf_prog_test_run 0 nsec
>   test_bpf_nf_ct:PASS:Test EINVAL for NULL bpf_tuple 0 nsec
>   test_bpf_nf_ct:PASS:Test EINVAL for reserved not set to 0 0 nsec
>   test_bpf_nf_ct:PASS:Test EINVAL for netns_id < -1 0 nsec
>   test_bpf_nf_ct:PASS:Test EINVAL for len__opts != NF_BPF_CT_OPTS_SZ 0 nsec
>   test_bpf_nf_ct:PASS:Test EPROTO for l4proto != TCP or UDP 0 nsec
>   test_bpf_nf_ct:PASS:Test ENONET for bad but valid netns_id 0 nsec
>   test_bpf_nf_ct:PASS:Test ENOENT for failed lookup 0 nsec
>   test_bpf_nf_ct:PASS:Test EAFNOSUPPORT for invalid len__tuple 0 nsec
>   test_bpf_nf_ct:PASS:Test for alloc new entry 0 nsec
>   test_bpf_nf_ct:PASS:Test for insert new entry 0 nsec
>   test_bpf_nf_ct:PASS:Test for successful lookup 0 nsec
>   test_bpf_nf_ct:PASS:Test for min ct timeout update 0 nsec
>   test_bpf_nf_ct:PASS:Test for max ct timeout update 0 nsec
>   test_bpf_nf_ct:PASS:Test for ct status update  0 nsec
>   test_bpf_nf_ct:PASS:Test existing connection lookup 0 nsec
>   test_bpf_nf_ct:PASS:Test existing connection lookup ctmark 0 nsec
>   test_bpf_nf_ct:FAIL:Test for source natting unexpected Test for source natting: actual -22 != expected 0
>   test_bpf_nf_ct:FAIL:Test for destination natting unexpected Test for destination natting: actual -22 != expected 0
>   #16/2    bpf_nf/tc-bpf-ct:FAIL
>   #16      bpf_nf:FAIL
> [...]
> 


* Re: [PATCH bpf-next 0/4] Introduce bpf_ct_set_nat_info kfunc helper
  2022-09-02 14:35   ` Lorenzo Bianconi
@ 2022-09-02 14:41     ` Daniel Borkmann
  2022-09-02 15:44       ` Daniel Müller
  0 siblings, 1 reply; 10+ messages in thread
From: Daniel Borkmann @ 2022-09-02 14:41 UTC (permalink / raw)
  To: Lorenzo Bianconi
  Cc: Lorenzo Bianconi, bpf, netdev, ast, andrii, davem, kuba,
	edumazet, pabeni, pablo, fw, netfilter-devel, brouer, toke,
	memxor, deso

On 9/2/22 4:35 PM, Lorenzo Bianconi wrote:
> On Sep 02, Daniel Borkmann wrote:
>> On 9/1/22 6:43 PM, Lorenzo Bianconi wrote:
>>> Introduce bpf_ct_set_nat_info kfunc helper in order to set source and
>>> destination nat addresses/ports in a new allocated ct entry not inserted
>>> in the connection tracking table yet.
>>> Introduce support for per-parameter trusted args.
>>>
>>> Kumar Kartikeya Dwivedi (2):
>>>     bpf: Add support for per-parameter trusted args
>>>     selftests/bpf: Extend KF_TRUSTED_ARGS test for __ref annotation
>>>
>>> Lorenzo Bianconi (2):
>>>     net: netfilter: add bpf_ct_set_nat_info kfunc helper
>>>     selftests/bpf: add tests for bpf_ct_set_nat_info kfunc
>>>
>>>    Documentation/bpf/kfuncs.rst                  | 18 +++++++
>>>    kernel/bpf/btf.c                              | 39 ++++++++++-----
>>>    net/bpf/test_run.c                            |  9 +++-
>>>    net/netfilter/nf_conntrack_bpf.c              | 49 ++++++++++++++++++-
>>>    .../testing/selftests/bpf/prog_tests/bpf_nf.c |  2 +
>>>    .../testing/selftests/bpf/progs/test_bpf_nf.c | 26 +++++++++-
>>>    tools/testing/selftests/bpf/verifier/calls.c  | 38 +++++++++++---
>>>    7 files changed, 156 insertions(+), 25 deletions(-)
>>>
>>
>> Looks like this fails BPF CI, ptal:
>>
>> https://github.com/kernel-patches/bpf/runs/8147936670?check_suite_focus=true
> 
> Hi Daniel,
> 
> it seems CONFIG_NF_NAT is not set in the kernel config file.
> Am I supposed to enable it in bpf-next/tools/testing/selftests/bpf/config?

This would have to be set there and added to the patches, yes. @Andrii/DanielM, is
this enough or are other steps needed on top of that?

>> [...]
>>    All error logs:
>>    test_bpf_nf_ct:PASS:test_bpf_nf__open_and_load 0 nsec
>>    test_bpf_nf_ct:PASS:iptables 0 nsec
>>    test_bpf_nf_ct:PASS:start_server 0 nsec
>>    connect_to_server:PASS:socket 0 nsec
>>    connect_to_server:PASS:connect_fd_to_fd 0 nsec
>>    test_bpf_nf_ct:PASS:connect_to_server 0 nsec
>>    test_bpf_nf_ct:PASS:accept 0 nsec
>>    test_bpf_nf_ct:PASS:sockaddr len 0 nsec
>>    test_bpf_nf_ct:PASS:bpf_prog_test_run 0 nsec
>>    test_bpf_nf_ct:PASS:Test EINVAL for NULL bpf_tuple 0 nsec
>>    test_bpf_nf_ct:PASS:Test EINVAL for reserved not set to 0 0 nsec
>>    test_bpf_nf_ct:PASS:Test EINVAL for netns_id < -1 0 nsec
>>    test_bpf_nf_ct:PASS:Test EINVAL for len__opts != NF_BPF_CT_OPTS_SZ 0 nsec
>>    test_bpf_nf_ct:PASS:Test EPROTO for l4proto != TCP or UDP 0 nsec
>>    test_bpf_nf_ct:PASS:Test ENONET for bad but valid netns_id 0 nsec
>>    test_bpf_nf_ct:PASS:Test ENOENT for failed lookup 0 nsec
>>    test_bpf_nf_ct:PASS:Test EAFNOSUPPORT for invalid len__tuple 0 nsec
>>    test_bpf_nf_ct:PASS:Test for alloc new entry 0 nsec
>>    test_bpf_nf_ct:PASS:Test for insert new entry 0 nsec
>>    test_bpf_nf_ct:PASS:Test for successful lookup 0 nsec
>>    test_bpf_nf_ct:PASS:Test for min ct timeout update 0 nsec
>>    test_bpf_nf_ct:PASS:Test for max ct timeout update 0 nsec
>>    test_bpf_nf_ct:PASS:Test for ct status update  0 nsec
>>    test_bpf_nf_ct:PASS:Test existing connection lookup 0 nsec
>>    test_bpf_nf_ct:PASS:Test existing connection lookup ctmark 0 nsec
>>    test_bpf_nf_ct:FAIL:Test for source natting unexpected Test for source natting: actual -22 != expected 0
>>    test_bpf_nf_ct:FAIL:Test for destination natting unexpected Test for destination natting: actual -22 != expected 0
>>    #16/1    bpf_nf/xdp-ct:FAIL
>>    test_bpf_nf_ct:PASS:test_bpf_nf__open_and_load 0 nsec
>>    test_bpf_nf_ct:PASS:iptables 0 nsec
>>    test_bpf_nf_ct:PASS:start_server 0 nsec
>>    connect_to_server:PASS:socket 0 nsec
>>    connect_to_server:PASS:connect_fd_to_fd 0 nsec
>>    test_bpf_nf_ct:PASS:connect_to_server 0 nsec
>>    test_bpf_nf_ct:PASS:accept 0 nsec
>>    test_bpf_nf_ct:PASS:sockaddr len 0 nsec
>>    test_bpf_nf_ct:PASS:bpf_prog_test_run 0 nsec
>>    test_bpf_nf_ct:PASS:Test EINVAL for NULL bpf_tuple 0 nsec
>>    test_bpf_nf_ct:PASS:Test EINVAL for reserved not set to 0 0 nsec
>>    test_bpf_nf_ct:PASS:Test EINVAL for netns_id < -1 0 nsec
>>    test_bpf_nf_ct:PASS:Test EINVAL for len__opts != NF_BPF_CT_OPTS_SZ 0 nsec
>>    test_bpf_nf_ct:PASS:Test EPROTO for l4proto != TCP or UDP 0 nsec
>>    test_bpf_nf_ct:PASS:Test ENONET for bad but valid netns_id 0 nsec
>>    test_bpf_nf_ct:PASS:Test ENOENT for failed lookup 0 nsec
>>    test_bpf_nf_ct:PASS:Test EAFNOSUPPORT for invalid len__tuple 0 nsec
>>    test_bpf_nf_ct:PASS:Test for alloc new entry 0 nsec
>>    test_bpf_nf_ct:PASS:Test for insert new entry 0 nsec
>>    test_bpf_nf_ct:PASS:Test for successful lookup 0 nsec
>>    test_bpf_nf_ct:PASS:Test for min ct timeout update 0 nsec
>>    test_bpf_nf_ct:PASS:Test for max ct timeout update 0 nsec
>>    test_bpf_nf_ct:PASS:Test for ct status update  0 nsec
>>    test_bpf_nf_ct:PASS:Test existing connection lookup 0 nsec
>>    test_bpf_nf_ct:PASS:Test existing connection lookup ctmark 0 nsec
>>    test_bpf_nf_ct:FAIL:Test for source natting unexpected Test for source natting: actual -22 != expected 0
>>    test_bpf_nf_ct:FAIL:Test for destination natting unexpected Test for destination natting: actual -22 != expected 0
>>    #16/2    bpf_nf/tc-bpf-ct:FAIL
>>    #16      bpf_nf:FAIL
>> [...]
>>



* Re: [PATCH bpf-next 0/4] Introduce bpf_ct_set_nat_info kfunc helper
  2022-09-02 14:41     ` Daniel Borkmann
@ 2022-09-02 15:44       ` Daniel Müller
  2022-09-02 16:01         ` Lorenzo Bianconi
  0 siblings, 1 reply; 10+ messages in thread
From: Daniel Müller @ 2022-09-02 15:44 UTC (permalink / raw)
  To: Daniel Borkmann
  Cc: Lorenzo Bianconi, Lorenzo Bianconi, bpf, netdev, ast, andrii,
	davem, kuba, edumazet, pabeni, pablo, fw, netfilter-devel,
	brouer, toke, memxor

On Fri, Sep 02, 2022 at 04:41:28PM +0200, Daniel Borkmann wrote:
> On 9/2/22 4:35 PM, Lorenzo Bianconi wrote:
> > On Sep 02, Daniel Borkmann wrote:
> > > On 9/1/22 6:43 PM, Lorenzo Bianconi wrote:
> > > > Introduce bpf_ct_set_nat_info kfunc helper in order to set source and
> > > > destination nat addresses/ports in a new allocated ct entry not inserted
> > > > in the connection tracking table yet.
> > > > Introduce support for per-parameter trusted args.
> > > > 
> > > > Kumar Kartikeya Dwivedi (2):
> > > >     bpf: Add support for per-parameter trusted args
> > > >     selftests/bpf: Extend KF_TRUSTED_ARGS test for __ref annotation
> > > > 
> > > > Lorenzo Bianconi (2):
> > > >     net: netfilter: add bpf_ct_set_nat_info kfunc helper
> > > >     selftests/bpf: add tests for bpf_ct_set_nat_info kfunc
> > > > 
> > > >    Documentation/bpf/kfuncs.rst                  | 18 +++++++
> > > >    kernel/bpf/btf.c                              | 39 ++++++++++-----
> > > >    net/bpf/test_run.c                            |  9 +++-
> > > >    net/netfilter/nf_conntrack_bpf.c              | 49 ++++++++++++++++++-
> > > >    .../testing/selftests/bpf/prog_tests/bpf_nf.c |  2 +
> > > >    .../testing/selftests/bpf/progs/test_bpf_nf.c | 26 +++++++++-
> > > >    tools/testing/selftests/bpf/verifier/calls.c  | 38 +++++++++++---
> > > >    7 files changed, 156 insertions(+), 25 deletions(-)
> > > > 
> > > 
> > > Looks like this fails BPF CI, ptal:
> > > 
> > > https://github.com/kernel-patches/bpf/runs/8147936670?check_suite_focus=true
> > 
> > Hi Daniel,
> > 
> > it seems CONFIG_NF_NAT is not set in the kernel config file.
> > Am I supposed to enable it in bpf-next/tools/testing/selftests/bpf/config?
> 
> This would have to be set there and added to the patches, yes. @Andrii/DanielM, is
> this enough or are other steps needed on top of that?

Yes, I think it should be set at said location. Nothing else should be
needed in addition that I can think of.

Thanks,
Daniel

[...]
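The failure discussed above is a config gap rather than a code bug: the NAT subtests return -22 (EINVAL) because CONFIG_NF_NAT is absent from the CI kernel config, and the agreed fix is to add it to the selftests config fragment. The following is an added example, not code from the thread or from the kernel tree, that shows how a maintainer could catch this before a CI round trip: it checks a Kconfig fragment for the options a test depends on, emits the corrected fragment, and parses test_progs output to decode the errno behind each FAIL line. The sample config, the sample log excerpt, and the REQUIRED option list are constructed for illustration; only CONFIG_NF_NAT and the -22 result come from the thread.

```python
import errno
import re

# Constructed Kconfig fragment, shaped like tools/testing/selftests/bpf/config
# before CONFIG_NF_NAT is added (sample data, not the real file).
SAMPLE_CONFIG = """\
CONFIG_BPF=y
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_DEFRAG_IPV4=y
CONFIG_NF_DEFRAG_IPV6=y
"""

# Options the NAT subtests need. CONFIG_NF_NAT is the one the CI run lacked;
# listing CONFIG_NF_CONNTRACK alongside it is an assumption for illustration.
REQUIRED = ("CONFIG_NF_CONNTRACK", "CONFIG_NF_NAT")

# Constructed excerpt in the format test_progs prints (see the CI log quoted
# earlier in the thread); the -22 values mirror the real failure.
SAMPLE_LOG = """\
test_bpf_nf_ct:PASS:Test for insert new entry 0 nsec
test_bpf_nf_ct:FAIL:Test for source natting unexpected Test for source natting: actual -22 != expected 0
test_bpf_nf_ct:FAIL:Test for destination natting unexpected Test for destination natting: actual -22 != expected 0
#16/1    bpf_nf/xdp-ct:FAIL
"""

CONFIG_RE = re.compile(r"^(CONFIG_[A-Z0-9_]+)=(y|m)\s*$")
FAIL_RE = re.compile(
    r"^(\w+):FAIL:(.+?) unexpected .*actual (-?\d+) != expected (-?\d+)"
)


def enabled_options(config_text):
    """Return the set of options set to y or m in a Kconfig fragment."""
    found = set()
    for line in config_text.splitlines():
        m = CONFIG_RE.match(line.strip())
        if m:
            found.add(m.group(1))
    return found


def missing_options(config_text, required=REQUIRED):
    """List required options the fragment does not enable, in order."""
    enabled = enabled_options(config_text)
    return [opt for opt in required if opt not in enabled]


def with_missing_enabled(config_text, required=REQUIRED):
    """Return the fragment with any missing required options appended as =y."""
    extra = "".join(f"{opt}=y\n" for opt in missing_options(config_text, required))
    if not config_text.endswith("\n"):
        config_text += "\n"
    return config_text + extra


def decode_errno(value):
    """Map a negative kernel-style return value (e.g. -22) to its errno name."""
    if value >= 0:
        return None
    return errno.errorcode.get(-value, f"errno {-value}")


def summarize_failures(log_text):
    """Collect FAIL lines from test_progs output with the decoded errno."""
    results = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        actual = int(m.group(3))
        results.append({
            "func": m.group(1),
            "test": m.group(2).strip(),
            "actual": actual,
            "errno": decode_errno(actual),
        })
    return results


if __name__ == "__main__":
    for opt in missing_options(SAMPLE_CONFIG):
        print(f"missing from selftests config: {opt}")
    for f in summarize_failures(SAMPLE_LOG):
        print(f"{f['func']}: {f['test']} -> {f['actual']} ({f['errno']})")
```

Running it on the constructed inputs reports CONFIG_NF_NAT as missing and decodes both NAT failures as EINVAL, which matches the diagnosis in the thread; pointing it at the real config fragment and a saved test_progs log works the same way.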


* Re: [PATCH bpf-next 0/4] Introduce bpf_ct_set_nat_info kfunc helper
  2022-09-02 15:44       ` Daniel Müller
@ 2022-09-02 16:01         ` Lorenzo Bianconi
  0 siblings, 0 replies; 10+ messages in thread
From: Lorenzo Bianconi @ 2022-09-02 16:01 UTC (permalink / raw)
  To: Daniel Müller
  Cc: Daniel Borkmann, Lorenzo Bianconi, bpf, netdev, ast, andrii,
	davem, kuba, edumazet, pabeni, pablo, fw, netfilter-devel,
	brouer, toke, memxor


> On Fri, Sep 02, 2022 at 04:41:28PM +0200, Daniel Borkmann wrote:
> > On 9/2/22 4:35 PM, Lorenzo Bianconi wrote:
> > > On Sep 02, Daniel Borkmann wrote:
> > > > On 9/1/22 6:43 PM, Lorenzo Bianconi wrote:
> > > > > Introduce bpf_ct_set_nat_info kfunc helper in order to set source and
> > > > > destination nat addresses/ports in a new allocated ct entry not inserted
> > > > > in the connection tracking table yet.
> > > > > Introduce support for per-parameter trusted args.
> > > > > 
> > > > > Kumar Kartikeya Dwivedi (2):
> > > > >     bpf: Add support for per-parameter trusted args
> > > > >     selftests/bpf: Extend KF_TRUSTED_ARGS test for __ref annotation
> > > > > 
> > > > > Lorenzo Bianconi (2):
> > > > >     net: netfilter: add bpf_ct_set_nat_info kfunc helper
> > > > >     selftests/bpf: add tests for bpf_ct_set_nat_info kfunc
> > > > > 
> > > > >    Documentation/bpf/kfuncs.rst                  | 18 +++++++
> > > > >    kernel/bpf/btf.c                              | 39 ++++++++++-----
> > > > >    net/bpf/test_run.c                            |  9 +++-
> > > > >    net/netfilter/nf_conntrack_bpf.c              | 49 ++++++++++++++++++-
> > > > >    .../testing/selftests/bpf/prog_tests/bpf_nf.c |  2 +
> > > > >    .../testing/selftests/bpf/progs/test_bpf_nf.c | 26 +++++++++-
> > > > >    tools/testing/selftests/bpf/verifier/calls.c  | 38 +++++++++++---
> > > > >    7 files changed, 156 insertions(+), 25 deletions(-)
> > > > > 
> > > > 
> > > > Looks like this fails BPF CI, ptal:
> > > > 
> > > > https://github.com/kernel-patches/bpf/runs/8147936670?check_suite_focus=true
> > > 
> > > Hi Daniel,
> > > 
> > > it seems CONFIG_NF_NAT is not set in the kernel config file.
> > > Am I supposed to enable it in bpf-next/tools/testing/selftests/bpf/config?
> > 
> > This would have to be set there and added to the patches, yes. @Andrii/DanielM, is
> > this enough or are other steps needed on top of that?
> 
> Yes, I think it should be set at said location. Nothing else should be
> needed in addition that I can think of.

ack, I will wait a bit for some more feedback and then I will post v2.

Regards,
Lorenzo

> 
> Thanks,
> Daniel
> 
> [...]
> 


Thread overview: 10+ messages
2022-09-01 16:43 [PATCH bpf-next 0/4] Introduce bpf_ct_set_nat_info kfunc helper Lorenzo Bianconi
2022-09-01 16:43 ` [PATCH bpf-next 1/4] bpf: Add support for per-parameter trusted args Lorenzo Bianconi
2022-09-01 16:43 ` [PATCH bpf-next 2/4] selftests/bpf: Extend KF_TRUSTED_ARGS test for __ref annotation Lorenzo Bianconi
2022-09-01 16:43 ` [PATCH bpf-next 3/4] net: netfilter: add bpf_ct_set_nat_info kfunc helper Lorenzo Bianconi
2022-09-01 16:43 ` [PATCH bpf-next 4/4] selftests/bpf: add tests for bpf_ct_set_nat_info kfunc Lorenzo Bianconi
2022-09-02 14:11 ` [PATCH bpf-next 0/4] Introduce bpf_ct_set_nat_info kfunc helper Daniel Borkmann
2022-09-02 14:35   ` Lorenzo Bianconi
2022-09-02 14:41     ` Daniel Borkmann
2022-09-02 15:44       ` Daniel Müller
2022-09-02 16:01         ` Lorenzo Bianconi
