[PATCH bpf-next v3 08/16] bpfilter: add match structure

[Quentin Deslandes <qde@naccy.de>]

struct match_ops defines a polymorphic interface for matches. A match
consists of pointers to struct match_ops and struct xt_entry_match which
contains a payload for the match's type.

The match interface supports the following operations:
- check: validate a rule's match.
- gen_inline: generate eBPF bytecode for the match.

All match_ops structures are kept in a map by their name.

Co-developed-by: Dmitrii Banshchikov <me@ubique.spb.ru>
Signed-off-by: Dmitrii Banshchikov <me@ubique.spb.ru>
Signed-off-by: Quentin Deslandes <qde@naccy.de>
---
 net/bpfilter/Makefile                         |  1 +
 net/bpfilter/context.c                        | 43 ++++++++++++
 net/bpfilter/context.h                        |  3 +
 net/bpfilter/match.c                          | 55 +++++++++++++++
 net/bpfilter/match.h                          | 35 ++++++++++
 .../testing/selftests/bpf/bpfilter/.gitignore |  1 +
 tools/testing/selftests/bpf/bpfilter/Makefile |  7 ++
 .../selftests/bpf/bpfilter/bpfilter_util.h    | 22 ++++++
 .../selftests/bpf/bpfilter/test_match.c       | 69 +++++++++++++++++++
 9 files changed, 236 insertions(+)
 create mode 100644 net/bpfilter/match.c
 create mode 100644 net/bpfilter/match.h
 create mode 100644 tools/testing/selftests/bpf/bpfilter/bpfilter_util.h
 create mode 100644 tools/testing/selftests/bpf/bpfilter/test_match.c

diff --git a/net/bpfilter/Makefile b/net/bpfilter/Makefile
index ac039f1fac34..2f8d867a6038 100644
--- a/net/bpfilter/Makefile
+++ b/net/bpfilter/Makefile
@@ -13,6 +13,7 @@ $(LIBBPF_A):
 userprogs := bpfilter_umh
 bpfilter_umh-objs := main.o logger.o map-common.o
 bpfilter_umh-objs += context.o codegen.o
+bpfilter_umh-objs += match.o
 bpfilter_umh-userldlibs := $(LIBBPF_A) -lelf -lz
 userccflags += -I $(srctree)/tools/include/ -I $(srctree)/tools/include/uapi
 
diff --git a/net/bpfilter/context.c b/net/bpfilter/context.c
index fdfd5fe78424..b5e172412fab 100644
--- a/net/bpfilter/context.c
+++ b/net/bpfilter/context.c
@@ -8,11 +8,54 @@
 
 #include "context.h"
 
+#include <linux/kernel.h>
+
+#include <string.h>
+
+#include "logger.h"
+#include "map-common.h"
+#include "match.h"
+
+static const struct match_ops *match_ops[] = { };
+
+static int init_match_ops_map(struct context *ctx)
+{
+	int r;
+
+	r = create_map(&ctx->match_ops_map, ARRAY_SIZE(match_ops));
+	if (r) {
+		BFLOG_ERR("failed to create matches map: %s", STRERR(r));
+		return r;
+	}
+
+	for (int i = 0; i < ARRAY_SIZE(match_ops); ++i) {
+		const struct match_ops *m = match_ops[i];
+
+		r = map_upsert(&ctx->match_ops_map, m->name, (void *)m);
+		if (r) {
+			BFLOG_ERR("failed to upsert in matches map: %s",
+				  STRERR(r));
+			return r;
+		}
+	}
+
+	return 0;
+}
+
 int create_context(struct context *ctx)
 {
+	int r;
+
+	r = init_match_ops_map(ctx);
+	if (r) {
+		BFLOG_ERR("failed to initialize matches map: %s", STRERR(r));
+		return r;
+	}
+
 	return 0;
 }
 
 void free_context(struct context *ctx)
 {
+	free_map(&ctx->match_ops_map);
 }
diff --git a/net/bpfilter/context.h b/net/bpfilter/context.h
index df41b9707a81..e36aa8ebf57e 100644
--- a/net/bpfilter/context.h
+++ b/net/bpfilter/context.h
@@ -7,7 +7,10 @@
 #ifndef NET_BPFILTER_CONTEXT_H
 #define NET_BPFILTER_CONTEXT_H
 
+#include <search.h>
+
 struct context {
+	struct hsearch_data match_ops_map;
 };
 
 int create_context(struct context *ctx);
diff --git a/net/bpfilter/match.c b/net/bpfilter/match.c
new file mode 100644
index 000000000000..fdb0926442a8
--- /dev/null
+++ b/net/bpfilter/match.c
@@ -0,0 +1,55 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (c) 2021 Telegram FZ-LLC
+ * Copyright (c) 2022 Meta Platforms, Inc. and affiliates.
+ */
+
+#define _GNU_SOURCE
+
+#include "match.h"
+
+#include <linux/err.h>
+
+#include <errno.h>
+#include <string.h>
+
+#include "context.h"
+#include "logger.h"
+#include "map-common.h"
+
+int init_match(struct context *ctx, const struct bpfilter_ipt_match *ipt_match,
+	       struct match *match)
+{
+	const size_t maxlen = sizeof(ipt_match->u.user.name);
+	const struct match_ops *found;
+	int r;
+
+	if (strnlen(ipt_match->u.user.name, maxlen) == maxlen) {
+		BFLOG_ERR("failed to init match: name too long");
+		return -EINVAL;
+	}
+
+	found = map_find(&ctx->match_ops_map, ipt_match->u.user.name);
+	if (IS_ERR(found)) {
+		BFLOG_ERR("failed to find match by name: '%s'",
+			  ipt_match->u.user.name);
+		return PTR_ERR(found);
+	}
+
+	if (found->size + sizeof(*ipt_match) != ipt_match->u.match_size ||
+	    found->revision != ipt_match->u.user.revision) {
+		BFLOG_ERR("invalid match: '%s'", ipt_match->u.user.name);
+		return -EINVAL;
+	}
+
+	r = found->check(ctx, ipt_match);
+	if (r) {
+		BFLOG_ERR("match check failed: %s", STRERR(r));
+		return r;
+	}
+
+	match->match_ops = found;
+	match->ipt_match = ipt_match;
+
+	return 0;
+}
diff --git a/net/bpfilter/match.h b/net/bpfilter/match.h
new file mode 100644
index 000000000000..c6541e6a6567
--- /dev/null
+++ b/net/bpfilter/match.h
@@ -0,0 +1,35 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (c) 2021 Telegram FZ-LLC
+ * Copyright (c) 2022 Meta Platforms, Inc. and affiliates.
+ */
+
+#ifndef NET_BPFILTER_MATCH_H
+#define NET_BPFILTER_MATCH_H
+
+#include "../../include/uapi/linux/bpfilter.h"
+
+#include <stdint.h>
+
+struct bpfilter_ipt_match;
+struct codegen;
+struct context;
+struct match;
+
+struct match_ops {
+	char name[BPFILTER_EXTENSION_MAXNAMELEN];
+	uint8_t revision;
+	uint16_t size;
+	int (*check)(struct context *ctx, const struct bpfilter_ipt_match *ipt_match);
+	int (*gen_inline)(struct codegen *ctx, const struct match *match);
+};
+
+struct match {
+	const struct match_ops *match_ops;
+	const struct bpfilter_ipt_match *ipt_match;
+};
+
+int init_match(struct context *ctx, const struct bpfilter_ipt_match *ipt_match,
+	       struct match *match);
+
+#endif // NET_BPFILTER_MATCH_H
diff --git a/tools/testing/selftests/bpf/bpfilter/.gitignore b/tools/testing/selftests/bpf/bpfilter/.gitignore
index 39ec0c09dff4..9ac1b3caf246 100644
--- a/tools/testing/selftests/bpf/bpfilter/.gitignore
+++ b/tools/testing/selftests/bpf/bpfilter/.gitignore
@@ -1,3 +1,4 @@
 # SPDX-License-Identifier: GPL-2.0-only
 tools/**
 test_map
+test_match
diff --git a/tools/testing/selftests/bpf/bpfilter/Makefile b/tools/testing/selftests/bpf/bpfilter/Makefile
index e3b8bf76a10c..10642c1d6a87 100644
--- a/tools/testing/selftests/bpf/bpfilter/Makefile
+++ b/tools/testing/selftests/bpf/bpfilter/Makefile
@@ -11,6 +11,7 @@ BPFDIR := $(LIBDIR)/bpf
 CFLAGS += -Wall -g -pthread -I$(TOOLSINCDIR) -I$(APIDIR) -I$(BPFILTERSRCDIR)
 
 TEST_GEN_PROGS += test_map
+TEST_GEN_PROGS += test_match
 
 KSFT_KHDR_INSTALL := 1
 
@@ -34,5 +35,11 @@ $(BPFOBJ): $(wildcard $(BPFDIR)/*.[ch] $(BPFDIR)/Makefile)			\
 
 BPFILTER_MAP_SRCS := $(BPFILTERSRCDIR)/map-common.c
 BPFILTER_CODEGEN_SRCS := $(BPFILTERSRCDIR)/codegen.c $(BPFOBJ) -lelf -lz
+BPFILTER_MATCH_SRCS := $(BPFILTERSRCDIR)/match.c
+
+BPFILTER_COMMON_SRCS := $(BPFILTER_MAP_SRCS)
+BPFILTER_COMMON_SRCS += $(BPFILTERSRCDIR)/context.c $(BPFILTERSRCDIR)/logger.c
+BPFILTER_COMMON_SRCS += $(BPFILTER_MATCH_SRCS)
 
 $(OUTPUT)/test_map: test_map.c $(BPFILTER_MAP_SRCS)
+$(OUTPUT)/test_match: test_match.c $(BPFILTER_COMMON_SRCS)
diff --git a/tools/testing/selftests/bpf/bpfilter/bpfilter_util.h b/tools/testing/selftests/bpf/bpfilter/bpfilter_util.h
new file mode 100644
index 000000000000..705fd1777a67
--- /dev/null
+++ b/tools/testing/selftests/bpf/bpfilter/bpfilter_util.h
@@ -0,0 +1,22 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+
+#ifndef BPFILTER_UTIL_H
+#define BPFILTER_UTIL_H
+
+#include <linux/netfilter/x_tables.h>
+
+#include <stdio.h>
+#include <stdint.h>
+#include <string.h>
+
+static inline void init_entry_match(struct xt_entry_match *match,
+				    uint16_t size, uint8_t revision,
+				    const char *name)
+{
+	memset(match, 0, sizeof(*match));
+	sprintf(match->u.user.name, "%s", name);
+	match->u.user.match_size = size;
+	match->u.user.revision = revision;
+}
+
+#endif // BPFILTER_UTIL_H
diff --git a/tools/testing/selftests/bpf/bpfilter/test_match.c b/tools/testing/selftests/bpf/bpfilter/test_match.c
new file mode 100644
index 000000000000..4a0dc1b14e4d
--- /dev/null
+++ b/tools/testing/selftests/bpf/bpfilter/test_match.c
@@ -0,0 +1,69 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#define _GNU_SOURCE
+
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_tcpudp.h>
+
+#include "../../kselftest_harness.h"
+
+#include "context.h"
+#include "logger.h"
+#include "match.h"
+
+#include "bpfilter_util.h"
+
+/**
+ * struct udp_match - Dummy test structure.
+ *
+ * This structure provides enough space to allow for name too long, so it
+ * doesn't overwrite anything.
+ */
+struct udp_match {
+	struct xt_entry_match ipt_match;
+	char placeholder[32];
+};
+
+FIXTURE(test_match_init)
+{
+	struct context ctx;
+	struct udp_match udp_match;
+	struct match match;
+};
+
+FIXTURE_SETUP(test_match_init)
+{
+	logger_set_file(stderr);
+	ASSERT_EQ(0, create_context(&self->ctx));
+};
+
+FIXTURE_TEARDOWN(test_match_init)
+{
+	free_context(&self->ctx);
+}
+
+TEST_F(test_match_init, name_too_long)
+{
+	init_entry_match(&self->udp_match.ipt_match, sizeof(self->udp_match), 0,
+			 "this match name is supposed to be way too long...");
+
+	ASSERT_EQ(init_match(&self->ctx,
+			     (const struct bpfilter_ipt_match *)&self->udp_match
+				     .ipt_match,
+			     &self->match),
+		  -EINVAL);
+}
+
+TEST_F(test_match_init, not_found)
+{
+	init_entry_match(&self->udp_match.ipt_match, sizeof(self->udp_match), 0,
+			 "doesn't exist");
+
+	ASSERT_EQ(init_match(&self->ctx,
+			     (const struct bpfilter_ipt_match *)&self->udp_match
+				     .ipt_match,
+			     &self->match),
+		  -ENOENT);
+}
+
+TEST_HARNESS_MAIN
-- 
2.38.1