From: Florian Westphal <fw@strlen.de>
To: Quentin Monnet <quentin@isovalent.com>
Cc: Florian Westphal <fw@strlen.de>,
	netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,
	bpf@vger.kernel.org, dxu@dxuuu.xyz, qde@naccy.de
Subject: Re: [PATCH bpf-next v2 5/6] tools: bpftool: print netfilter link info
Date: Fri, 14 Apr 2023 12:41:21 +0200
Message-ID: <20230414104121.GB5889@breakpoint.cc>
In-Reply-To: <CACdoK4LRjNsDY6m2fvUGY_C9gMvUdX9QpEetr9RtGuR8xb8pmg@mail.gmail.com>

Quentin Monnet <quentin@isovalent.com> wrote:
> On Thu, 13 Apr 2023 at 14:36, Florian Westphal <fw@strlen.de> wrote:
> >
> > Dump protocol family, hook and priority value:
> > $ bpftool link
> > 2: type 10  prog 20
> 
> Could you please update link_type_name in libbpf (libbpf.c) so that we
> display "netfilter" here instead of "type 10"?

Done.

> > diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
> > index 3823100b7934..c93febc4c75f 100644
> > --- a/tools/include/uapi/linux/bpf.h
> > +++ b/tools/include/uapi/linux/bpf.h
> > @@ -986,6 +986,7 @@ enum bpf_prog_type {
> >         BPF_PROG_TYPE_LSM,
> >         BPF_PROG_TYPE_SK_LOOKUP,
> >         BPF_PROG_TYPE_SYSCALL, /* a program that can execute syscalls */
> > +       BPF_PROG_TYPE_NETFILTER,
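
Review bot: The added BPF_PROG_TYPE_NETFILTER entry in enum bpf_prog_type has no comment, while the BPF_PROG_TYPE_SYSCALL entry directly above it documents what the type is for; a short trailing comment on the new line would keep the enum self-describing. The entry is appended after the last existing value, which leaves the numbering of the earlier types unchanged. Since this file is the tools/ copy of the UAPI header, it is worth confirming that the same enum value is added to include/uapi/linux/bpf.h elsewhere in the series so the two copies do not diverge.
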
> 
> If netfilter programs could be loaded with bpftool, we'd need to
> update bpftool's docs. But I don't think this is the case, right?

bpftool prog load nftest.o /sys/fs/bpf/nftest

will work, but the program isn't attached anywhere.

> don't currently have a way to pass the pf, hooknum, priority and flags
> necessary to load the program with "bpftool prog load" so it would
> fail?

I don't know how to make it work to actually attach it, because
the hook is unregistered when the link fd is closed.

So either bpftool would have to fork and auto-daemon (maybe
unexpected...) or wait/block until CTRL-C.

This also needs new libbpf api AFAICS because existing bpf_link
are specific to the program type, so I'd have to add something like:

struct bpf_link *
bpf_program__attach_netfilter(const struct bpf_program *prog,
			      const struct bpf_netfilter_opts *opts)

Advice welcome.

> Have you considered listing netfilter programs in the output of
> "bpftool net" as well? Given that they're related to networking, it
> would maybe make sense to have them listed alongside XDP, TC, and flow
> dissector programs?

I could print the same output that 'bpf link' already shows.

Not sure on the real distinction between those two here.

When should I use 'bpftool link' and when 'bpftool net', and what info
and features should either of these provide for netfilter programs?

Thread overview: 12+ messages
2023-04-13 13:32 [PATCH bpf-next v2 0/6] bpf: add netfilter program type Florian Westphal
2023-04-13 13:32 ` [PATCH bpf-next v2 1/6] bpf: add bpf_link support for BPF_NETFILTER programs Florian Westphal
2023-04-13 13:32 ` [PATCH bpf-next v2 2/6] bpf: minimal support for programs hooked into netfilter framework Florian Westphal
2023-04-13 13:32 ` [PATCH bpf-next v2 3/6] netfilter: nfnetlink hook: dump bpf prog id Florian Westphal
2023-04-13 13:32 ` [PATCH bpf-next v2 4/6] netfilter: disallow bpf hook attachment at same priority Florian Westphal
2023-04-13 13:32 ` [PATCH bpf-next v2 5/6] tools: bpftool: print netfilter link info Florian Westphal
2023-04-13 21:14   ` Quentin Monnet
2023-04-14 10:41     ` Florian Westphal [this message]
2023-04-14 13:20       ` Quentin Monnet
2023-04-14 14:49         ` Florian Westphal
2023-04-14 14:54           ` Quentin Monnet
2023-04-13 13:32 ` [PATCH bpf-next v2 6/6] bpf: add test_run support for netfilter program type Florian Westphal
