[PATCH] samples/bpf: Add sample usage for BPF_PROG_TYPE_NETFILTER

[David Wang <00107082@163.com>]

This sample code implements a simple ipv4
blacklist via the new bpf type BPF_PROG_TYPE_NETFILTER,
which was introduced in 6.4.

The bpf program drops package if destination ip address
hits a match in the map of type BPF_MAP_TYPE_LPM_TRIE,

The userspace code would load the bpf program,
attach it to netfilter's FORWARD/OUTPUT hook,
and then write ip patterns into the bpf map.

Signed-off-by: David Wang <00107082@163.com>
---
 samples/bpf/Makefile                      |  3 +
 samples/bpf/netfilter_ip4_blacklist.bpf.c | 62 +++++++++++++++
 samples/bpf/netfilter_ip4_blacklist.c     | 96 +++++++++++++++++++++++
 3 files changed, 161 insertions(+)
 create mode 100644 samples/bpf/netfilter_ip4_blacklist.bpf.c
 create mode 100644 samples/bpf/netfilter_ip4_blacklist.c

diff --git a/samples/bpf/Makefile b/samples/bpf/Makefile
index 4ccf4236031c..ff027ea5ce24 100644
--- a/samples/bpf/Makefile
+++ b/samples/bpf/Makefile
@@ -46,6 +46,7 @@ tprogs-y += xdp_fwd
 tprogs-y += task_fd_query
 tprogs-y += ibumad
 tprogs-y += hbm
+tprogs-y += netfilter_ip4_blacklist
 
 # Libbpf dependencies
 LIBBPF_SRC = $(TOOLS_PATH)/lib/bpf
@@ -96,6 +97,7 @@ xdp_fwd-objs := xdp_fwd_user.o
 task_fd_query-objs := task_fd_query_user.o $(TRACE_HELPERS)
 ibumad-objs := ibumad_user.o
 hbm-objs := hbm.o $(CGROUP_HELPERS)
+netfilter_ip4_blacklist-objs := netfilter_ip4_blacklist.o
 
 xdp_router_ipv4-objs := xdp_router_ipv4_user.o $(XDP_SAMPLE)
 
@@ -149,6 +151,7 @@ always-y += task_fd_query_kern.o
 always-y += ibumad_kern.o
 always-y += hbm_out_kern.o
 always-y += hbm_edt_kern.o
+always-y += netfilter_ip4_blacklist.bpf.o
 
 ifeq ($(ARCH), arm)
 # Strip all except -D__LINUX_ARM_ARCH__ option needed to handle linux
diff --git a/samples/bpf/netfilter_ip4_blacklist.bpf.c b/samples/bpf/netfilter_ip4_blacklist.bpf.c
new file mode 100644
index 000000000000..d315d64fda7f
--- /dev/null
+++ b/samples/bpf/netfilter_ip4_blacklist.bpf.c
@@ -0,0 +1,62 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include "vmlinux.h"
+#include <bpf/bpf_helpers.h>
+
+
+#define NF_DROP 0
+#define NF_ACCEPT 1
+
+int bpf_dynptr_from_skb(struct sk_buff *skb,
+		__u64 flags, struct bpf_dynptr *ptr__uninit) __ksym;
+void *bpf_dynptr_slice(const struct bpf_dynptr *ptr,
+		uint32_t offset, void *buffer, uint32_t buffer__sz) __ksym;
+
+
+struct ipv4_lpm_key {
+	__u32 prefixlen;
+	__u32 data;
+};
+
+struct {
+	__uint(type, BPF_MAP_TYPE_LPM_TRIE);
+	__type(key, struct ipv4_lpm_key);
+	__type(value, __u32);
+	__uint(map_flags, BPF_F_NO_PREALLOC);
+	__uint(max_entries, 200);
+} ipv4_lpm_map SEC(".maps");
+
+
+SEC("netfilter")
+int netfilter_ip4block(struct bpf_nf_ctx *ctx)
+{
+	struct sk_buff *skb = ctx->skb;
+	struct bpf_dynptr ptr;
+	struct iphdr *p, iph = {};
+	struct ipv4_lpm_key key;
+	__u32 *pvalue;
+
+	if (skb->len <= 20 || bpf_dynptr_from_skb(skb, 0, &ptr))
+		return NF_ACCEPT;
+	p = bpf_dynptr_slice(&ptr, 0, &iph, sizeof(iph));
+	if (!p)
+		return NF_ACCEPT;
+
+	/* ip4 only */
+	if (p->version != 4)
+		return NF_ACCEPT;
+
+	/* search p->daddr in trie */
+	key.prefixlen = 32;
+	key.data = p->daddr;
+	pvalue = bpf_map_lookup_elem(&ipv4_lpm_map, &key);
+	if (pvalue) {
+		/* cat /sys/kernel/debug/tracing/trace_pipe */
+		bpf_printk("rule matched with %d...\n", *pvalue);
+		return NF_DROP;
+	}
+	return NF_ACCEPT;
+}
+
+char _license[] SEC("license") = "GPL";
+
diff --git a/samples/bpf/netfilter_ip4_blacklist.c b/samples/bpf/netfilter_ip4_blacklist.c
new file mode 100644
index 000000000000..bb7b26e5e06d
--- /dev/null
+++ b/samples/bpf/netfilter_ip4_blacklist.c
@@ -0,0 +1,96 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include <stdio.h>
+#include <unistd.h>
+#include <asm/unistd.h>
+#include <bpf/libbpf.h>
+#include <bpf/bpf.h>
+#include <linux/netfilter.h>
+
+
+static inline int sys_bpf(enum bpf_cmd cmd, union bpf_attr *attr, unsigned int size)
+{
+	return syscall(__NR_bpf, cmd, attr, size);
+}
+struct ipv4_lpm_key {
+	__u32 prefixlen;
+	__u32 data;
+};
+
+int main(int argc, char **argv)
+{
+	int prog_fd, map_fd;
+	int err;
+	struct bpf_object *obj;
+	struct bpf_program *prog;
+	union bpf_attr attr = { };
+
+	obj = bpf_object__open_file("./netfilter_ip4_blacklist.bpf.o", NULL);
+	if (libbpf_get_error(obj)) {
+		printf("fail to open bpf file\n");
+		return 1;
+	}
+	prog = bpf_object__find_program_by_name(obj, "netfilter_ip4block");
+	if (!prog) {
+		printf("fail to find bpf program\n");
+		return 1;
+	}
+	bpf_program__set_type(prog, BPF_PROG_TYPE_NETFILTER);
+	if (bpf_object__load(obj)) {
+		printf("loading BPF object file failed\n");
+		return 1;
+	}
+	map_fd = bpf_object__find_map_fd_by_name(obj, "ipv4_lpm_map");
+	if (map_fd < 0) {
+		printf("Fail to locate trie ipv4_lpm_map\n");
+		return 1;
+	}
+	/* attach to netfilter forward handler */
+	prog_fd = bpf_program__fd(prog);
+	attr.link_create.prog_fd = prog_fd;
+	attr.link_create.attach_type = BPF_NETFILTER;
+	attr.link_create.netfilter.pf = NFPROTO_IPV4;
+	attr.link_create.netfilter.hooknum = NF_INET_FORWARD;
+	attr.link_create.netfilter.priority = -128;
+	err = sys_bpf(BPF_LINK_CREATE, &attr, sizeof(attr));
+	if (err < 0) {
+		perror("Fail to link bpf program to netfilter forward hook\n");
+		return 1;
+	}
+	/* attach to netfilter output handler */
+	attr.link_create.netfilter.hooknum = NF_INET_LOCAL_OUT;
+	err = sys_bpf(BPF_LINK_CREATE, &attr, sizeof(attr));
+	if (err < 0) {
+		perror("Fail to link bpf program to netfilter output hook\n");
+		return 1;
+	}
+	printf("bpf program/map loaded....\n");
+	/* add rules */
+	{
+		struct ipv4_lpm_key key;
+		__u32 value = 0;
+		__u8 *p = (__u8 *) &key.data;
+		/* block 192.168.11.107/32 */
+		key.prefixlen = 32;
+		/* same as key.data = 0x6B0BA8C0; on a little-endian machine */
+		p[0] = 192;
+		p[1] = 168;
+		p[2] = 11;
+		p[3] = 107;
+		bpf_map_update_elem(map_fd, &key, &value, BPF_ANY);
+		/* block 192.168.11.107/24 */
+		key.prefixlen = 24;
+		value++;
+		bpf_map_update_elem(map_fd, &key, &value, BPF_ANY);
+		/* block 192.168.11.107/27 */
+		key.prefixlen = 27;
+		value++;
+		bpf_map_update_elem(map_fd, &key, &value, BPF_ANY);
+		/* remove rule */
+		/* bpf_map_delete_elem(map_fd, &key); */
+		printf("rules inserted, ready to work\n");
+	}
+	while (1)
+		sleep(600);
+	return 0;
+}
-- 
2.20.1