* [PATCH] samples/bpf: Add sample usage for BPF_PROG_TYPE_NETFILTER
From: David Wang @ 2023-09-04 10:21 UTC (permalink / raw)
To: fw
Cc: David Wang, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend,
KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, linux-kernel,
bpf
This sample code implements a simple ipv4
blacklist via the new bpf type BPF_PROG_TYPE_NETFILTER,
which was introduced in 6.4.
The bpf program drops a packet if its destination ip address
matches an entry in the map of type BPF_MAP_TYPE_LPM_TRIE.
The userspace code would load the bpf program,
attach it to netfilter's FORWARD/OUTPUT hook,
and then write ip patterns into the bpf map.
Signed-off-by: David Wang <00107082@163.com>
---
samples/bpf/Makefile | 3 +
samples/bpf/netfilter_ip4_blacklist.bpf.c | 62 +++++++++++++++
samples/bpf/netfilter_ip4_blacklist.c | 96 +++++++++++++++++++++++
3 files changed, 161 insertions(+)
create mode 100644 samples/bpf/netfilter_ip4_blacklist.bpf.c
create mode 100644 samples/bpf/netfilter_ip4_blacklist.c
diff --git a/samples/bpf/Makefile b/samples/bpf/Makefile
index 4ccf4236031c..ff027ea5ce24 100644
--- a/samples/bpf/Makefile
+++ b/samples/bpf/Makefile
@@ -46,6 +46,7 @@ tprogs-y += xdp_fwd
tprogs-y += task_fd_query
tprogs-y += ibumad
tprogs-y += hbm
+tprogs-y += netfilter_ip4_blacklist
# Libbpf dependencies
LIBBPF_SRC = $(TOOLS_PATH)/lib/bpf
@@ -96,6 +97,7 @@ xdp_fwd-objs := xdp_fwd_user.o
task_fd_query-objs := task_fd_query_user.o $(TRACE_HELPERS)
ibumad-objs := ibumad_user.o
hbm-objs := hbm.o $(CGROUP_HELPERS)
+netfilter_ip4_blacklist-objs := netfilter_ip4_blacklist.o
xdp_router_ipv4-objs := xdp_router_ipv4_user.o $(XDP_SAMPLE)
@@ -149,6 +151,7 @@ always-y += task_fd_query_kern.o
always-y += ibumad_kern.o
always-y += hbm_out_kern.o
always-y += hbm_edt_kern.o
+always-y += netfilter_ip4_blacklist.bpf.o
ifeq ($(ARCH), arm)
# Strip all except -D__LINUX_ARM_ARCH__ option needed to handle linux
diff --git a/samples/bpf/netfilter_ip4_blacklist.bpf.c b/samples/bpf/netfilter_ip4_blacklist.bpf.c
new file mode 100644
index 000000000000..d315d64fda7f
--- /dev/null
+++ b/samples/bpf/netfilter_ip4_blacklist.bpf.c
@@ -0,0 +1,62 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include "vmlinux.h"
+#include <bpf/bpf_helpers.h>
+
+
+#define NF_DROP 0
+#define NF_ACCEPT 1
+
+int bpf_dynptr_from_skb(struct sk_buff *skb,
+ __u64 flags, struct bpf_dynptr *ptr__uninit) __ksym;
+void *bpf_dynptr_slice(const struct bpf_dynptr *ptr,
+ uint32_t offset, void *buffer, uint32_t buffer__sz) __ksym;
+
+
+struct ipv4_lpm_key {
+ __u32 prefixlen;
+ __u32 data;
+};
+
+struct {
+ __uint(type, BPF_MAP_TYPE_LPM_TRIE);
+ __type(key, struct ipv4_lpm_key);
+ __type(value, __u32);
+ __uint(map_flags, BPF_F_NO_PREALLOC);
+ __uint(max_entries, 200);
+} ipv4_lpm_map SEC(".maps");
+
+
+SEC("netfilter")
+int netfilter_ip4block(struct bpf_nf_ctx *ctx)
+{
+ struct sk_buff *skb = ctx->skb;
+ struct bpf_dynptr ptr;
+ struct iphdr *p, iph = {};
+ struct ipv4_lpm_key key;
+ __u32 *pvalue;
+
+ if (skb->len <= 20 || bpf_dynptr_from_skb(skb, 0, &ptr))
+ return NF_ACCEPT;
+ p = bpf_dynptr_slice(&ptr, 0, &iph, sizeof(iph));
+ if (!p)
+ return NF_ACCEPT;
+
+ /* ip4 only */
+ if (p->version != 4)
+ return NF_ACCEPT;
+
+ /* search p->daddr in trie */
+ key.prefixlen = 32;
+ key.data = p->daddr;
+ pvalue = bpf_map_lookup_elem(&ipv4_lpm_map, &key);
+ if (pvalue) {
+ /* cat /sys/kernel/debug/tracing/trace_pipe */
+ bpf_printk("rule matched with %d...\n", *pvalue);
+ return NF_DROP;
+ }
+ return NF_ACCEPT;
+}
+
+char _license[] SEC("license") = "GPL";
+
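Review bot: The guard `skb->len <= 20` in netfilter_ip4block hard-codes the header size and sends a packet of exactly 20 bytes to NF_ACCEPT without any lookup; `if (skb->len < sizeof(struct iphdr) || bpf_dynptr_from_skb(skb, 0, &ptr))` would tie the bound to the structure that is actually sliced. The short-packet, dynptr-failure and NULL-slice exits all return NF_ACCEPT, so the filter fails open on anything it cannot parse; a comment such as `/* unparsable packets are accepted: this sample fails open */` would make that a stated choice. Only `p->daddr` is looked up, so a header comment should say that the list restricts traffic going to a listed address, not traffic arriving from one.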
diff --git a/samples/bpf/netfilter_ip4_blacklist.c b/samples/bpf/netfilter_ip4_blacklist.c
new file mode 100644
index 000000000000..bb7b26e5e06d
--- /dev/null
+++ b/samples/bpf/netfilter_ip4_blacklist.c
@@ -0,0 +1,96 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include <stdio.h>
+#include <unistd.h>
+#include <asm/unistd.h>
+#include <bpf/libbpf.h>
+#include <bpf/bpf.h>
+#include <linux/netfilter.h>
+
+
+static inline int sys_bpf(enum bpf_cmd cmd, union bpf_attr *attr, unsigned int size)
+{
+ return syscall(__NR_bpf, cmd, attr, size);
+}
+struct ipv4_lpm_key {
+ __u32 prefixlen;
+ __u32 data;
+};
+
+int main(int argc, char **argv)
+{
+ int prog_fd, map_fd;
+ int err;
+ struct bpf_object *obj;
+ struct bpf_program *prog;
+ union bpf_attr attr = { };
+
+ obj = bpf_object__open_file("./netfilter_ip4_blacklist.bpf.o", NULL);
+ if (libbpf_get_error(obj)) {
+ printf("fail to open bpf file\n");
+ return 1;
+ }
+ prog = bpf_object__find_program_by_name(obj, "netfilter_ip4block");
+ if (!prog) {
+ printf("fail to find bpf program\n");
+ return 1;
+ }
+ bpf_program__set_type(prog, BPF_PROG_TYPE_NETFILTER);
+ if (bpf_object__load(obj)) {
+ printf("loading BPF object file failed\n");
+ return 1;
+ }
+ map_fd = bpf_object__find_map_fd_by_name(obj, "ipv4_lpm_map");
+ if (map_fd < 0) {
+ printf("Fail to locate trie ipv4_lpm_map\n");
+ return 1;
+ }
+ /* attach to netfilter forward handler */
+ prog_fd = bpf_program__fd(prog);
+ attr.link_create.prog_fd = prog_fd;
+ attr.link_create.attach_type = BPF_NETFILTER;
+ attr.link_create.netfilter.pf = NFPROTO_IPV4;
+ attr.link_create.netfilter.hooknum = NF_INET_FORWARD;
+ attr.link_create.netfilter.priority = -128;
+ err = sys_bpf(BPF_LINK_CREATE, &attr, sizeof(attr));
+ if (err < 0) {
+ perror("Fail to link bpf program to netfilter forward hook\n");
+ return 1;
+ }
+ /* attach to netfilter output handler */
+ attr.link_create.netfilter.hooknum = NF_INET_LOCAL_OUT;
+ err = sys_bpf(BPF_LINK_CREATE, &attr, sizeof(attr));
+ if (err < 0) {
+ perror("Fail to link bpf program to netfilter output hook\n");
+ return 1;
+ }
+ printf("bpf program/map loaded....\n");
+ /* add rules */
+ {
+ struct ipv4_lpm_key key;
+ __u32 value = 0;
+ __u8 *p = (__u8 *) &key.data;
+ /* block 192.168.11.107/32 */
+ key.prefixlen = 32;
+ /* same as key.data = 0x6B0BA8C0; on a little-endian machine */
+ p[0] = 192;
+ p[1] = 168;
+ p[2] = 11;
+ p[3] = 107;
+ bpf_map_update_elem(map_fd, &key, &value, BPF_ANY);
+ /* block 192.168.11.107/24 */
+ key.prefixlen = 24;
+ value++;
+ bpf_map_update_elem(map_fd, &key, &value, BPF_ANY);
+ /* block 192.168.11.107/27 */
+ key.prefixlen = 27;
+ value++;
+ bpf_map_update_elem(map_fd, &key, &value, BPF_ANY);
+ /* remove rule */
+ /* bpf_map_delete_elem(map_fd, &key); */
+ printf("rules inserted, ready to work\n");
+ }
+ while (1)
+ sleep(600);
+ return 0;
+}
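Review bot: The three `bpf_map_update_elem(map_fd, &key, &value, BPF_ANY);` calls in main() discard their return value, so the program prints "rules inserted, ready to work" and keeps both hooks attached even when no rule reached the trie. Each call should be checked, for example `if (bpf_map_update_elem(map_fd, &key, &value, BPF_ANY)) { perror("map update"); return 1; }`. The comments `block 192.168.11.107/24` and `block 192.168.11.107/27` pair a host address with a network prefix; naming the covered ranges (`192.168.11.0/24`, `192.168.11.96/27`) would show that the /32 and /27 entries already fall inside the /24. The descriptors returned by BPF_LINK_CREATE are kept only in `err`, so a comment that the attachment presumably lasts only while this process holds them would explain the closing `sleep` loop.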
--
2.20.1
* Re: [PATCH] samples/bpf: Add sample usage for BPF_PROG_TYPE_NETFILTER
From: Florian Westphal @ 2023-09-04 10:48 UTC (permalink / raw)
To: David Wang
Cc: fw, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend,
KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, linux-kernel,
bpf
David Wang <00107082@163.com> wrote:
> This sample code implements a simple ipv4
> blacklist via the new bpf type BPF_PROG_TYPE_NETFILTER,
> which was introduced in 6.4.
>
> The bpf program drops package if destination ip address
> hits a match in the map of type BPF_MAP_TYPE_LPM_TRIE,
>
> The userspace code would load the bpf program,
> attach it to netfilter's FORWARD/OUTPUT hook,
> and then write ip patterns into the bpf map.
Thanks, I think its good to have this.
> diff --git a/samples/bpf/netfilter_ip4_blacklist.bpf.c b/samples/bpf/netfilter_ip4_blacklist.bpf.c
> new file mode 100644
> index 000000000000..d315d64fda7f
> --- /dev/null
> +++ b/samples/bpf/netfilter_ip4_blacklist.bpf.c
> @@ -0,0 +1,62 @@
> +// SPDX-License-Identifier: GPL-2.0
> +
> +#include "vmlinux.h"
> +#include <bpf/bpf_helpers.h>
> +
> +
> +#define NF_DROP 0
> +#define NF_ACCEPT 1
If you are interested, you could send a patch for nf-next that
makes the uapi headers expose this as enum, AFAIU that would make
the verdict names available via vmlinux.h.
> + /* search p->daddr in trie */
> + key.prefixlen = 32;
> + key.data = p->daddr;
> + pvalue = bpf_map_lookup_elem(&ipv4_lpm_map, &key);
> + if (pvalue) {
> + /* cat /sys/kernel/debug/tracing/trace_pipe */
> + bpf_printk("rule matched with %d...\n", *pvalue);
If you are interested you could send a patch that adds a kfunc to
nf_bpf_link that exposes nf_log_packet() to bpf.
nf_log_packet has a terrible api, I suggest to have the kfunc take
'struct nf_hook_state *' instead of 6+ members of that struct as
argument.
Thanks for the example.
* Re:Re: [PATCH] samples/bpf: Add sample usage for BPF_PROG_TYPE_NETFILTER
From: David Wang @ 2023-09-04 11:10 UTC (permalink / raw)
To: Florian Westphal
Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend,
KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, linux-kernel,
bpf
At 2023-09-04 18:48:56, "Florian Westphal" <fw@strlen.de> wrote:
>David Wang <00107082@163.com> wrote:
>> This sample code implements a simple ipv4
>> blacklist via the new bpf type BPF_PROG_TYPE_NETFILTER,
>> which was introduced in 6.4.
>>
>> The bpf program drops package if destination ip address
>> hits a match in the map of type BPF_MAP_TYPE_LPM_TRIE,
>>
>> The userspace code would load the bpf program,
>> attach it to netfilter's FORWARD/OUTPUT hook,
>> and then write ip patterns into the bpf map.
>
>Thanks, I think its good to have this.
Thanks for the quick response.
>
>> diff --git a/samples/bpf/netfilter_ip4_blacklist.bpf.c b/samples/bpf/netfilter_ip4_blacklist.bpf.c
>> new file mode 100644
>> index 000000000000..d315d64fda7f
>> --- /dev/null
>> +++ b/samples/bpf/netfilter_ip4_blacklist.bpf.c
>> @@ -0,0 +1,62 @@
>> +// SPDX-License-Identifier: GPL-2.0
>> +
>> +#include "vmlinux.h"
>> +#include <bpf/bpf_helpers.h>
>> +
>> +
>> +#define NF_DROP 0
>> +#define NF_ACCEPT 1
>
>If you are interested, you could send a patch for nf-next that
>makes the uapi headers expose this as enum, AFAIU that would make
>the verdict nanes available via vmlinux.h.
>
I think I can work on this.
>> + /* search p->daddr in trie */
>> + key.prefixlen = 32;
>> + key.data = p->daddr;
>> + pvalue = bpf_map_lookup_elem(&ipv4_lpm_map, &key);
>> + if (pvalue) {
>> + /* cat /sys/kernel/debug/tracing/trace_pipe */
>> + bpf_printk("rule matched with %d...\n", *pvalue);
>
>If you are interested you could send a patch that adds a kfunc to
>nf_bpf_link that exposes nf_log_packet() to bpf.
>
>nf_log_packet has a terrible api, I suggest to have the kfunc take
>'struct nf_hook_state *' instead of 6+ members of that struct as
>argument.
>
Logging strategy is out of my league, but I will keep eye on this.
Glad to contribute.
David
* (no subject)
From: David Wang @ 2023-09-04 11:29 UTC (permalink / raw)
To: fw
Cc: 00107082, andrii, ast, bpf, daniel, haoluo, john.fastabend, jolsa,
kpsingh, linux-kernel, martin.lau, sdf, song, yonghong.song
At 2023-09-04 18:48:56, "Florian Westphal" <fw@strlen.de> wrote:
>David Wang <00107082@163.com> wrote:
>> This sample code implements a simple ipv4
>> blacklist via the new bpf type BPF_PROG_TYPE_NETFILTER,
>> which was introduced in 6.4.
>>
>> The bpf program drops package if destination ip address
>> hits a match in the map of type BPF_MAP_TYPE_LPM_TRIE,
>>
>> The userspace code would load the bpf program,
>> attach it to netfilter's FORWARD/OUTPUT hook,
>> and then write ip patterns into the bpf map.
>
>Thanks, I think its good to have this.
Thanks for the quick response! Glad to contribute!
>> +
>> +#define NF_DROP 0
>> +#define NF_ACCEPT 1
>
>If you are interested, you could send a patch for nf-next that
>makes the uapi headers expose this as enum, AFAIU that would make
>the verdict nanes available via vmlinux.h.
>
I think I can work on this.
>> + if (pvalue) {
>> + /* cat /sys/kernel/debug/tracing/trace_pipe */
>> + bpf_printk("rule matched with %d...\n", *pvalue);
>
>If you are interested you could send a patch that adds a kfunc to
>nf_bpf_link that exposes nf_log_packet() to bpf.
>
>nf_log_packet has a terrible api, I suggest to have the kfunc take
>'struct nf_hook_state *' instead of 6+ members of that struct as
>argument.
>
Package logging strategy is out of my league, for now, but I will keep eye on this.
David
* Re: [PATCH] samples/bpf: Add sample usage for BPF_PROG_TYPE_NETFILTER
From: Alexei Starovoitov @ 2023-09-04 21:01 UTC (permalink / raw)
To: Florian Westphal
Cc: David Wang, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend,
KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, LKML, bpf
On Mon, Sep 4, 2023 at 3:49 AM Florian Westphal <fw@strlen.de> wrote:
>
> David Wang <00107082@163.com> wrote:
> > This sample code implements a simple ipv4
> > blacklist via the new bpf type BPF_PROG_TYPE_NETFILTER,
> > which was introduced in 6.4.
> >
> > The bpf program drops package if destination ip address
> > hits a match in the map of type BPF_MAP_TYPE_LPM_TRIE,
> >
> > The userspace code would load the bpf program,
> > attach it to netfilter's FORWARD/OUTPUT hook,
> > and then write ip patterns into the bpf map.
>
> Thanks, I think its good to have this.
Yes, but only in selftests/bpf.
samples/bpf/ are not tested and bit rot heavily.
* Re: [PATCH] samples/bpf: Add sample usage for BPF_PROG_TYPE_NETFILTER
From: David Wang @ 2023-09-05 3:16 UTC (permalink / raw)
To: Alexei Starovoitov
Cc: Florian Westphal, Alexei Starovoitov, Daniel Borkmann,
Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song,
John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
LKML, bpf
At 2023-09-05 05:01:14, "Alexei Starovoitov" <alexei.starovoitov@gmail.com> wrote:
>On Mon, Sep 4, 2023 at 3:49 AM Florian Westphal <fw@strlen.de> wrote:
>>
>> David Wang <00107082@163.com> wrote:
>> > This sample code implements a simple ipv4
>> > blacklist via the new bpf type BPF_PROG_TYPE_NETFILTER,
>> > which was introduced in 6.4.
>> >
>> > The bpf program drops package if destination ip address
>> > hits a match in the map of type BPF_MAP_TYPE_LPM_TRIE,
>> >
>> > The userspace code would load the bpf program,
>> > attach it to netfilter's FORWARD/OUTPUT hook,
>> > and then write ip patterns into the bpf map.
>>
>> Thanks, I think its good to have this.
>
>Yes, but only in selftests/bpf.
>samples/bpf/ are not tested and bit rot heavily.
My purpose is to demonstrate the basic usage of BPF_PROG_TYPE_NETFILTER , showing what bpf program and userspace program should do to make it work.
The code is neither thorough enough to make a valid test suite, nor detailed enough to make out a tool (Could be a start for a tool)
samples/bpf is a good place to start for beginners to get along with bpf quickly, those sample/bpf codes do help me a lot,
but selftests/bpf is not that friendly, at least not friendly for beginners, I think.
There are already test codes for BPF_PROG_TYPE_NETFILTER in selftests/bpf, actually I did refer to those code when I made this sample.
Get a feeling samples/bpf would be deprecated sooner or later, hope that would not happen.
Anyway, this sample code is not meant to test.
* Re: [PATCH] samples/bpf: Add sample usage for BPF_PROG_TYPE_NETFILTER
From: Toke Høiland-Jørgensen @ 2023-09-05 8:41 UTC (permalink / raw)
To: David Wang, Alexei Starovoitov
Cc: Florian Westphal, Alexei Starovoitov, Daniel Borkmann,
Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song,
John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
LKML, bpf
"David Wang" <00107082@163.com> writes:
> At 2023-09-05 05:01:14, "Alexei Starovoitov" <alexei.starovoitov@gmail.com> wrote:
>>On Mon, Sep 4, 2023 at 3:49 AM Florian Westphal <fw@strlen.de> wrote:
>>>
>>> David Wang <00107082@163.com> wrote:
>>> > This sample code implements a simple ipv4
>>> > blacklist via the new bpf type BPF_PROG_TYPE_NETFILTER,
>>> > which was introduced in 6.4.
>>> >
>>> > The bpf program drops package if destination ip address
>>> > hits a match in the map of type BPF_MAP_TYPE_LPM_TRIE,
>>> >
>>> > The userspace code would load the bpf program,
>>> > attach it to netfilter's FORWARD/OUTPUT hook,
>>> > and then write ip patterns into the bpf map.
>>>
>>> Thanks, I think its good to have this.
>>
>>Yes, but only in selftests/bpf.
>>samples/bpf/ are not tested and bit rot heavily.
>
> My purpose is to demonstrate the basic usage of BPF_PROG_TYPE_NETFILTER , showing what bpf program and userspace program should do to make it work.
> The code is neither thorough enough to make a valid test suite, nor detailed enough to make out a tool (Could be a start for a tool)
>
> samples/bpf is a good place to start for beginners to get along with bpf quickly, those sample/bpf codes do help me a lot,
> but selftests/bpf is not that friendly, at least not friendly for beginners, I think.
> There are already test codes for BPF_PROG_TYPE_NETFILTER in selftests/bpf, actually I did refer to those code when I made this sample.
>
> Get a feeling samples/bpf would be deprecated sooner or later, hope that would not happen.
>
> Anyway, this sample code is not meant to test.
FYI, we maintain a Github repository with BPF example programs of
various types at https://github.com/xdp-project/bpf-examples
Happy to include this example there as an alternative to the in-tree
samples/bpf :)
-Toke
* Re: [PATCH] samples/bpf: Add sample usage for BPF_PROG_TYPE_NETFILTER
From: Donald Hunter @ 2023-09-05 9:05 UTC (permalink / raw)
To: David Wang
Cc: fw, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend,
KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, linux-kernel,
bpf
David Wang <00107082@163.com> writes:
> This sample code implements a simple ipv4
> blacklist via the new bpf type BPF_PROG_TYPE_NETFILTER,
> which was introduced in 6.4.
>
> The bpf program drops package if destination ip address
> hits a match in the map of type BPF_MAP_TYPE_LPM_TRIE,
>
> The userspace code would load the bpf program,
> attach it to netfilter's FORWARD/OUTPUT hook,
> and then write ip patterns into the bpf map.
>
> Signed-off-by: David Wang <00107082@163.com>
> ---
> samples/bpf/Makefile | 3 +
> samples/bpf/netfilter_ip4_blacklist.bpf.c | 62 +++++++++++++++
> samples/bpf/netfilter_ip4_blacklist.c | 96 +++++++++++++++++++++++
> 3 files changed, 161 insertions(+)
> create mode 100644 samples/bpf/netfilter_ip4_blacklist.bpf.c
> create mode 100644 samples/bpf/netfilter_ip4_blacklist.c
According to https://docs.kernel.org/process/coding-style.html#naming
you should avoid new use of blacklist. You should use something like
denylist or blocklist instead.
* Re: [PATCH] samples/bpf: Add sample usage for BPF_PROG_TYPE_NETFILTER
From: David Wang @ 2023-09-05 10:52 UTC (permalink / raw)
To: Toke Høiland-Jørgensen
Cc: Alexei Starovoitov, Florian Westphal, Alexei Starovoitov,
Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Song Liu,
Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev,
Hao Luo, Jiri Olsa, LKML, bpf
At 2023-09-05 16:41:23, "Toke Høiland-Jørgensen" <toke@kernel.org> wrote:
>"David Wang" <00107082@163.com> writes:
>
>> Get a feeling samples/bpf would be deprecated sooner or later, hope that would not happen.
>>
>> Anyway, this sample code is not meant to test.
>
>FYI, we maintain a Github repository with BPF example programs of
>various types at https://github.com/xdp-project/bpf-examples
>
>Happy to include this example there as an alternative to the in-tree
>samples/bpf :)
>
>-Toke
Cool project~! I will submit a PR there.
* Re: [PATCH] samples/bpf: Add sample usage for BPF_PROG_TYPE_NETFILTER
From: David Wang @ 2023-09-05 10:57 UTC (permalink / raw)
To: Donald Hunter
Cc: fw, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend,
KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, linux-kernel,
bpf
At 2023-09-05 17:05:26, "Donald Hunter" <donald.hunter@gmail.com> wrote:
>David Wang <00107082@163.com> writes:
>
>> This sample code implements a simple ipv4
>> blacklist via the new bpf type BPF_PROG_TYPE_NETFILTER,
>> which was introduced in 6.4.
>>
>> The bpf program drops package if destination ip address
>> hits a match in the map of type BPF_MAP_TYPE_LPM_TRIE,
>>
>> The userspace code would load the bpf program,
>> attach it to netfilter's FORWARD/OUTPUT hook,
>> and then write ip patterns into the bpf map.
>>
>> Signed-off-by: David Wang <00107082@163.com>
>> ---
>> samples/bpf/Makefile | 3 +
>> samples/bpf/netfilter_ip4_blacklist.bpf.c | 62 +++++++++++++++
>> samples/bpf/netfilter_ip4_blacklist.c | 96 +++++++++++++++++++++++
>> 3 files changed, 161 insertions(+)
>> create mode 100644 samples/bpf/netfilter_ip4_blacklist.bpf.c
>> create mode 100644 samples/bpf/netfilter_ip4_blacklist.c
>
>According to https://docs.kernel.org/process/coding-style.html#naming
>you should avoid new use of blacklist. You should use somethink like
>denylist or blocklist instead.
Thanks for the information~!
I will make the changes, and resend a patch if samples/bpf is still a good place to put the code.
* Re: [PATCH] samples/bpf: Add sample usage for BPF_PROG_TYPE_NETFILTER
From: David Wang @ 2023-09-05 11:09 UTC (permalink / raw)
To: Alexei Starovoitov
Cc: Florian Westphal, Alexei Starovoitov, Daniel Borkmann,
Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song,
John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
LKML, bpf
At 2023-09-05 05:01:14, "Alexei Starovoitov" <alexei.starovoitov@gmail.com> wrote:
>On Mon, Sep 4, 2023 at 3:49 AM Florian Westphal <fw@strlen.de> wrote:
>>
>> David Wang <00107082@163.com> wrote:
>> > This sample code implements a simple ipv4
>> > blacklist via the new bpf type BPF_PROG_TYPE_NETFILTER,
>> > which was introduced in 6.4.
>> >
>> > The bpf program drops package if destination ip address
>> > hits a match in the map of type BPF_MAP_TYPE_LPM_TRIE,
>> >
>> > The userspace code would load the bpf program,
>> > attach it to netfilter's FORWARD/OUTPUT hook,
>> > and then write ip patterns into the bpf map.
>>
>> Thanks, I think its good to have this.
>
>Yes, but only in selftests/bpf.
>samples/bpf/ are not tested and bit rot heavily.
Hi Alexei,
I need to know whether samples/bpf is still a good place to put code.
I will put the code in another open source project for bpf samples, mentioned by Toke.
But I still want to put it in samples/bpf , since the code only compile/work with new kernel.
Need your feedback on this, could this code be kept in samples/bpf? :)
Thanks
David.
* Re: [PATCH] samples/bpf: Add sample usage for BPF_PROG_TYPE_NETFILTER
From: Alexei Starovoitov @ 2023-09-05 15:49 UTC (permalink / raw)
To: David Wang
Cc: Florian Westphal, Alexei Starovoitov, Daniel Borkmann,
Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song,
John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
LKML, bpf
On Tue, Sep 5, 2023 at 4:11 AM David Wang <00107082@163.com> wrote:
>
>
>
>
>
>
>
>
>
>
>
>
> At 2023-09-05 05:01:14, "Alexei Starovoitov" <alexei.starovoitov@gmail.com> wrote:
> >On Mon, Sep 4, 2023 at 3:49 AM Florian Westphal <fw@strlen.de> wrote:
> >>
> >> David Wang <00107082@163.com> wrote:
> >> > This sample code implements a simple ipv4
> >> > blacklist via the new bpf type BPF_PROG_TYPE_NETFILTER,
> >> > which was introduced in 6.4.
> >> >
> >> > The bpf program drops package if destination ip address
> >> > hits a match in the map of type BPF_MAP_TYPE_LPM_TRIE,
> >> >
> >> > The userspace code would load the bpf program,
> >> > attach it to netfilter's FORWARD/OUTPUT hook,
> >> > and then write ip patterns into the bpf map.
> >>
> >> Thanks, I think its good to have this.
> >
> >Yes, but only in selftests/bpf.
> >samples/bpf/ are not tested and bit rot heavily.
>
> Hi Alexei,
>
> I need to know whether samples/bpf is still a good place to put code.
> I will put the code in another open source project for bpf samples, mentioned by Toke.
> But I still want to put it in samples/bpf , since the code only compile/work with new kernel.
>
> Need your feedback on this, could this code be kept in samples/bpf? :)
Sorry, but we don't accept new code to samples/bpf/.
Everything in there will be moved/removed.
If you want to stay in the kernel selftests/bpf is the only place and
it's gotta be the real test and not just a sample.
* Re:Re: [PATCH] samples/bpf: Add sample usage for BPF_PROG_TYPE_NETFILTER
From: David Wang @ 2023-09-05 16:06 UTC (permalink / raw)
To: Alexei Starovoitov
Cc: Florian Westphal, Alexei Starovoitov, Daniel Borkmann,
Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song,
John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
LKML, bpf
At 2023-09-05 23:49:41, "Alexei Starovoitov" <alexei.starovoitov@gmail.com> wrote:
>On Tue, Sep 5, 2023 at 4:11 AM David Wang <00107082@163.com> wrote:
>> >
>> >Yes, but only in selftests/bpf.
>> >samples/bpf/ are not tested and bit rot heavily.
>>
>> Hi Alexei,
>>
>> I need to know whether samples/bpf is still a good place to put code.
>> I will put the code in another open source project for bpf samples, mentioned by Toke.
>> But I still want to put it in samples/bpf , since the code only compile/work with new kernel.
>>
>> Need your feedback on this, could this code be kept in samples/bpf? :)
>
>Sorry, but we don't accept new code to samples/bpf/.
>Everything in there will be moved/removed.
>If you want to stay in the kernel selftests/bpf is the only place and
>it's gotta be the real test and not just a sample.
Sad to hear this....
Anyway, thank you and all others who took time reviewing this.
David