Contributing

If you want to start contributing to bpfilter, the best way to get to know the codebase is to start with one of the @todo items available in the code. Most of those tasks are small, self-contained pieces of work, trivial enough that they do not deserve their own GitHub issue.

Once you know your way around the structure of the project, feel free to continue with the @todo, or jump on a bigger issue in the GitHub issues tracker.

You are welcome to reach out to qde@naccy.de if you need help or have any questions!

To do

  • Remove the RPM x86_64 macro workaround from the Fedora bpfilter.spec.

  • Gate the documentation generation in Fedora’s bpfilter.spec with a bcond.

  • Add support for CMake 4.0 and ninja.

  • Handle extra characters in the lexer (currently, any non-matched token will be printed to stdout).

  • Add support for missing matcher operators (e.g. meta.l4_proto not).

  • Add a Fedora 43 build in the CI.

From the code


Global _bf_ipt_set_counters_handler  (const struct xt_counters_info *counters, size_t len)

Actually update the counters.

Global _bf_matcher_generate_meta_iface  (struct bf_program *program, const struct bf_matcher *matcher)

Add support for input and output interface filtering based on the program’s hook.

Global _bf_save  (const char *path)

Front packing should be name-based to avoid relying on the enumeration order.

Global bf_chain_add_rule  (struct bf_chain *chain, struct bf_rule *rule)

Rules without any matcher should be rejected.

Struct bf_front_ops

Front should not implement a callback if it’s not needed. E.g. BF_FRONT_CLI defines empty pack and unpack callbacks.

Struct bf_hookopts

Create a dedicated function to set the various options; otherwise, one could set an option but not update used_opts.

Global bf_hookopts_new_from_pack  (struct bf_hookopts **hookopts, bf_rpack_node_t node)

Validate the hook options once restored.

Struct bf_matcher

bf_matcher’s payload should be a union of all the possible payload types.

Struct bf_matcher_ip4_addr

Change bf_matcher_type bitmasks to 64 bits.

Global bf_ns_init  (struct bf_ns *ns, pid_t pid)

What if /proc is not readable?

Global bf_options::transient

Validate the daemon’s behaviour when switching to and from --transient.

Global bf_program_generate  (struct bf_program *program)

Allow chains to have no counters at all.

Global bf_request::data  []

Return a user-readable error message if the request fails.

Global bf_swich_generate  (struct bf_swich *swich)

If no default case is defined, the switch should jump after the last case.

Global closep  (int *fd)

Ensure file descriptors are always initialized to -1, and closed using closep.

File list.h

bf_list_add_XXX functions should probably steal the pointer of the data they receive, to be more consistent with other functions, and avoid TAKE_PTR() after bf_list_add_tail().

File matcher.h

The matcher type/op/payload size combination should be validated.

Use a union value instead of an opaque value for matcher payload. All supported payloads have a fixed, well-known size. We should leverage the type system to avoid writing/reading raw bytes.

File pack.h

bf_wpack_kv_TYPE functions should only write into objects.

bf_wpack_TYPE functions should only write into arrays.

Create dedicated functions to pack and unpack a size_t and ssize_t.

Functions that write to the pack object should be more verbose: even if they don’t return an error code, they should log a warning when a packing operation fails.