core

Namespaces

bpfilter supports the following namespaces:

  • Network: for interfaces index to attach XDP and TC programs to, and interface indexes to filter on.

  • Mount: for CGroup path to attach cgroup_skb programs to.

For each supported namespace, the bf_ns structure stores the namespace’s ID (the namespace file inode number), and a file descriptor to the namespace.

When a request is received, bpfilter will create a new bf_ns object to refer to the client’s namespaces. Before calling bf_flavor_ops.attach_prog, bpfilter will jump to the request’s namespace, attach the program, then jump back to the original namespace.

struct bf_ns_info
#include <core/ns.h>
struct bf_ns
#include <core/ns.h>

Contains information about namespaces relevant to bpfilter.

Defines

_clean_bf_ns_

Call bf_ns_clean on an auto stored bf_ns when it goes out of scope to avoid resources leakage.

bf_ns_default()

Initialize a new bf_ns to default values.

Ensure an auto stored bf_ns are initialized to sane defaults, so bf_ns_clean() can be called safely.

Returns:

An initialized bf_ns object.

bf_ns_move(ns)

Move a bf_ns object.

Move the bf_ns object from ns and return it. Once moved, ns will be reset to default values (see bf_ns_default()) on which bf_ns_clean() can safely be called. The caller is responsible for cleaning up the bf_ns object returned.

Parameters:
  • ns – Variable to move the bf_ns object out of.

Returns:

A bf_ns object.

Functions

int bf_ns_init(struct bf_ns *ns, pid_t pid)

Initialize an allocated bf_ns object.

The procfs entry of pid will be used to open a reference to its network and mount namespaces and store it in ns.

Parameters:
  • ns – Object to initialize. On failure, this parameter is unchanged. Can’t be NULL.

  • pid – PID of the process to open the namespaces of.

Returns:

0 on success, or a negative errno value on failure.

void bf_ns_clean(struct bf_ns *ns)

Clean a bf_ns object.

Parameters:
  • ns – Object to clean. Can’t be NULL.

int bf_ns_set(const struct bf_ns *ns, const struct bf_ns *oldns)

Move the current process to different namespaces.

This function will change the current namespace to the one defined in ns. It is critical for this function to succeed; otherwise the process will be in an unstable state: partially in a new namespace, partially in its original namespace.

Parameters:
  • ns – Namespaces to move to. Can’t be NULL.

  • oldns – Namespaces to move out of. This information is needed as setns() will fail if we try to move to a namespace we are already in. It is not possible for setns() to look up the current namespace itself, as we must assume a new /proc has been mounted too, hiding the information about the current process. Hence, the only reliable solution is to collect this information before calling setns().

Returns:

0 on success, or a negative errno value on failure.

Rule

Defines

_free_bf_rule_
bf_rule_list()

Convenience macro to initialize a list of bf_rule .

Returns:

An initialized bf_list that can contain bf_rule objects.

Functions

const char *bf_pkthdr_to_str(enum bf_pkthdr hdr)

Return the string representation of a bf_pkthdr enumeration value. *.

Parameters:
Returns:

A pointer to the C-string representation of hdr.

int bf_pkthdr_from_str(const char *str, enum bf_pkthdr *hdr)

Return the bf_pkthdr enumeration value corresponding to a string.

Parameters:
  • str – String to get the corresponding bf_pkthdr enumeration value for.

  • hdr – On success, contains the bf_pkthdr enumeration value corresponding to str.

Pre:

  • str is a non-NULL pointer to a C-string.

  • hdr != NULL

Post:

  • On failure, hdr is unchanged.

Returns:

0 on success, or a negative error value on failure.

int bf_rule_new(struct bf_rule **rule)

Allocated and initialise a new rule.

On failure, rule is left unchanged.

Parameters:
  • rule – On success, points to the allocated rule. Must be non NULL.

Returns:

0 on success, or negative errno value on error.

void bf_rule_free(struct bf_rule **rule)

Free a rule.

Free rule and set it to NULL. If rule is NULL, nothing is done.

Parameters:
  • rule – Rule to free. Must be non-NULL.

int bf_rule_marsh(const struct bf_rule *rule, struct bf_marsh **marsh)

Marsh a rule.

Parameters:
  • rule – Rule to marsh. Can’t be NULL.

  • marsh – Output marshalled rule. Allocated by the function, owned by the caller once the function returns. Can’t be NULL.

Returns:

0 on success, negative errno value on error.

int bf_rule_unmarsh(const struct bf_marsh *marsh, struct bf_rule **rule)

Unmarsh a rule.

Parameters:
  • marsh – Marshalled rule. Must be non NULL.

  • rule – Unmarshalled rule. Allocated by the function, owned by the caller on success.

Returns:

0 on success, negative errno value on error.

void bf_rule_dump(const struct bf_rule *rule, prefix_t *prefix)

Dump a rule.

Parameters:
  • rule – Rule to dump. Must not be NULL.

  • prefix – Prefix for each printed line.

int bf_rule_add_matcher(struct bf_rule *rule, enum bf_matcher_type type, enum bf_matcher_op op, const void *payload, size_t payload_len)

Create a new matcher and add it to the rule.

Parameters:
  • rule – Rule to add the matcher to. Can’t be NULL.

  • type – Matcher type.

  • op – Comparison operator.

  • payload – Payload of the matcher, its content and size depends on type . Can be NULL but only if payload_len is 0, in which case there is no payload.

  • payload_len – Length of the payload.

Returns:

0 on success, or negative errno value on failure.

struct bf_rule
#include <core/rule.h>

Represents a rule to match against packets.

Public Members

uint32_t index

Rule’s index. Identifies the rule’s within other rules from the same front.

bf_list matchers
uint8_t log
bool counters
enum bf_verdict verdict