core¶
Namespaces¶
bpfilter
supports the following namespaces:
Network: for interfaces index to attach XDP and TC programs to, and interface indexes to filter on.
Mount: for CGroup path to attach
cgroup_skb
programs to.
For each supported namespace, the bf_ns
structure stores the namespace’s ID (the namespace file inode number), and a file descriptor to the namespace.
When a request is received, bpfilter
will create a new bf_ns
object to refer to the client’s namespaces. Before calling bf_flavor_ops.attach_prog
, bpfilter
will jump to the request’s namespace, attach the program, then jump back to the original namespace.
-
struct bf_ns_info¶
- #include <core/ns.h>
-
struct bf_ns¶
- #include <core/ns.h>
Contains information about namespaces relevant to bpfilter.
Defines
-
_clean_bf_ns_¶
Call
bf_ns_clean
on anauto
storedbf_ns
when it goes out of scope to avoid resources leakage.
-
bf_ns_default()¶
Initialize a new
bf_ns
to default values.Ensure an
auto
storedbf_ns
are initialized to sane defaults, sobf_ns_clean()
can be called safely.- Returns:
An initialized
bf_ns
object.
-
bf_ns_move(ns)¶
Move a
bf_ns
object.Move the
bf_ns
object fromns
and return it. Once moved,ns
will be reset to default values (seebf_ns_default()
) on whichbf_ns_clean()
can safely be called. The caller is responsible for cleaning up thebf_ns
object returned.
Functions
-
int bf_ns_init(struct bf_ns *ns, pid_t pid)¶
Initialize an allocated
bf_ns
object.The
procfs
entry ofpid
will be used to open a reference to its network and mount namespaces and store it inns
.- Parameters:
ns – Object to initialize. On failure, this parameter is unchanged. Can’t be NULL.
pid – PID of the process to open the namespaces of.
- Returns:
0 on success, or a negative errno value on failure.
-
void bf_ns_clean(struct bf_ns *ns)¶
Clean a
bf_ns
object.- Parameters:
ns – Object to clean. Can’t be NULL.
-
int bf_ns_set(const struct bf_ns *ns, const struct bf_ns *oldns)¶
Move the current process to different namespaces.
This function will change the current namespace to the one defined in
ns
. It is critical for this function to succeed; otherwise the process will be in an unstable state: partially in a new namespace, partially in its original namespace.- Parameters:
ns – Namespaces to move to. Can’t be NULL.
oldns – Namespaces to move out of. This information is needed as
setns()
will fail if we try to move to a namespace we are already in. It is not possible forsetns()
to look up the current namespace itself, as we must assume a new/proc
has been mounted too, hiding the information about the current process. Hence, the only reliable solution is to collect this information before callingsetns()
.
- Returns:
0 on success, or a negative errno value on failure.
Rule¶
Defines
-
_free_bf_rule_¶
Functions
-
const char *bf_pkthdr_to_str(enum bf_pkthdr hdr)¶
Return the string representation of a
bf_pkthdr
enumeration value. *.- Parameters:
hdr –
bf_pkthdr
enumeration value.
- Returns:
A pointer to the C-string representation of
hdr
.
-
int bf_pkthdr_from_str(const char *str, enum bf_pkthdr *hdr)¶
Return the
bf_pkthdr
enumeration value corresponding to a string.- Parameters:
- Pre:
str
is a non-NULL pointer to a C-string.hdr != NULL
- Post:
On failure,
hdr
is unchanged.
- Returns:
0 on success, or a negative error value on failure.
-
int bf_rule_new(struct bf_rule **rule)¶
Allocated and initialise a new rule.
On failure,
rule
is left unchanged.- Parameters:
rule – On success, points to the allocated rule. Must be non NULL.
- Returns:
0 on success, or negative errno value on error.
-
void bf_rule_free(struct bf_rule **rule)¶
Free a rule.
Free
rule
and set it to NULL. Ifrule
is NULL, nothing is done.- Parameters:
rule – Rule to free. Must be non-NULL.
-
int bf_rule_marsh(const struct bf_rule *rule, struct bf_marsh **marsh)¶
Marsh a rule.
- Parameters:
rule – Rule to marsh. Can’t be NULL.
marsh – Output marshalled rule. Allocated by the function, owned by the caller once the function returns. Can’t be NULL.
- Returns:
0 on success, negative errno value on error.
-
int bf_rule_unmarsh(const struct bf_marsh *marsh, struct bf_rule **rule)¶
Unmarsh a rule.
- Parameters:
marsh – Marshalled rule. Must be non NULL.
rule – Unmarshalled rule. Allocated by the function, owned by the caller on success.
- Returns:
0 on success, negative errno value on error.
-
void bf_rule_dump(const struct bf_rule *rule, prefix_t *prefix)¶
Dump a rule.
- Parameters:
rule – Rule to dump. Must not be NULL.
prefix – Prefix for each printed line.
-
int bf_rule_add_matcher(struct bf_rule *rule, enum bf_matcher_type type, enum bf_matcher_op op, const void *payload, size_t payload_len)¶
Create a new matcher and add it to the rule.
- Parameters:
rule – Rule to add the matcher to. Can’t be NULL.
type – Matcher type.
op – Comparison operator.
payload – Payload of the matcher, its content and size depends on
type
. Can be NULL but only ifpayload_len
is 0, in which case there is no payload.payload_len – Length of the payload.
- Returns:
0 on success, or negative errno value on failure.
-
struct bf_rule¶
- #include <core/rule.h>
Represents a rule to match against packets.