daemon: cgen: add cgroup_sock_addr flavor codegen

yaakov-stein · yaakov-stein · commit 2019d9146f40 · 2026-03-06T07:39:56.000-08:00
Implement bf_flavor_ops for BF_FLAVOR_CGROUP_SOCK_ADDR so chains
with a default policy can be loaded and attached to a cgroup.
diff --git a/src/bpfilter/CMakeLists.txt b/src/bpfilter/CMakeLists.txt
@@ -14,6 +14,7 @@ add_executable(bpfilter
     ${CMAKE_CURRENT_SOURCE_DIR}/opts.h                   ${CMAKE_CURRENT_SOURCE_DIR}/opts.c
     ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgen.h              ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgen.c
     ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgroup_skb.h        ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgroup_skb.c
+    ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgroup_sock_addr.h  ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgroup_sock_addr.c
     ${CMAKE_CURRENT_SOURCE_DIR}/cgen/dump.h              ${CMAKE_CURRENT_SOURCE_DIR}/cgen/dump.c
     ${CMAKE_CURRENT_SOURCE_DIR}/cgen/elfstub.h           ${CMAKE_CURRENT_SOURCE_DIR}/cgen/elfstub.c
     ${CMAKE_CURRENT_SOURCE_DIR}/cgen/fixup.h             ${CMAKE_CURRENT_SOURCE_DIR}/cgen/fixup.c
diff --git a/src/bpfilter/cgen/cgroup_sock_addr.c b/src/bpfilter/cgen/cgroup_sock_addr.c
@@ -0,0 +1,102 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/*
+ * Copyright (c) 2023 Meta Platforms, Inc. and affiliates.
+ */
+
+#include "cgen/cgroup_sock_addr.h"
+
+#include <linux/bpf_common.h>
+#include <linux/if_ether.h>
+
+#include <assert.h>
+#include <errno.h>
+#include <stddef.h>
+#include <sys/socket.h>
+
+#include <bpfilter/flavor.h>
+#include <bpfilter/verdict.h>
+
+#include "cgen/program.h"
+#include "cgen/swich.h"
+#include "filter.h"
+#include "linux/bpf.h"
+
+// Forward definition to avoid headers clusterfuck.
+uint16_t htons(uint16_t hostshort);
+
+static int _bf_cgroup_sock_addr_gen_inline_prologue(struct bf_program *program)
+{
+    int r;
+
+    assert(program);
+
+    // The counters stub reads pkt_size unconditionally; zero it out.
+    EMIT(program, BPF_ST_MEM(BPF_DW, BPF_REG_10, BF_PROG_CTX_OFF(pkt_size), 0));
+
+    /* Convert bpf_sock_addr.family to L3 protocol ID in R7, using the same
+     * bf_swich pattern as cgroup_skb. */
+    EMIT(program, BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                              offsetof(struct bpf_sock_addr, family)));
+
+    {
+        _clean_bf_swich_ struct bf_swich swich =
+            bf_swich_get(program, BPF_REG_2);
+
+        EMIT_SWICH_OPTION(&swich, AF_INET,
+                          BPF_MOV64_IMM(BPF_REG_7, htons(ETH_P_IP)));
+        EMIT_SWICH_OPTION(&swich, AF_INET6,
+                          BPF_MOV64_IMM(BPF_REG_7, htons(ETH_P_IPV6)));
+        EMIT_SWICH_DEFAULT(&swich, BPF_MOV64_IMM(BPF_REG_7, 0));
+
+        r = bf_swich_generate(&swich);
+        if (r)
+            return r;
+    }
+
+    EMIT(program, BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
+                              offsetof(struct bpf_sock_addr, protocol)));
+
+    return 0;
+}
+
+static int _bf_cgroup_sock_addr_gen_inline_epilogue(struct bf_program *program)
+{
+    (void)program;
+
+    return 0;
+}
+
+static int
+_bf_cgroup_sock_addr_gen_inline_matcher(struct bf_program *program,
+                                        const struct bf_matcher *matcher)
+{
+    (void)program;
+    (void)matcher;
+
+    return -ENOTSUP;
+}
+
+/**
+ * Convert a standard verdict into a return value.
+ *
+ * @param verdict Verdict to convert. Must be valid.
+ * @return Cgroup return code corresponding to the verdict, as an integer.
+ */
+static int _bf_cgroup_sock_addr_get_verdict(enum bf_verdict verdict)
+{
+    switch (verdict) {
+    case BF_VERDICT_ACCEPT:
+        return 1;
+    case BF_VERDICT_DROP:
+        return 0;
+    default:
+        return -ENOTSUP;
+    }
+}
+
+const struct bf_flavor_ops bf_flavor_ops_cgroup_sock_addr = {
+    .gen_inline_prologue = _bf_cgroup_sock_addr_gen_inline_prologue,
+    .gen_inline_epilogue = _bf_cgroup_sock_addr_gen_inline_epilogue,
+    .get_verdict = _bf_cgroup_sock_addr_get_verdict,
+    .gen_inline_matcher = _bf_cgroup_sock_addr_gen_inline_matcher,
+};
diff --git a/src/bpfilter/cgen/cgroup_sock_addr.h b/src/bpfilter/cgen/cgroup_sock_addr.h
@@ -0,0 +1,10 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/*
+ * Copyright (c) 2023 Meta Platforms, Inc. and affiliates.
+ */
+
+#pragma once
+
+#include <bpfilter/flavor.h>
+
+extern const struct bf_flavor_ops bf_flavor_ops_cgroup_sock_addr;
diff --git a/src/bpfilter/cgen/prog/link.c b/src/bpfilter/cgen/prog/link.c
@@ -73,6 +73,7 @@ int bf_link_new(struct bf_link **link, const char *name, enum bf_hook hook,
         fd = r;
         break;
     case BF_FLAVOR_CGROUP_SKB:
+    case BF_FLAVOR_CGROUP_SOCK_ADDR:
         cgroup_fd = open(_hookopts->cgpath, O_DIRECTORY | O_RDONLY);
         if (cgroup_fd < 0) {
             return bf_err_r(errno, "failed to open cgroup '%s'",
@@ -81,7 +82,7 @@ int bf_link_new(struct bf_link **link, const char *name, enum bf_hook hook,
 
         r = bf_bpf_link_create(prog_fd, cgroup_fd, hook, 0, 0, 0);
         if (r < 0)
-            return bf_err_r(r, "failed to create cgroup_skb BPF link");
+            return bf_err_r(r, "failed to create cgroup BPF link");
 
         fd = r;
         break;
@@ -291,6 +292,7 @@ int bf_link_update(struct bf_link *link, int prog_fd)
     case BF_FLAVOR_XDP:
     case BF_FLAVOR_TC:
     case BF_FLAVOR_CGROUP_SKB:
+    case BF_FLAVOR_CGROUP_SOCK_ADDR:
         r = bf_bpf_link_update(link->fd, prog_fd);
         break;
     case BF_FLAVOR_NF:
diff --git a/src/bpfilter/cgen/program.c b/src/bpfilter/cgen/program.c
@@ -37,6 +37,7 @@
 #include <bpfilter/verdict.h>
 
 #include "cgen/cgroup_skb.h"
+#include "cgen/cgroup_sock_addr.h"
 #include "cgen/dump.h"
 #include "cgen/fixup.h"
 #include "cgen/handle.h"
@@ -83,7 +84,7 @@ static const struct bf_flavor_ops *bf_flavor_ops_get(enum bf_flavor flavor)
         [BF_FLAVOR_NF] = &bf_flavor_ops_nf,
         [BF_FLAVOR_XDP] = &bf_flavor_ops_xdp,
         [BF_FLAVOR_CGROUP_SKB] = &bf_flavor_ops_cgroup_skb,
-        [BF_FLAVOR_CGROUP_SOCK_ADDR] = NULL,
+        [BF_FLAVOR_CGROUP_SOCK_ADDR] = &bf_flavor_ops_cgroup_sock_addr,
     };
 
     static_assert_enum_mapping(flavor_ops, _BF_FLAVOR_MAX);
diff --git a/src/bpfilter/cgen/runtime.h b/src/bpfilter/cgen/runtime.h
@@ -75,7 +75,8 @@ struct bf_runtime
      * - `BF_FLAVOR_XDP`: `struct xdp_md *`
      * - `BF_FLAVOR_TC`: `struct struct __sk_buff *`
      * - `BF_FLAVOR_CGROUP_SKB`: `struct __sk_buff *`
-     * - `BF_FLAVOR_NF`: `struct bpf_nf_ctx *` */
+     * - `BF_FLAVOR_NF`: `struct bpf_nf_ctx *`
+     * - `BF_FLAVOR_CGROUP_SOCK_ADDR`: `struct bpf_sock_addr *` */
     void *arg;
 
     /** BPF dynamic pointer to access the packet data. Dynamic pointers are
@@ -85,7 +86,7 @@ struct bf_runtime
     /** Ring buffer map containing the logged packets. */
     void *log_map;
 
-    /** Total size of the packet. */
+    /** Total size of the packet, or 0 for non-packet flavors. */
     __u64 pkt_size;
 
     /** IPv6 extension header mask */
diff --git a/src/libbpfilter/include/bpfilter/flavor.h b/src/libbpfilter/include/bpfilter/flavor.h
@@ -67,7 +67,7 @@ enum bf_flavor
      * cgroup_sock_addr BPF programs, attached to a cgroup to intercept
      * socket operations (connect, bind, sendmsg, recvmsg):
      * - Input: `struct bpf_sock_addr`
-     * - Headers available: from L3
+     * - No packet data; L3/L4 protocol from socket metadata
      * - Return code: 0 to drop, 1 to accept
      */
     BF_FLAVOR_CGROUP_SOCK_ADDR,
