daemon: cgen: add cgroup_sock_addr flavor codegen

Implement bf_flavor_ops for BF_FLAVOR_CGROUP_SOCK_ADDR so chains
with a default policy can be loaded and attached to a cgroup.

Author: yaakov-stein

src/bpfilter/CMakeLists.txt

@@ -17,6 +17,7 @@ add_executable(bpfilter
     ${CMAKE_CURRENT_SOURCE_DIR}/opts.h                   ${CMAKE_CURRENT_SOURCE_DIR}/opts.c
     ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgen.h              ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgen.c
     ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgroup_skb.h        ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgroup_skb.c
+    ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgroup_sock_addr.h  ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgroup_sock_addr.c
     ${CMAKE_CURRENT_SOURCE_DIR}/cgen/dump.h              ${CMAKE_CURRENT_SOURCE_DIR}/cgen/dump.c
     ${CMAKE_CURRENT_SOURCE_DIR}/cgen/elfstub.h           ${CMAKE_CURRENT_SOURCE_DIR}/cgen/elfstub.c
     ${CMAKE_CURRENT_SOURCE_DIR}/cgen/fixup.h             ${CMAKE_CURRENT_SOURCE_DIR}/cgen/fixup.c

src/bpfilter/cgen/cgroup_sock_addr.c

@@ -0,0 +1,103 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/*
+ * Copyright (c) 2023 Meta Platforms, Inc. and affiliates.
+ */
+
+#include "cgen/cgroup_sock_addr.h"
+
+#include <linux/bpf_common.h>
+#include <linux/if_ether.h>
+
+#include <assert.h>
+#include <errno.h>
+#include <stddef.h>
+#include <sys/socket.h>
+
+#include <bpfilter/flavor.h>
+#include <bpfilter/verdict.h>
+
+#include "cgen/program.h"
+#include "cgen/swich.h"
+#include "filter.h"
+#include "linux/bpf.h"
+
+// Forward definition to avoid headers clusterfuck.
+uint16_t htons(uint16_t hostshort);
+
+static int _bf_cgroup_sock_addr_gen_inline_prologue(struct bf_program *program)
+{
+    int r;
+
+    assert(program);
+
+    // No packet data and no interface for sock_addr programs
+    EMIT(program, BPF_ST_MEM(BPF_DW, BPF_REG_10, BF_PROG_CTX_OFF(pkt_size), 0));
+    EMIT(program, BPF_ST_MEM(BPF_W, BPF_REG_10, BF_PROG_CTX_OFF(ifindex), 0));
+
+    /* Convert bpf_sock_addr.family to L3 protocol ID in R7, using the same
+     * bf_swich pattern as cgroup_skb. */
+    EMIT(program, BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                              offsetof(struct bpf_sock_addr, family)));
+
+    {
+        _clean_bf_swich_ struct bf_swich swich =
+            bf_swich_get(program, BPF_REG_2);
+
+        EMIT_SWICH_OPTION(&swich, AF_INET,
+                          BPF_MOV64_IMM(BPF_REG_7, htons(ETH_P_IP)));
+        EMIT_SWICH_OPTION(&swich, AF_INET6,
+                          BPF_MOV64_IMM(BPF_REG_7, htons(ETH_P_IPV6)));
+        EMIT_SWICH_DEFAULT(&swich, BPF_MOV64_IMM(BPF_REG_7, 0));
+
+        r = bf_swich_generate(&swich);
+        if (r)
+            return r;
+    }
+
+    EMIT(program, BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
+                              offsetof(struct bpf_sock_addr, protocol)));
+
+    return 0;
+}
+
+static int _bf_cgroup_sock_addr_gen_inline_epilogue(struct bf_program *program)
+{
+    (void)program;
+
+    return 0;
+}
+
+static int
+_bf_cgroup_sock_addr_gen_inline_matcher(struct bf_program *program,
+                                        const struct bf_matcher *matcher)
+{
+    (void)program;
+    (void)matcher;
+
+    return -ENOTSUP;
+}
+
+/**
+ * Convert a standard verdict into a return value.
+ *
+ * @param verdict Verdict to convert. Must be valid.
+ * @return Cgroup return code corresponding to the verdict, as an integer.
+ */
+static int _bf_cgroup_sock_addr_get_verdict(enum bf_verdict verdict)
+{
+    switch (verdict) {
+    case BF_VERDICT_ACCEPT:
+        return 1;
+    case BF_VERDICT_DROP:
+        return 0;
+    default:
+        return -ENOTSUP;
+    }
+}
+
+const struct bf_flavor_ops bf_flavor_ops_cgroup_sock_addr = {
+    .gen_inline_prologue = _bf_cgroup_sock_addr_gen_inline_prologue,
+    .gen_inline_epilogue = _bf_cgroup_sock_addr_gen_inline_epilogue,
+    .get_verdict = _bf_cgroup_sock_addr_get_verdict,
+    .gen_inline_matcher = _bf_cgroup_sock_addr_gen_inline_matcher,
+};

src/bpfilter/cgen/cgroup_sock_addr.h

@@ -0,0 +1,10 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/*
+ * Copyright (c) 2023 Meta Platforms, Inc. and affiliates.
+ */
+
+#pragma once
+
+#include <bpfilter/flavor.h>
+
+extern const struct bf_flavor_ops bf_flavor_ops_cgroup_sock_addr;

src/bpfilter/cgen/prog/link.c

@@ -73,6 +73,7 @@ int bf_link_new(struct bf_link **link, const char *name, enum bf_hook hook,
         fd = r;
         break;
     case BF_FLAVOR_CGROUP_SKB:
+    case BF_FLAVOR_CGROUP_SOCK_ADDR:
         cgroup_fd = open(_hookopts->cgpath, O_DIRECTORY | O_RDONLY);
         if (cgroup_fd < 0) {
             return bf_err_r(errno, "failed to open cgroup '%s'",
@@ -81,7 +82,7 @@ int bf_link_new(struct bf_link **link, const char *name, enum bf_hook hook,
 
         r = bf_bpf_link_create(prog_fd, cgroup_fd, hook, 0, 0, 0);
         if (r < 0)
-            return bf_err_r(r, "failed to create cgroup_skb BPF link");
+            return bf_err_r(r, "failed to create cgroup BPF link");
 
         fd = r;
         break;
@@ -291,6 +292,7 @@ int bf_link_update(struct bf_link *link, int prog_fd)
     case BF_FLAVOR_XDP:
     case BF_FLAVOR_TC:
     case BF_FLAVOR_CGROUP_SKB:
+    case BF_FLAVOR_CGROUP_SOCK_ADDR:
         r = bf_bpf_link_update(link->fd, prog_fd);
         break;
     case BF_FLAVOR_NF:

src/bpfilter/cgen/program.c

@@ -37,6 +37,7 @@
 #include <bpfilter/verdict.h>
 
 #include "cgen/cgroup_skb.h"
+#include "cgen/cgroup_sock_addr.h"
 #include "cgen/dump.h"
 #include "cgen/fixup.h"
 #include "cgen/handle.h"
@@ -83,7 +84,7 @@ static const struct bf_flavor_ops *bf_flavor_ops_get(enum bf_flavor flavor)
         [BF_FLAVOR_NF] = &bf_flavor_ops_nf,
         [BF_FLAVOR_XDP] = &bf_flavor_ops_xdp,
         [BF_FLAVOR_CGROUP_SKB] = &bf_flavor_ops_cgroup_skb,
-        [BF_FLAVOR_CGROUP_SOCK_ADDR] = NULL,
+        [BF_FLAVOR_CGROUP_SOCK_ADDR] = &bf_flavor_ops_cgroup_sock_addr,
     };
 
     static_assert_enum_mapping(flavor_ops, _BF_FLAVOR_MAX);