Message-ID: <2886aafa-871f-4bc2-9d7b-3dc69f3a5424@kernel.org>
Date: Sat, 10 Jan 2026 02:48:36 +0000
From: Quentin Monnet <qmo@...nel.org>
To: gyutae.opensource@...ercorp.com, bpf@...r.kernel.org,
 Daniel Borkmann <daniel@...earbox.net>
Cc: linux-kernel@...r.kernel.org, Alexei Starovoitov <ast@...nel.org>,
 Andrii Nakryiko <andrii@...nel.org>, Martin KaFai Lau
 <martin.lau@...ux.dev>, Eduard Zingerman <eddyz87@...il.com>,
 Song Liu <song@...nel.org>, Yonghong Song <yonghong.song@...ux.dev>,
 John Fastabend <john.fastabend@...il.com>, KP Singh <kpsingh@...nel.org>,
 Stanislav Fomichev <sdf@...ichev.me>, Hao Luo <haoluo@...gle.com>,
 Jiri Olsa <jolsa@...nel.org>, Gyutae Bae <gyutae.bae@...ercorp.com>,
 Siwan Kim <siwan.kim@...ercorp.com>, Daniel Xu <dxu@...uu.xyz>,
 Jiayuan Chen <jiayuan.chen@...ux.dev>, Tao Chen <chen.dylane@...ux.dev>,
 Kumar Kartikeya Dwivedi <memxor@...il.com>
Subject: Re: [PATCH v3] bpftool: Add 'prepend' option for tcx attach to insert
 at chain start

On 07/01/2026 02:29, gyutae.opensource@...ercorp.com wrote:
> From: Gyutae Bae <gyutae.bae@...ercorp.com>
> 
> Add support for the 'prepend' option when attaching tcx_ingress and
> tcx_egress programs. This option allows inserting a BPF program at
> the beginning of the TCX chain instead of appending it at the end.
> 
> The implementation uses BPF_F_BEFORE flag which automatically inserts
> the program at the beginning of the chain when no relative reference
> is specified.
> 
> This change includes:
> - Modify do_attach_tcx() to support prepend insertion using BPF_F_BEFORE
> - Update documentation to describe the new 'prepend' option
> - Add bash completion support for the 'prepend' option on tcx attach types
> - Add example usage in the documentation
> 
> The 'prepend' option is only valid for tcx_ingress and tcx_egress attach
> types. For XDP attach types, the existing 'overwrite' option remains
> available.
> 
> Example usage:
>   # bpftool net attach tcx_ingress name tc_prog dev lo prepend
> 
> This feature is useful when the order of program execution in the TCX
> chain matters and users need to ensure certain programs run first.
> 
> Co-developed-by: Siwan Kim <siwan.kim@...ercorp.com>
> Signed-off-by: Siwan Kim <siwan.kim@...ercorp.com>
> Signed-off-by: Gyutae Bae <gyutae.bae@...ercorp.com>
> ---
> Hi Daniel.
> 
> Thank you for the detailed feedback. Thanks to your explanation,
> I now understand that BPF_F_BEFORE and BPF_F_AFTER work as standalone flags.
> This has made the implementation much simpler and cleaner.
> 
> Thanks,
> Gyutae.
> 
> Changes in v3:
> - Simplified implementation by using BPF_F_BEFORE alone (Daniel)
> - Removed get_first_tcx_prog_id() helper function (Daniel)
> 
> Changes in v2:
> - Renamed 'head' to 'prepend' for consistency with 'overwrite' (Quentin)
> - Moved relative_id variable to relevant scope inside if block (Quentin)
> - Changed condition style from '== 0' to '!' (Quentin)
> - Updated documentation to clarify 'overwrite' is XDP-only (Quentin)
> - Removed outdated "only XDP-related modes are supported" note (Quentin)
> - Removed extra help text from do_help() for consistency (Quentin)
> 
>  .../bpf/bpftool/Documentation/bpftool-net.rst | 30 ++++++++++++++-----
>  tools/bpf/bpftool/bash-completion/bpftool     |  9 +++++-
>  tools/bpf/bpftool/net.c                       | 23 +++++++++++---
>  3 files changed, 50 insertions(+), 12 deletions(-)
> 

[...]

> diff --git a/tools/bpf/bpftool/net.c b/tools/bpf/bpftool/net.c
> index cfc6f944f7c3..1a2ba3312a82 100644
> --- a/tools/bpf/bpftool/net.c
> +++ b/tools/bpf/bpftool/net.c
> @@ -666,10 +666,16 @@ static int get_tcx_type(enum net_attach_type attach_type)
>  	}
>  }
> 
> -static int do_attach_tcx(int progfd, enum net_attach_type attach_type, int ifindex)
> +static int do_attach_tcx(int progfd, enum net_attach_type attach_type, int ifindex, bool prepend)
>  {
>  	int type = get_tcx_type(attach_type);
> 
> +	if (prepend) {
> +		LIBBPF_OPTS(bpf_prog_attach_opts, opts,
> +			.flags = BPF_F_BEFORE
> +		);
> +		return bpf_prog_attach_opts(progfd, ifindex, type, &opts);
> +	}
>  	return bpf_prog_attach(progfd, ifindex, type, 0);
>  }
> 
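Review bot: in do_attach_tcx() the new prepend branch adds a second attach call with its own early return, so the function now has two paths that differ only in the flags value passed. Consider declaring the opts once with `.flags = prepend ? BPF_F_BEFORE : 0` and making a single bpf_prog_attach_opts(progfd, ifindex, type, &opts) call. The signature line has also grown long with the added `bool prepend` parameter and could be wrapped.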
> @@ -685,6 +691,7 @@ static int do_attach(int argc, char **argv)
>  	enum net_attach_type attach_type;
>  	int progfd, ifindex, err = 0;
>  	bool overwrite = false;
> +	bool prepend = false;
> 
>  	/* parse attach args */
>  	if (!REQ_ARGS(5))
> @@ -710,8 +717,16 @@ static int do_attach(int argc, char **argv)
>  	if (argc) {
>  		if (is_prefix(*argv, "overwrite")) {
>  			overwrite = true;


Just one minor thing, can we error out here if the attach type is tcx
please? Like you do for "prepend" below, when it's not tcx. So that we
don't let users believe they're overwriting their program.


> +		} else if (is_prefix(*argv, "prepend")) {
> +			if (attach_type != NET_ATTACH_TYPE_TCX_INGRESS &&
> +			    attach_type != NET_ATTACH_TYPE_TCX_EGRESS) {
> +				p_err("'prepend' is only supported for tcx_ingress/tcx_egress");
> +				err = -EINVAL;
> +				goto cleanup;
> +			}
> +			prepend = true;
>  		} else {
> -			p_err("expected 'overwrite', got: '%s'?", *argv);
> +			p_err("expected 'overwrite' or 'prepend', got: '%s'?", *argv);
>  			err = -EINVAL;
>  			goto cleanup;
>  		}
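Review bot: the 'overwrite' branch at the top of this if/else chain in do_attach() still sets `overwrite = true` for any attach type, while the new 'prepend' branch rejects attach types it does not apply to, so a tcx attach given 'overwrite' is accepted without the keyword being checked. Mirroring the attach_type check there, with its own p_err() and `err = -EINVAL; goto cleanup;`, would make the two keywords symmetric. With both checks in place, the fallback message "expected 'overwrite' or 'prepend'" could name only the keyword that is valid for the given attach_type.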


Looks good otherwise, thank you! Pending that change:

Reviewed-by: Quentin Monnet <qmo@...nel.org>
