| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <b325e432-7652-96d3-055a-0107a88ea1fa@isovalent.com>
Date: Tue, 18 Apr 2023 15:20:26 +0100
From: Quentin Monnet <quentin@...valent.com>
To: Florian Westphal <fw@...len.de>, bpf@...r.kernel.org
Cc: netdev@...r.kernel.org, netfilter-devel@...r.kernel.org,
dxu@...uu.xyz, qde@...cy.de
Subject: Re: [PATCH bpf-next v3 5/6] tools: bpftool: print netfilter link info
2023-04-18 15:10 UTC+0200 ~ Florian Westphal <fw@...len.de>
> Dump protocol family, hook and priority value:
> $ bpftool link
> 2: netfilter prog 14
> ip input prio -128
> pids install(3264)
> 5: netfilter prog 14
> ip6 forward prio 21
> pids a.out(3387)
> 9: netfilter prog 14
> ip prerouting prio 123
> pids a.out(5700)
> 10: netfilter prog 14
> ip input prio 21
> pids test2(5701)
>
> v2: Quentin Monnet suggested to also add 'bpftool net' support:
>
> $ bpftool net
> xdp:
>
> tc:
>
> flow_dissector:
>
> netfilter:
>
> ip prerouting prio 21 prog_id 14
> ip input prio -128 prog_id 14
> ip input prio 21 prog_id 14
> ip forward prio 21 prog_id 14
> ip output prio 21 prog_id 14
> ip postrouting prio 21 prog_id 14
>
> 'bpftool net' only dumps netfilter link type. netfilter links are sorted by
> protocol family, hook and priority.
>
> Suggested-by: Quentin Monnet <quentin@...valent.com>
> Link: https://lore.kernel.org/bpf/eeeaac99-9053-90c2-aa33-cc1ecb1ae9ca@isovalent.com/
> Signed-off-by: Florian Westphal <fw@...len.de>
> ---
> tools/bpf/bpftool/link.c | 83 ++++++++++++++++++++++++++
> tools/bpf/bpftool/main.h | 3 +
> tools/bpf/bpftool/net.c | 105 +++++++++++++++++++++++++++++++++
> tools/include/uapi/linux/bpf.h | 15 +++++
> tools/lib/bpf/libbpf.c | 2 +
> 5 files changed, 208 insertions(+)
>
> diff --git a/tools/bpf/bpftool/net.c b/tools/bpf/bpftool/net.c
> index c40e44c938ae..61710cc63ef7 100644
> --- a/tools/bpf/bpftool/net.c
> +++ b/tools/bpf/bpftool/net.c
> @@ -647,6 +647,107 @@ static int do_detach(int argc, char **argv)
> +static void show_link_netfilter(void)
> +{
> + unsigned int nf_link_len = 0, nf_link_count = 0;
> + struct bpf_link_info *nf_link_info = NULL;
> + __u32 id = 0;
> +
> + while (true) {
> + struct bpf_link_info info;
> + int fd, err;
> + __u32 len;
> +
> + err = bpf_link_get_next_id(id, &id);
> + if (err) {
> + if (errno == ENOENT)
> + break;
> + p_err("can't get next link: %s (id %d)", strerror(errno), id);
> + break;
> + }
> +
> + fd = bpf_link_get_fd_by_id(id);
> + if (fd < 0) {
> + p_err("can't get link by id (%u): %s", id, strerror(errno));
> + continue;
> + }
> +
> + memset(&info, 0, sizeof(info));
> + len = sizeof(info);
> +
> + err = bpf_link_get_info_by_fd(fd, &info, &len);
> +
> + close(fd);
> +
> + if (err) {
> + p_err("can't get link info for fd %d: %s", fd, strerror(errno));
> + continue;
> + }
> +
> + if (info.type != BPF_LINK_TYPE_NETFILTER)
> + continue;
> +
> + if (nf_link_count >= nf_link_len) {
> + struct bpf_link_info *expand;
> +
> + if (nf_link_count > (INT_MAX / sizeof(info))) {
> + fprintf(stderr, "link count %d\n", nf_link_count);
The only nit I have is that we could use p_err() here, and have a more
descriptive message (letting user know that we've reached a limit).
Looks all good otherwise. Thanks!
Reviewed-by: Quentin Monnet <quentin@...valent.com>
Powered by blists - more mailing lists