Date:   Tue, 18 Apr 2023 15:20:26 +0100
From:   Quentin Monnet <quentin@...valent.com>
To:     Florian Westphal <fw@...len.de>, bpf@...r.kernel.org
Cc:     netdev@...r.kernel.org, netfilter-devel@...r.kernel.org,
        dxu@...uu.xyz, qde@...cy.de
Subject: Re: [PATCH bpf-next v3 5/6] tools: bpftool: print netfilter link info

2023-04-18 15:10 UTC+0200 ~ Florian Westphal <fw@...len.de>
> Dump protocol family, hook and priority value:
> $ bpftool link
> 2: netfilter  prog 14
>         ip input prio -128
>         pids install(3264)
> 5: netfilter  prog 14
>         ip6 forward prio 21
>         pids a.out(3387)
> 9: netfilter  prog 14
>         ip prerouting prio 123
>         pids a.out(5700)
> 10: netfilter  prog 14
>         ip input prio 21
>         pids test2(5701)
> 
> v2: Quentin Monnet suggested to also add 'bpftool net' support:
> 
> $ bpftool net
> xdp:
> 
> tc:
> 
> flow_dissector:
> 
> netfilter:
> 
>         ip prerouting prio 21 prog_id 14
>         ip input prio -128 prog_id 14
>         ip input prio 21 prog_id 14
>         ip forward prio 21 prog_id 14
>         ip output prio 21 prog_id 14
>         ip postrouting prio 21 prog_id 14
> 
> 'bpftool net' only dumps the netfilter link type.  netfilter links are sorted by
> protocol family, hook and priority.
> 
> Suggested-by: Quentin Monnet <quentin@...valent.com>
> Link: https://lore.kernel.org/bpf/eeeaac99-9053-90c2-aa33-cc1ecb1ae9ca@isovalent.com/
> Signed-off-by: Florian Westphal <fw@...len.de>
> ---
>  tools/bpf/bpftool/link.c       |  83 ++++++++++++++++++++++++++
>  tools/bpf/bpftool/main.h       |   3 +
>  tools/bpf/bpftool/net.c        | 105 +++++++++++++++++++++++++++++++++
>  tools/include/uapi/linux/bpf.h |  15 +++++
>  tools/lib/bpf/libbpf.c         |   2 +
>  5 files changed, 208 insertions(+)
> 

> diff --git a/tools/bpf/bpftool/net.c b/tools/bpf/bpftool/net.c
> index c40e44c938ae..61710cc63ef7 100644
> --- a/tools/bpf/bpftool/net.c
> +++ b/tools/bpf/bpftool/net.c
> @@ -647,6 +647,107 @@ static int do_detach(int argc, char **argv)

> +static void show_link_netfilter(void)
> +{
> +	unsigned int nf_link_len = 0, nf_link_count = 0;
> +	struct bpf_link_info *nf_link_info = NULL;
> +	__u32 id = 0;
> +
> +	while (true) {
> +		struct bpf_link_info info;
> +		int fd, err;
> +		__u32 len;
> +
> +		err = bpf_link_get_next_id(id, &id);
> +		if (err) {
> +			if (errno == ENOENT)
> +				break;
> +			p_err("can't get next link: %s (id %d)", strerror(errno), id);
> +			break;
> +		}
> +
> +		fd = bpf_link_get_fd_by_id(id);
> +		if (fd < 0) {
> +			p_err("can't get link by id (%u): %s", id, strerror(errno));
> +			continue;
> +		}
> +
> +		memset(&info, 0, sizeof(info));
> +		len = sizeof(info);
> +
> +		err = bpf_link_get_info_by_fd(fd, &info, &len);
> +
> +		close(fd);
> +
> +		if (err) {
> +			p_err("can't get link info for fd %d: %s", fd, strerror(errno));
> +			continue;
> +		}
> +
> +		if (info.type != BPF_LINK_TYPE_NETFILTER)
> +			continue;
> +
> +		if (nf_link_count >= nf_link_len) {
> +			struct bpf_link_info *expand;
> +
> +			if (nf_link_count > (INT_MAX / sizeof(info))) {
> +				fprintf(stderr, "link count %d\n", nf_link_count);
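
Review bot: in the bpf_link_get_info_by_fd() error path, close(fd) runs before errno is read and before fd is printed, so strerror(errno) can report the result of close() rather than of the failed info call, and the fd number in the message names a descriptor that has already been closed and will be reused on the next iteration. Check err before closing (or save errno across the close) and report the link id instead, which is the value the user can act on, e.g. `if (err) p_err("can't get link info for link id %u: %s", id, strerror(errno)); close(fd);`. In the same hunk, the overflow guard's `fprintf(stderr, "link count %d\n", nf_link_count)` passes an unsigned int to %d and bypasses p_err(), which bpftool uses so that errors follow the selected output mode (including --json); something like `p_err("too many netfilter links (%u)", nf_link_count)` keeps that consistent and tells the user a limit was hit.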

The only nit I have is that we could use p_err() here, and have a more
descriptive message (letting the user know that we've reached a limit).

Looks all good otherwise. Thanks!

Reviewed-by: Quentin Monnet <quentin@...valent.com>
