linux/net/bpfilter/main.c
Alexei Starovoitov d2ba09c17a net: add skeleton of bpfilter kernel module
bpfilter.ko consists of bpfilter_kern.c (normal kernel module code)
and user mode helper code that is embedded into bpfilter.ko

The steps to build bpfilter.ko are the following:
- main.c is compiled by HOSTCC into the bpfilter_umh elf executable file
- with quite a bit of objcopy and Makefile magic the bpfilter_umh elf file
  is converted into bpfilter_umh.o object file
  with _binary_net_bpfilter_bpfilter_umh_start and _end symbols
  Example:
  $ nm ./bld_x64/net/bpfilter/bpfilter_umh.o
  0000000000004cf8 T _binary_net_bpfilter_bpfilter_umh_end
  0000000000004cf8 A _binary_net_bpfilter_bpfilter_umh_size
  0000000000000000 T _binary_net_bpfilter_bpfilter_umh_start
- bpfilter_umh.o and bpfilter_kern.o are linked together into bpfilter.ko

bpfilter_kern.c is a normal kernel module code that calls
the fork_usermode_blob() helper to execute part of its own data
as a user mode process.

Notice that _binary_net_bpfilter_bpfilter_umh_start - end
is placed into .init.rodata section, so it's freed as soon as __init
function of bpfilter.ko is finished.
As part of __init the bpfilter.ko does first request/reply action
via two unix pipe provided by fork_usermode_blob() helper to
make sure that umh is healthy. If not it will kill it via pid.

Later bpfilter_process_sockopt() will be called from bpfilter hooks
in get/setsockopt() to pass iptable commands into umh via bpfilter.ko

If admin does 'rmmod bpfilter' the __exit code bpfilter.ko will
kill umh as well.

Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-05-23 13:23:40 -04:00

64 lines
1.1 KiB
C

// SPDX-License-Identifier: GPL-2.0
#define _GNU_SOURCE
#include <sys/uio.h>
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <fcntl.h>
#include <unistd.h>
#include "include/uapi/linux/bpf.h"
#include <asm/unistd.h>
#include "msgfmt.h"
int debug_fd;
static int handle_get_cmd(struct mbox_request *cmd)
{
switch (cmd->cmd) {
case 0:
return 0;
default:
break;
}
return -ENOPROTOOPT;
}
static int handle_set_cmd(struct mbox_request *cmd)
{
return -ENOPROTOOPT;
}
static void loop(void)
{
while (1) {
struct mbox_request req;
struct mbox_reply reply;
int n;
n = read(0, &req, sizeof(req));
if (n != sizeof(req)) {
dprintf(debug_fd, "invalid request %d\n", n);
return;
}
reply.status = req.is_set ?
handle_set_cmd(&req) :
handle_get_cmd(&req);
n = write(1, &reply, sizeof(reply));
if (n != sizeof(reply)) {
dprintf(debug_fd, "reply failed %d\n", n);
return;
}
}
}
int main(void)
{
debug_fd = open("/dev/console", 00000002 | 00000100);
dprintf(debug_fd, "Started bpfilter\n");
loop();
close(debug_fd);
return 0;
}