forked from Minki/linux
d2ba09c17a
bpfilter.ko consists of bpfilter_kern.c (normal kernel module code) and user mode helper code that is embedded into bpfilter.ko The steps to build bpfilter.ko are the following: - main.c is compiled by HOSTCC into the bpfilter_umh elf executable file - with quite a bit of objcopy and Makefile magic the bpfilter_umh elf file is converted into bpfilter_umh.o object file with _binary_net_bpfilter_bpfilter_umh_start and _end symbols Example: $ nm ./bld_x64/net/bpfilter/bpfilter_umh.o 0000000000004cf8 T _binary_net_bpfilter_bpfilter_umh_end 0000000000004cf8 A _binary_net_bpfilter_bpfilter_umh_size 0000000000000000 T _binary_net_bpfilter_bpfilter_umh_start - bpfilter_umh.o and bpfilter_kern.o are linked together into bpfilter.ko bpfilter_kern.c is a normal kernel module code that calls the fork_usermode_blob() helper to execute part of its own data as a user mode process. Notice that _binary_net_bpfilter_bpfilter_umh_start - end is placed into .init.rodata section, so it's freed as soon as __init function of bpfilter.ko is finished. As part of __init the bpfilter.ko does first request/reply action via two unix pipe provided by fork_usermode_blob() helper to make sure that umh is healthy. If not it will kill it via pid. Later bpfilter_process_sockopt() will be called from bpfilter hooks in get/setsockopt() to pass iptable commands into umh via bpfilter.ko If admin does 'rmmod bpfilter' the __exit code bpfilter.ko will kill umh as well. Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net>
64 lines
1.1 KiB
C
64 lines
1.1 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
#define _GNU_SOURCE
|
|
#include <sys/uio.h>
|
|
#include <errno.h>
|
|
#include <stdio.h>
|
|
#include <sys/socket.h>
|
|
#include <fcntl.h>
|
|
#include <unistd.h>
|
|
#include "include/uapi/linux/bpf.h"
|
|
#include <asm/unistd.h>
|
|
#include "msgfmt.h"
|
|
|
|
int debug_fd;
|
|
|
|
static int handle_get_cmd(struct mbox_request *cmd)
|
|
{
|
|
switch (cmd->cmd) {
|
|
case 0:
|
|
return 0;
|
|
default:
|
|
break;
|
|
}
|
|
return -ENOPROTOOPT;
|
|
}
|
|
|
|
static int handle_set_cmd(struct mbox_request *cmd)
|
|
{
|
|
return -ENOPROTOOPT;
|
|
}
|
|
|
|
static void loop(void)
|
|
{
|
|
while (1) {
|
|
struct mbox_request req;
|
|
struct mbox_reply reply;
|
|
int n;
|
|
|
|
n = read(0, &req, sizeof(req));
|
|
if (n != sizeof(req)) {
|
|
dprintf(debug_fd, "invalid request %d\n", n);
|
|
return;
|
|
}
|
|
|
|
reply.status = req.is_set ?
|
|
handle_set_cmd(&req) :
|
|
handle_get_cmd(&req);
|
|
|
|
n = write(1, &reply, sizeof(reply));
|
|
if (n != sizeof(reply)) {
|
|
dprintf(debug_fd, "reply failed %d\n", n);
|
|
return;
|
|
}
|
|
}
|
|
}
|
|
|
|
int main(void)
|
|
{
|
|
debug_fd = open("/dev/console", 00000002 | 00000100);
|
|
dprintf(debug_fd, "Started bpfilter\n");
|
|
loop();
|
|
close(debug_fd);
|
|
return 0;
|
|
}
|