[1/2] Add flavor-specific log codegen callback

doc/Doxyfile.in

@@ -57,7 +57,8 @@ GENERATE_PERLMOD        = NO
 #---------------------------------------------------------------------------
 INCLUDE_PATH            = "@CMAKE_SOURCE_DIR@/src" "@CMAKE_SOURCE_DIR@/tests"
 MACRO_EXPANSION         = YES
-PREDEFINED              = bf_aligned(x)=
+PREDEFINED              = bf_aligned(x)= \
+                          DOXYGEN
 
 #---------------------------------------------------------------------------
 # Configuration options related to diagram generator tools

src/bfcli/print.c

@@ -373,17 +373,17 @@ static void _bf_chain_log_header(const struct bf_log *log)
         bf_logger_get_color(BF_COLOR_LIGHT_CYAN, BF_STYLE_NORMAL), time_str,
         time.tv_nsec / BF_TIME_US,
         bf_logger_get_color(BF_COLOR_RESET, BF_STYLE_RESET), log->rule_id,
-        bf_logger_get_color(BF_COLOR_DEFAULT, BF_STYLE_BOLD), log->pkt_size,
+        bf_logger_get_color(BF_COLOR_DEFAULT, BF_STYLE_BOLD), log->pkt.pkt_size,
         bf_logger_get_color(BF_COLOR_RESET, BF_STYLE_RESET),
         bf_verdict_to_str((enum bf_verdict)log->verdict));
 }
 
 static void _bf_chain_log_l2(const struct bf_log *log)
 {
-    struct ethhdr *ethhdr = (void *)log->l2hdr;
+    struct ethhdr *ethhdr = (void *)log->pkt.l2hdr;
     const char *ethertype;
 
-    if (!(log->headers & (1 << BF_PKTHDR_LINK))) {
+    if (!(log->pkt.headers & (1 << BF_PKTHDR_LINK))) {
         (void)fprintf(stdout, "  Ethernet  : <unknown header>\n");
         return;
     }
@@ -418,14 +418,14 @@ static void _bf_chain_log_l3(const struct bf_log *log)
     char dst_addr[INET6_ADDRSTRLEN];
     const char *protocol;
 
-    if (!(log->headers & (1 << BF_PKTHDR_INTERNET))) {
+    if (!(log->pkt.headers & (1 << BF_PKTHDR_INTERNET))) {
         (void)fprintf(stdout, "  Internet  : <unknown header>\n");
         return;
     }
 
     switch (log->l3_proto) {
     case ETH_P_IP:
-        iphdr = (struct iphdr *)&log->l3hdr[0];
+        iphdr = (struct iphdr *)&log->pkt.l3hdr[0];
 
         inet_ntop(AF_INET, &iphdr->saddr, src_addr, sizeof(src_addr));
         inet_ntop(AF_INET, &iphdr->daddr, dst_addr, sizeof(dst_addr));
@@ -451,7 +451,7 @@ static void _bf_chain_log_l3(const struct bf_log *log)
         break;
 
     case ETH_P_IPV6:
-        ipv6hdr = (struct ipv6hdr *)log->l3hdr;
+        ipv6hdr = (struct ipv6hdr *)log->pkt.l3hdr;
 
         inet_ntop(AF_INET6, &ipv6hdr->saddr, src_addr, sizeof(src_addr));
         inet_ntop(AF_INET6, &ipv6hdr->daddr, dst_addr, sizeof(dst_addr));
@@ -490,14 +490,14 @@ static void _bf_chain_log_l4(const struct bf_log *log)
     struct udphdr *udphdr;
     const char *tcp_flags_str;
 
-    if (!(log->headers & (1 << BF_PKTHDR_TRANSPORT))) {
+    if (!(log->pkt.headers & (1 << BF_PKTHDR_TRANSPORT))) {
         (void)fprintf(stdout, "  Transport : <unknown header>\n");
         return;
     }
 
     switch (log->l4_proto) {
     case IPPROTO_TCP:
-        tcphdr = (struct tcphdr *)log->l4hdr;
+        tcphdr = (struct tcphdr *)log->pkt.l4hdr;
         tcp_flags_str = _bf_tcp_flags_to_str(tcphdr);
 
         (void)fprintf(stdout, "  TCP       : %s%-5u%s → %s%-5u%s",
@@ -522,7 +522,7 @@ static void _bf_chain_log_l4(const struct bf_log *log)
         break;
 
     case IPPROTO_UDP:
-        udphdr = (struct udphdr *)log->l4hdr;
+        udphdr = (struct udphdr *)log->pkt.l4hdr;
 
         (void)fprintf(stdout, "  UDP       : %s%-5u%s → %s%-5u%s [len=%u]\n",
                       bf_logger_get_color(BF_COLOR_LIGHT_YELLOW, BF_STYLE_BOLD),
@@ -535,7 +535,7 @@ static void _bf_chain_log_l4(const struct bf_log *log)
         break;
 
     case IPPROTO_ICMP:
-        icmphdr = (struct icmphdr *)log->l4hdr;
+        icmphdr = (struct icmphdr *)log->pkt.l4hdr;
 
         (void)fprintf(stdout, "  ICMP      : type=%-3u code=%-3u",
                       icmphdr->type, icmphdr->code);
@@ -550,7 +550,7 @@ static void _bf_chain_log_l4(const struct bf_log *log)
         break;
 
     case IPPROTO_ICMPV6:
-        icmp6hdr = (struct icmp6hdr *)log->l4hdr;
+        icmp6hdr = (struct icmp6hdr *)log->pkt.l4hdr;
 
         (void)fprintf(stdout, "  ICMPv6    : type=%-3u code=%-3u",
                       icmp6hdr->icmp6_type, icmp6hdr->icmp6_code);
@@ -573,12 +573,15 @@ static void _bf_chain_log_l4(const struct bf_log *log)
 
 void bfc_print_log(const struct bf_log *log)
 {
+    if (log->log_type != BF_LOG_TYPE_PACKET)
+        return;
+
     _bf_chain_log_header(log);
 
-    if (log->req_headers & (1 << BF_PKTHDR_LINK))
+    if (log->pkt.req_headers & (1 << BF_PKTHDR_LINK))
         _bf_chain_log_l2(log);
-    if (log->req_headers & (1 << BF_PKTHDR_INTERNET))
+    if (log->pkt.req_headers & (1 << BF_PKTHDR_INTERNET))
         _bf_chain_log_l3(log);
-    if (log->req_headers & (1 << BF_PKTHDR_TRANSPORT))
+    if (log->pkt.req_headers & (1 << BF_PKTHDR_TRANSPORT))
         _bf_chain_log_l4(log);
 }

src/libbpfilter/CMakeLists.txt

@@ -64,9 +64,9 @@ set(libbpfilter_srcs
     ${CMAKE_CURRENT_SOURCE_DIR}/cgen/jmp.h               ${CMAKE_CURRENT_SOURCE_DIR}/cgen/jmp.c
     ${CMAKE_CURRENT_SOURCE_DIR}/cgen/matcher/cmp.h       ${CMAKE_CURRENT_SOURCE_DIR}/cgen/matcher/cmp.c
     ${CMAKE_CURRENT_SOURCE_DIR}/cgen/matcher/meta.h      ${CMAKE_CURRENT_SOURCE_DIR}/cgen/matcher/meta.c
-    ${CMAKE_CURRENT_SOURCE_DIR}/cgen/matcher/packet.h    ${CMAKE_CURRENT_SOURCE_DIR}/cgen/matcher/packet.c
     ${CMAKE_CURRENT_SOURCE_DIR}/cgen/matcher/set.h       ${CMAKE_CURRENT_SOURCE_DIR}/cgen/matcher/set.c
     ${CMAKE_CURRENT_SOURCE_DIR}/cgen/nf.h                ${CMAKE_CURRENT_SOURCE_DIR}/cgen/nf.c
+    ${CMAKE_CURRENT_SOURCE_DIR}/cgen/packet.h            ${CMAKE_CURRENT_SOURCE_DIR}/cgen/packet.c
     ${CMAKE_CURRENT_SOURCE_DIR}/cgen/printer.h           ${CMAKE_CURRENT_SOURCE_DIR}/cgen/printer.c
     ${CMAKE_CURRENT_SOURCE_DIR}/cgen/program.h           ${CMAKE_CURRENT_SOURCE_DIR}/cgen/program.c
     ${CMAKE_CURRENT_SOURCE_DIR}/cgen/prog/link.h         ${CMAKE_CURRENT_SOURCE_DIR}/cgen/prog/link.c
@@ -109,7 +109,7 @@ bf_target_add_elfstubs(libbpfilter
         "parse_ipv6_eh"
         "parse_ipv6_nh"
         "update_counters"
-        "log"
+        "pkt_log"
         "flow_hash"
 )
 

src/libbpfilter/bpf/log.bpf.c → src/libbpfilter/bpf/pkt_log.bpf.c

@@ -1,6 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0-only */
 /*
- * Copyright (c) 2023 Meta Platforms, Inc. and affiliates.
+ * Copyright (c) Meta Platforms, Inc. and affiliates.
  */
 
 #include <linux/bpf.h>
@@ -11,8 +11,8 @@
 
 #include "cgen/runtime.h"
 
-__u8 bf_log(struct bf_runtime *ctx, __u32 rule_id, __u8 headers, __u32 verdict,
-            __u32 l3_l4_proto)
+__u8 bf_pkt_log(struct bf_runtime *ctx, __u32 rule_id, __u8 headers,
+                __u32 verdict, __u32 l3_l4_proto)
 {
     struct bf_log *log;
     __u16 l3_proto = (__u16)(l3_l4_proto >> 16);
@@ -28,28 +28,29 @@ __u8 bf_log(struct bf_runtime *ctx, __u32 rule_id, __u8 headers, __u32 verdict,
     log->ts = bpf_ktime_get_ns();
     log->rule_id = rule_id;
     log->verdict = verdict;
-    log->pkt_size = ctx->pkt_size;
-    log->req_headers = headers;
-    log->headers = 0;
     log->l3_proto = bpf_ntohs(l3_proto);
     log->l4_proto = l4_proto;
+    log->log_type = BF_LOG_TYPE_PACKET;
+    log->pkt.pkt_size = ctx->pkt_size;
+    log->pkt.req_headers = headers;
+    log->pkt.headers = 0;
 
     if (headers & (1 << BF_PKTHDR_LINK) && ctx->l2_hdr &&
         ctx->l2_size <= BF_L2_SLICE_LEN) {
-        bpf_probe_read_kernel(log->l2hdr, ctx->l2_size, ctx->l2_hdr);
-        log->headers |= (1 << BF_PKTHDR_LINK);
+        bpf_probe_read_kernel(log->pkt.l2hdr, ctx->l2_size, ctx->l2_hdr);
+        log->pkt.headers |= (1 << BF_PKTHDR_LINK);
     }
 
     if (headers & (1 << BF_PKTHDR_INTERNET) && ctx->l3_hdr &&
         ctx->l3_size <= BF_L3_SLICE_LEN) {
-        bpf_probe_read_kernel(log->l3hdr, ctx->l3_size, ctx->l3_hdr);
-        log->headers |= (1 << BF_PKTHDR_INTERNET);
+        bpf_probe_read_kernel(log->pkt.l3hdr, ctx->l3_size, ctx->l3_hdr);
+        log->pkt.headers |= (1 << BF_PKTHDR_INTERNET);
     }
 
     if (headers & (1 << BF_PKTHDR_TRANSPORT) && ctx->l4_hdr &&
         ctx->l4_size <= BF_L4_SLICE_LEN) {
-        bpf_probe_read_kernel(log->l4hdr, ctx->l4_size, ctx->l4_hdr);
-        log->headers |= (1 << BF_PKTHDR_TRANSPORT);
+        bpf_probe_read_kernel(log->pkt.l4hdr, ctx->l4_size, ctx->l4_hdr);
+        log->pkt.headers |= (1 << BF_PKTHDR_TRANSPORT);
     }
 
     bpf_ringbuf_submit(log, 0);

src/libbpfilter/cgen/cgroup_skb.c

@@ -20,7 +20,7 @@
 
 #include "cgen/cgen.h"
 #include "cgen/matcher/cmp.h"
-#include "cgen/matcher/packet.h"
+#include "cgen/packet.h"
 #include "cgen/program.h"
 #include "cgen/stub.h"
 #include "cgen/swich.h"
@@ -133,7 +133,7 @@ static int _bf_cgroup_skb_gen_inline_matcher(struct bf_program *program,
         return bf_cmp_value(program, bf_matcher_get_op(matcher),
                             bf_matcher_payload(matcher), 4, BPF_REG_1);
     default:
-        return bf_matcher_generate_packet(program, matcher);
+        return bf_packet_gen_inline_matcher(program, matcher);
     }
 }
 
@@ -161,4 +161,5 @@ const struct bf_flavor_ops bf_flavor_ops_cgroup_skb = {
     .gen_inline_set_mark = _bf_cgroup_skb_gen_inline_set_mark,
     .get_verdict = _bf_cgroup_skb_get_verdict,
     .gen_inline_matcher = _bf_cgroup_skb_gen_inline_matcher,
+    .gen_inline_log = bf_packet_gen_inline_log,
 };

src/libbpfilter/cgen/cgroup_sock_addr.c

@@ -273,9 +273,20 @@ static int _bf_cgroup_sock_addr_get_verdict(enum bf_verdict verdict)
     }
 }
 
+static int _bf_cgroup_sock_addr_gen_inline_log(struct bf_program *program,
+                                               const struct bf_rule *rule)
+{
+    (void)program;
+    (void)rule;
+
+    return bf_err_r(-ENOTSUP,
+                    "logging is not yet supported for cgroup_sock_addr");
+}
+
 const struct bf_flavor_ops bf_flavor_ops_cgroup_sock_addr = {
     .gen_inline_prologue = _bf_cgroup_sock_addr_gen_inline_prologue,
     .gen_inline_epilogue = _bf_cgroup_sock_addr_gen_inline_epilogue,
     .get_verdict = _bf_cgroup_sock_addr_get_verdict,
     .gen_inline_matcher = _bf_cgroup_sock_addr_gen_inline_matcher,
+    .gen_inline_log = _bf_cgroup_sock_addr_gen_inline_log,
 };

src/libbpfilter/cgen/nf.c

@@ -24,7 +24,7 @@
 
 #include "cgen/jmp.h"
 #include "cgen/matcher/cmp.h"
-#include "cgen/matcher/packet.h"
+#include "cgen/packet.h"
 #include "cgen/program.h"
 #include "cgen/stub.h"
 #include "cgen/swich.h"
@@ -149,7 +149,7 @@ static int _bf_nf_gen_inline_matcher(struct bf_program *program,
         return bf_cmp_value(program, bf_matcher_get_op(matcher),
                             bf_matcher_payload(matcher), 4, BPF_REG_1);
     default:
-        return bf_matcher_generate_packet(program, matcher);
+        return bf_packet_gen_inline_matcher(program, matcher);
     }
 }
 
@@ -176,4 +176,5 @@ const struct bf_flavor_ops bf_flavor_ops_nf = {
     .gen_inline_epilogue = _bf_nf_gen_inline_epilogue,
     .get_verdict = _bf_nf_get_verdict,
     .gen_inline_matcher = _bf_nf_gen_inline_matcher,
+    .gen_inline_log = bf_packet_gen_inline_log,
 };

src/libbpfilter/cgen/matcher/packet.c → src/libbpfilter/cgen/packet.c

@@ -3,7 +3,7 @@
  * Copyright (c) Meta Platforms, Inc. and affiliates.
  */
 
-#include "cgen/matcher/packet.h"
+#include "cgen/packet.h"
 
 #include <linux/bpf.h>
 #include <linux/bpf_common.h>
@@ -14,14 +14,17 @@
 #include <errno.h>
 #include <stdint.h>
 
+#include <bpfilter/elfstub.h>
 #include <bpfilter/helper.h>
 #include <bpfilter/logger.h>
 #include <bpfilter/matcher.h>
+#include <bpfilter/rule.h>
 
 #include "cgen/matcher/cmp.h"
 #include "cgen/matcher/meta.h"
 #include "cgen/matcher/set.h"
 #include "cgen/program.h"
+#include "cgen/runtime.h"
 #include "cgen/stub.h"
 #include "filter.h"
 
@@ -296,8 +299,8 @@ static int _bf_matcher_pkt_generate_ip6_dscp(struct bf_program *program,
     return 0;
 }
 
-int bf_matcher_generate_packet(struct bf_program *program,
-                               const struct bf_matcher *matcher)
+int bf_packet_gen_inline_matcher(struct bf_program *program,
+                                 const struct bf_matcher *matcher)
 {
     const struct bf_matcher_meta *meta;
 
@@ -355,3 +358,25 @@ int bf_matcher_generate_packet(struct bf_program *program,
                         bf_matcher_get_type(matcher));
     }
 }
+
+int bf_packet_gen_inline_log(struct bf_program *program,
+                             const struct bf_rule *rule)
+{
+    assert(program);
+    assert(rule);
+
+    EMIT(program, BPF_MOV64_REG(BPF_REG_1, BPF_REG_10));
+    EMIT(program, BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, BF_PROG_CTX_OFF(arg)));
+    EMIT(program, BPF_MOV64_IMM(BPF_REG_2, rule->index));
+    EMIT(program, BPF_MOV64_IMM(BPF_REG_3, rule->log));
+    EMIT(program, BPF_MOV64_IMM(BPF_REG_4, rule->verdict));
+
+    // Pack l3_proto and l4_proto
+    EMIT(program, BPF_MOV64_REG(BPF_REG_5, BPF_REG_7));
+    EMIT(program, BPF_ALU64_IMM(BPF_LSH, BPF_REG_5, 16));
+    EMIT(program, BPF_ALU64_REG(BPF_OR, BPF_REG_5, BPF_REG_8));
+
+    EMIT_FIXUP_ELFSTUB(program, BF_ELFSTUB_PKT_LOG);
+
+    return 0;
+}

src/libbpfilter/cgen/matcher/packet.h → src/libbpfilter/cgen/packet.h

@@ -7,6 +7,7 @@
 
 struct bf_matcher;
 struct bf_program;
+struct bf_rule;
 
 /**
  * @brief Generate bytecode for a packet-based matcher.
@@ -23,5 +24,18 @@ struct bf_program;
  * @param matcher Matcher to generate code for. Can't be NULL.
  * @return 0 on success, negative errno on error.
  */
-int bf_matcher_generate_packet(struct bf_program *program,
-                               const struct bf_matcher *matcher);
+int bf_packet_gen_inline_matcher(struct bf_program *program,
+                                 const struct bf_matcher *matcher);
+
+/**
+ * @brief Generate bytecode for packet-based rule logging.
+ *
+ * Sets up registers and calls the packet log ELF stub. Shared by all
+ * packet-based flavors (TC, NF, XDP, cgroup_skb).
+ *
+ * @param program Program being generated. Can't be NULL.
+ * @param rule Rule whose log action to generate. Can't be NULL.
+ * @return 0 on success, negative errno on error.
+ */
+int bf_packet_gen_inline_log(struct bf_program *program,
+                             const struct bf_rule *rule);

src/libbpfilter/cgen/program.c

@@ -298,6 +298,7 @@ static int _bf_program_generate_rule(struct bf_program *program,
     assert(program);
     assert(rule);
     assert(program->runtime.ops->gen_inline_matcher);
+    assert(program->runtime.ops->gen_inline_log);
 
     if (rule->disabled)
         return 0;
@@ -352,18 +353,9 @@ static int _bf_program_generate_rule(struct bf_program *program,
     }
 
     if (rule->log) {
-        EMIT(program, BPF_MOV64_REG(BPF_REG_1, BPF_REG_10));
-        EMIT(program, BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, BF_PROG_CTX_OFF(arg)));
-        EMIT(program, BPF_MOV64_IMM(BPF_REG_2, rule->index));
-        EMIT(program, BPF_MOV64_IMM(BPF_REG_3, rule->log));
-        EMIT(program, BPF_MOV64_IMM(BPF_REG_4, rule->verdict));
-
-        // Pack l3_proto and l4_proto
-        EMIT(program, BPF_MOV64_REG(BPF_REG_5, BPF_REG_7));
-        EMIT(program, BPF_ALU64_IMM(BPF_LSH, BPF_REG_5, 16));
-        EMIT(program, BPF_ALU64_REG(BPF_OR, BPF_REG_5, BPF_REG_8));
-
-        EMIT_FIXUP_ELFSTUB(program, BF_ELFSTUB_LOG);
+        r = program->runtime.ops->gen_inline_log(program, rule);
+        if (r)
+            return r;
     }
 
     if (rule->counters) {