link: add netfilter support

Signed-off-by: Mehrdad Arshad Rad <arshad.rad@gmail.com>

internal/cmd/gentypes/main.go

@@ -430,6 +430,17 @@ import (
 				rename("cnt", "count"),
 			},
 		},
+		{
+			"LinkCreateNetfilter", retFd, "link_create", "BPF_LINK_CREATE",
+			[]patch{
+				chooseNth(4, 5),
+				replace(enumTypes["AttachType"], "attach_type"),
+				modify(func(m *btf.Member) error {
+					return rename("flags", "netfilter_flags")(m.Type.(*btf.Struct))
+				}, "netfilter"),
+				flattenAnon,
+			},
+		},
 		{
 			"LinkCreateTracing", retFd, "link_create", "BPF_LINK_CREATE",
 			[]patch{
@@ -548,6 +559,7 @@ import (
 		{"TcxLinkInfo", "tcx", []patch{
 			replace(enumTypes["AttachType"], "attach_type"),
 		}},
+		{"NetfilterLinkInfo", "netfilter", nil},
 	}
 
 	sort.Slice(linkInfoExtraTypes, func(i, j int) bool {

link/link.go

@@ -100,6 +100,8 @@ func wrapRawLink(raw *RawLink) (_ Link, err error) {
 		return nil, fmt.Errorf("recovering perf event fd: %w", ErrNotSupported)
 	case TCXType:
 		return &tcxLink{*raw}, nil
+	case NetfilterType:
+		return &netfilterLink{*raw}, nil
 	default:
 		return raw, nil
 	}
@@ -135,6 +137,7 @@ type CgroupInfo sys.CgroupLinkInfo
 type NetNsInfo sys.NetNsLinkInfo
 type XDPInfo sys.XDPLinkInfo
 type TCXInfo sys.TcxLinkInfo
+type NetfilterInfo sys.NetfilterLinkInfo
 
 // Tracing returns tracing type-specific link info.
 //
@@ -176,6 +179,14 @@ func (r Info) TCX() *TCXInfo {
 	return e
 }
 
+// Netfilter returns netfilter type-specific link info.
+//
+// Returns nil if the type-specific link info isn't available.
+func (r Info) Netfilter() *NetfilterInfo {
+	e, _ := r.extra.(*NetfilterInfo)
+	return e
+}
+
 // RawLink is the low-level API to bpf_link.
 //
 // You should consider using the higher level interfaces in this
@@ -328,6 +339,8 @@ func (l *RawLink) Info() (*Info, error) {
 		// Extra metadata not supported.
 	case TCXType:
 		extra = &TCXInfo{}
+	case NetfilterType:
+		extra = &NetfilterInfo{}
 	default:
 		return nil, fmt.Errorf("unknown link info type: %d", info.Type)
 	}

link/link_test.go

@@ -209,6 +209,11 @@ func testLink(t *testing.T, link Link, prog *ebpf.Program) {
 			if tcx.Ifindex == 0 {
 				t.Fatalf("Failed to get link TCX extra info")
 			}
+		case sys.BPF_LINK_TYPE_NETFILTER:
+			nf := info.Netfilter()
+			if nf.Priority == 0 {
+				t.Fatalf("Failed to get link Netfilter extra info")
+			}
 		}
 	})
 

link/netfilter.go

@@ -0,0 +1,70 @@
+package link
+
+import (
+	"fmt"
+
+	"github.com/cilium/ebpf"
+	"github.com/cilium/ebpf/internal/sys"
+)
+
+const NFIPDefrag NetfilterAttachFlags = 0 // Enable IP packet defragmentation
+
+type NetfilterAttachFlags uint32
+
+type NetfilterOptions struct {
+	// Program must be a netfilter BPF program.
+	Program *ebpf.Program
+	// The protocol family.
+	ProtocolFamily uint32
+	// The number of the hook you are interested in.
+	HookNumber uint32
+	// Priority within hook
+	Priority int32
+	// Extra link flags
+	Flags uint32
+	// Netfilter flags
+	NetfilterFlags NetfilterAttachFlags
+}
+
+type netfilterLink struct {
+	RawLink
+}
+
+// AttachNetfilter links a netfilter BPF program to a netfilter hook.
+func AttachNetfilter(opts NetfilterOptions) (Link, error) {
+	if opts.Program == nil {
+		return nil, fmt.Errorf("netfilter program is nil")
+	}
+
+	if t := opts.Program.Type(); t != ebpf.Netfilter {
+		return nil, fmt.Errorf("invalid program type %s, expected netfilter", t)
+	}
+
+	progFd := opts.Program.FD()
+	if progFd < 0 {
+		return nil, fmt.Errorf("invalid program: %s", sys.ErrClosedFd)
+	}
+
+	attr := sys.LinkCreateNetfilterAttr{
+		ProgFd:         uint32(opts.Program.FD()),
+		AttachType:     sys.BPF_NETFILTER,
+		Flags:          opts.Flags,
+		Pf:             uint32(opts.ProtocolFamily),
+		Hooknum:        uint32(opts.HookNumber),
+		Priority:       opts.Priority,
+		NetfilterFlags: uint32(opts.NetfilterFlags),
+	}
+
+	fd, err := sys.LinkCreateNetfilter(&attr)
+	if err != nil {
+		return nil, fmt.Errorf("attach netfilter link: %w", err)
+	}
+
+	return &netfilterLink{RawLink{fd, ""}}, nil
+}
+
+func (*netfilterLink) Update(new *ebpf.Program) error {
+	return fmt.Errorf("netfilter update: %w", ErrNotSupported)
+}
+
+var _ Link = (*netfilterLink)(nil)

link/netfilter_test.go

@@ -0,0 +1,27 @@
+package link
+
+import (
+	"testing"
+
+	"github.com/cilium/ebpf"
+	"github.com/cilium/ebpf/internal/testutils"
+	"golang.org/x/sys/unix"
+)
+
+func TestAttachNetfilter(t *testing.T) {
+	testutils.SkipOnOldKernel(t, "6.4", "BPF_LINK_TYPE_NETFILTER")
+
+	prog := mustLoadProgram(t, ebpf.Netfilter, ebpf.AttachNetfilter, "")
+
+	l, err := AttachNetfilter(NetfilterOptions{
+		Program:        prog,
+		ProtocolFamily: unix.NFPROTO_IPV4,
+		HookNumber:     unix.NF_INET_LOCAL_OUT,
+		Priority:       -128,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	testLink(t, l, prog)
+}

link/syscalls.go

@@ -25,6 +25,7 @@ const (
 	PerfEventType     = sys.BPF_LINK_TYPE_PERF_EVENT
 	KprobeMultiType   = sys.BPF_LINK_TYPE_KPROBE_MULTI
 	TCXType           = sys.BPF_LINK_TYPE_TCX
+	NetfilterType     = sys.BPF_LINK_TYPE_NETFILTER
 )
 
 var haveProgAttach = internal.NewFeatureTest("BPF_PROG_ATTACH", "4.10", func() error {