Introduce bfcli: a generic command line interface to communicate with the daemon #86

Merged
merged 14 commits into from
Aug 20, 2024

qdeslandes
Contributor

bpfilter is configurable through nftables and iptables. However, both command line tools only support a limited subset of bpfilter's features. For example, it's not possible to choose the exact hook the BPF programs will be attached to with nftables. This led to a situation where none of the front-ends allow for TC program creation, meaning the TC generation logic has evolved over time but couldn't be properly tested.

To resolve this issue and have a solution to more thoroughly test bpfilter's features, a new command line interface has been added. Its purpose is to allow any combination of features to be tested with bpfilter.

The new command line interface (bfcli) uses Flex and Bison to parse a simple grammar (see tests/rules.bpfilter).

Introduce bf_hook_from_str() to convert the string representation of a
hook into the hook value.
Introduce bf_matcher_type_from_str() to convert the string
representation of a matcher type into a matcher type value.
Introduce bf_verdict_type_from_str() to convert the string
representation of a verdict into a verdict value.
Add boilerplate for bfcli generic command line interface to communicate
with the daemon. bfcli is expected to parse chains and rules, so a
(simple) grammar is defined with Bison. Flex and Bison have been added
to the build process.
bf_chain is aimed to represent a chain: a set of rules and a default
verdict, attached to a specific hook. It's not tied to a front-end, nor
is it to the BPF bytecode. This is the missing piece to decouple the
intent of the rules defined in src/core, and the actual bytecode
generation in src/generator.
Complete the Bison parser by allowing the parser's results to be used in
the main function.

The parser will generate a list of bf_chain objects and fill it with
chains, rules, and matchers from the rules file.
Move the definition of struct bf_chain from chain.c to chain.h, making
it publicly available.
cli front-end will translate the serialized rules received from bfcli
into bpfilter's internal format. This change contains the boilerplate to
define the new cli front-end.
Add support for creating a new chain or updating an existing chain in cli
front-end.
bfcli is in a strange state where it needs internal structures defined by
the daemon, but also requires access to the API provided by libbpfilter
in order to communicate with the daemon.

For now, it's fine to actually update the target to provide the required
include directories, whether they're coming from the daemon or
libbpfilter.

Eventually, this situation will have to be improved.
@qdeslandes qdeslandes merged commit 0c36c29 into facebook:main Aug 20, 2024
13 checks passed
@qdeslandes qdeslandes deleted the cli branch August 20, 2024 15:18