[2/3] Add `CGROUP_SOCK_ADDR` initial chain support by yaakov-stein · Pull Request #459 · facebook/bpfilter

yaakov-stein · 2026-03-06T01:22:49Z

Stacked PRs:

Adds initial cgroup_sock_addr support as described in #355.

Summary

Add BF_FLAVOR_CGROUP_SOCK_ADDR with CONNECT4/CONNECT6 hooks
Implement flavor codegen: prologue maps bpf_sock_addr.family to R7 and loads bpf_sock_addr.protocol into R8
All matchers return -ENOTSUP - matcher support is in [3/3] Add CGROUP_SOCK_ADDR matcher support #465
Reuse the cgroup link attach/update path from cgroup_skb

Notes:

BF_MATCHER_SET now goes through unsupported_hooks like all other matchers (support will be added later)
Logging is rejected at validation time since there is no packet data to log (will be added later on)
pkt_size is zeroed in the prologue so the counters stub runs cleanly (size is a no-op for CGROUP_SOCK_ADDR

Test plan

Manual testing - load and test chains with default ACCEPT/DROP verdict

src/bpfilter/cgen/cgroup_sock_addr.c

src/libbpfilter/include/bpfilter/flavor.h

src/bpfilter/cgen/cgroup_sock_addr.c

src/bpfilter/cgen/matcher/meta.h

github-actions · 2026-03-06T01:38:32Z

Claude: review of facebook/bpfilter #459 (d894cd1)

Suggestions

gen_inline_matcher should use assert(program) and assert(matcher) — src/bpfilter/cgen/cgroup_sock_addr.c:75 — Asserts added. The (void)program cast remains intentionally per author — needed to suppress -Wunused-parameter in release builds where assert() is a no-op.
~~Missing runtime context initialization in cgroup_sock_addr prologue~~ — Fixed: pkt_size is now zeroed with a clear comment; l3_offset and ifindex are not used by this flavor.
~~Intermediate NULL flavor_ops breaks bisectability~~ (dismissed) — Author noted commits are structured for reviewability and the issue is resolved by the next commit.
~~bf_flavor_ops struct layout changed in public header~~ (dismissed) — Author noted this is beyond scope of this PR.
~~Commit 2 subject omits lib component~~ — Fixed after rebase: commit 2 now only touches daemon files.
Commit 1 subject omits cli and tests components — Commit 1 modifies src/bfcli/lexer.l (cli) and tests/unit/libbpfilter/hook.c (tests). Subject says lib,daemon: but should include those components.
Logging rejection doesn't gate on !rule->disabled — Follows pre-existing pattern for mark checks, so this is a judgment call.
~~Commit 1 missing commit body~~ — Fixed after rebase: commit 1 now has a descriptive body.
~~cgroup_sock_addr hooks not in set_mark rejection list~~ — Fixed: mark validation now uses a flavor whitelist (allows only TC and CGROUP_SKB), so cgroup_sock_addr chains are properly rejected at validation time.

Nits

~~Inaccurate flavor doc: "Headers available: from L3"~~ — Fixed in latest push.
~~Inconsistent include style for linux/bpf.h~~ — Fixed in latest push.
~~@brief mixes description with precondition~~ — Fixed in latest push.
Copyright header missing year in new files — src/bpfilter/cgen/cgroup_sock_addr.c:3 — Existing files use Copyright (c) 2023 Meta Platforms, Inc. but the 2 new files omit the year.
Use backticks instead of @c in Doxygen — src/bpfilter/cgen/matcher/meta.h:18 — Style guide says use backticks for references. (File not in current PR diff.)
~~Inconsistent @brief in _bf_cgroup_sock_addr_get_verdict Doxygen~~ — src/bpfilter/cgen/cgroup_sock_addr.c:94 — The three existing get_verdict docs omit @brief; this one adds it. Low priority.
Pre-existing struct struct __sk_buff * typo in modified comment — src/bpfilter/cgen/runtime.h:76 — Doubled struct in BF_FLAVOR_TC line. Since the PR modifies this block, consider fixing it.
Inconsistent error messages for mark/flow_hash rejection — gen_inline_matcher says "not yet supported for cgroup_sock_addr" while chain validation says "is not supported by" for similar conceptual errors. Using a consistent message pattern would simplify log triage.
Missing comment on R8 register assignment in prologue — src/bpfilter/cgen/cgroup_sock_addr.c:67 — The R7 assignment has a clear comment (Convert bpf_sock_addr.family to L3 protocol ID in R7), but the R8 assignment (bpf_sock_addr.protocol) has none. Since this prologue bypasses the standard stubs and assigns R8 directly, a short comment (e.g., // Store L4 protocol ID in R8) would match the style of the R7 comment above.

src/bpfilter/cgen/program.c

src/libbpfilter/include/bpfilter/flavor.h

src/bpfilter/cgen/cgroup_sock_addr.c

src/bpfilter/cgen/matcher/meta.h

src/libbpfilter/chain.c

src/bpfilter/cgen/runtime.h

src/bpfilter/cgen/cgroup_sock_addr.c

qdeslandes

Please update the documentation for these new hooks, and a test file in tests/e2e/rulesets (no need for rules, only a chain).

src/libbpfilter/chain.c

Add BF_FLAVOR_CGROUP_SOCK_ADDR and BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4/CONNECT6 to support BPF_PROG_TYPE_CGROUP_SOCK_ADDR programs. This is the foundational enum/mapping work for sock_addr filtering. All mapping tables (hook strings, flavor, prog_type, attach_type), BPF type constants, link creation, and hookopts are updated. All existing matchers are blocked on the new hooks via unsupported_hooks. Flavor ops are registered as NULL and codegen is added in a follow-up.

Implement bf_flavor_ops for BF_FLAVOR_CGROUP_SOCK_ADDR so chains with a default policy can be loaded and attached to a cgroup.

src/bpfilter/cgen/cgroup_sock_addr.c

yaakov-stein · 2026-03-12T19:17:50Z

Testing and documentation is left for #465, where it can be done together with the matchers. (Can switch to add some here though if we think that'd be better.)

qdeslandes

Little, LGTM otherwise.

qdeslandes · 2026-03-13T09:02:34Z

src/libbpfilter/chain.c

-        return bf_err_r(-EINVAL,
-                        "XDP and Netfilter chains can't set packet mark");
+        bf_hook_to_flavor(chain->hook) != BF_FLAVOR_TC &&
+        bf_hook_to_flavor(chain->hook) != BF_FLAVOR_CGROUP_SKB) {


You're missing CGROUP_SOCK_ADDR.

This reverses the logic (now that fewer flavors allow for setting the mark than those that don't). So we're checking if it's not an allowed flavor

meta-cla bot added the cla signed label Mar 6, 2026