opts: add option to disable iptables front

Add --no-iptables command line options to prevent iptables front from running: ipt requests will be returned an error, and no cache will be restored. This change involved refactoring how fronts are serialised: every front (even the ones disabled) have they marsh function called with an allocated bf_marsh child. Disabled fronts won't have anything to add to the marsh and will just return. This simplify serialised front management as every front will be represented by a marsh object, so they can be restored sequentially. Signed-off-by: Quentin Deslandes <[email protected]>
facebook · Nov 14, 2023 · 4d4e866 · 4d4e866
1 parent 5c23dc6
commit 4d4e866
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 13 deletions.
diff --git a/src/main.c b/src/main.c
@@ -198,6 +198,10 @@ static int _bf_save(const char *path)
     for (int i = 0; i < _BF_FRONT_MAX; ++i) {
         _cleanup_free_ struct bf_marsh *child = NULL;
 
+        r = bf_marsh_new(&child, NULL, 0);
+        if (r < 0)
+            return r;
+
         r = bf_front_ops_get(i)->marsh(&child);
         if (r < 0)
             return r;
@@ -264,6 +268,9 @@ static int _bf_init(int argc, char *argv[])
     }
 
     for (enum bf_front front = 0; front < _BF_FRONT_MAX; ++front) {
+        if (!bf_opts_is_front_enabled(front))
+            continue;
+
         r = bf_front_ops_get(front)->setup();
         if (r < 0) {
             return bf_err_code(r, "failed to setup front-end %s",
@@ -294,6 +301,9 @@ static int _bf_clean(void)
     int r;
 
     for (enum bf_front front = 0; front < _BF_FRONT_MAX; ++front) {
+        if (!bf_opts_is_front_enabled(front))
+            continue;
+
         r = bf_front_ops_get(front)->teardown();
         if (r < 0) {
             bf_warn_code(r, "failed to teardown front-end %s, continuing",
@@ -333,6 +343,9 @@ static int _process_request(struct bf_request *request,
     bf_assert(request);
     bf_assert(response);
 
+    if (!bf_opts_is_front_enabled(request->front))
+        return bf_response_new_failure(response, -ENOTSUP);
+
     ops = bf_front_ops_get(request->front);
     r = ops->request_handler(request, response);
     if (r) {

diff --git a/src/opts.c b/src/opts.c
@@ -6,7 +6,9 @@
 #include "opts.h"
 
 #include <argp.h>
+#include <stdint.h>
 
+#include "core/logger.h"
 #include "shared/helper.h"
 
 /**
@@ -23,11 +25,15 @@ static struct bf_options
     /** Size of the log buffer when loading a BPF program, as a power of 2. */
     unsigned int bpf_log_buf_len_pow;
 
+    /** Bit flags for enabled fronts. */
+    uint16_t fronts;
+
     /** If true, print debug log messages (bf_debug). */
     bool verbose;
 } _opts = {
     .transient = false,
     .bpf_log_buf_len_pow = 16,
+    .fronts = 0xffff,
     .verbose = false,
 };
 
@@ -38,6 +44,7 @@ static struct argp_option options[] = {
     {"buffer-len", 'b', "BUF_LEN_POW", 0,
      "Size of the BPF log buffer as a power of 2 (only used when --verbose is used). Default: 16.",
      0},
+    {"no-iptables", 0x01, 0, 0, "Disable iptables support", 0},
     {"verbose", 'v', 0, 0, "Print debug logs", 0},
     {0},
 };
@@ -60,6 +67,10 @@ static error_t _bf_opts_parser(int key, char *arg, struct argp_state *state)
     case 'b':
         args->bpf_log_buf_len_pow = atoi(arg);
         break;
+    case 0x01:
+        bf_info("disabling iptables support");
+        args->fronts &= ~(1 << BF_FRONT_IPT);
+        break;
     case 'v':
         args->verbose = true;
         break;
@@ -87,6 +98,11 @@ unsigned int bf_opts_bpf_log_buf_len_pow(void)
     return _opts.bpf_log_buf_len_pow;
 }
 
+bool bf_opts_is_front_enabled(enum bf_front front)
+{
+    return _opts.fronts & (1 << front);
+}
+
 bool bf_opts_verbose(void)
 {
     return _opts.verbose;

diff --git a/src/opts.h b/src/opts.h
@@ -7,7 +7,10 @@
 
 #include <stdbool.h>
 
+#include "shared/front.h"
+
 int bf_opts_init(int argc, char *argv[]);
 bool bf_opts_transient(void);
 unsigned int bf_opts_bpf_log_buf_len_pow(void);
+bool bf_opts_is_front_enabled(enum bf_front front);
 bool bf_opts_verbose(void);
diff --git a/src/xlate/ipt/ipt.c b/src/xlate/ipt/ipt.c
@@ -676,30 +676,26 @@ static int _bf_ipt_request_handler(struct bf_request *request,
 
 static int _bf_ipt_marsh(struct bf_marsh **marsh)
 {
-    _cleanup_bf_marsh_ struct bf_marsh *_marsh = NULL;
-    int r;
+    int r = 0;
 
     bf_assert(marsh);
 
-    r = bf_marsh_new(&_marsh, NULL, 0);
-    if (r < 0)
-        return r;
+    if (!_cache)
+        return 0;
 
-    r |= bf_marsh_add_child_raw(&_marsh, &_cache->valid_hooks,
+    r |= bf_marsh_add_child_raw(marsh, &_cache->valid_hooks,
                                 sizeof(_cache->valid_hooks));
-    r |= bf_marsh_add_child_raw(&_marsh, &_cache->hook_entry,
+    r |= bf_marsh_add_child_raw(marsh, &_cache->hook_entry,
                                 sizeof(_cache->hook_entry));
-    r |= bf_marsh_add_child_raw(&_marsh, &_cache->underflow,
+    r |= bf_marsh_add_child_raw(marsh, &_cache->underflow,
                                 sizeof(_cache->underflow));
-    r |= bf_marsh_add_child_raw(&_marsh, &_cache->num_entries,
+    r |= bf_marsh_add_child_raw(marsh, &_cache->num_entries,
                                 sizeof(_cache->num_entries));
-    r |= bf_marsh_add_child_raw(&_marsh, &_cache->size, sizeof(_cache->size));
-    r |= bf_marsh_add_child_raw(&_marsh, _cache->entries, _cache->size);
+    r |= bf_marsh_add_child_raw(marsh, &_cache->size, sizeof(_cache->size));
+    r |= bf_marsh_add_child_raw(marsh, _cache->entries, _cache->size);
     if (r)
         return r;
 
-    *marsh = TAKE_PTR(_marsh);
-
     bf_dbg("Saved bf_ipt_cache at %p:", _cache);
     bf_dbg("  valid_hooks: %u", _cache->valid_hooks);
     bf_dbg("  num_entries: %u", _cache->num_entries);
@@ -716,6 +712,9 @@ static int _bf_ipt_unmarsh(struct bf_marsh *marsh)
 
     bf_assert(marsh);
 
+    if (marsh->data_len == 0)
+        return 0;
+
     r = _bf_ipt_cache_new(&cache);
     if (r < 0)
         return -ENOMEM;