Add support for netkit

Signed-off-by: Hemanth Malla <[email protected]>

Author: hemanthmalla

.github/workflows/ci.yml

@@ -7,7 +7,7 @@ on:
 
 env:
   TMPDIR: /tmp
-  CI_MAX_KERNEL_VERSION: '6.6'
+  CI_MAX_KERNEL_VERSION: '6.7'
   CI_MIN_CLANG_VERSION: '11'
   go_version: '~1.22'
   prev_go_version: '~1.21'

attachtype_string.go

@@ -476,6 +476,17 @@ import (
 				rename("cnt", "count"),
 			},
 		},
+		{
+			"LinkCreateNetkit", retFd, "link_create", "BPF_LINK_CREATE",
+			[]patch{
+				choose(1, "target_ifindex"),
+				choose(4, "netkit"),
+				replace(enumTypes["AttachType"], "attach_type"),
+				flattenAnon,
+				flattenAnon,
+				rename("relative_fd", "relative_fd_or_id"),
+			},
+		},
 		{
 			"LinkUpdate", retError, "link_update", "BPF_LINK_UPDATE",
 			nil,
@@ -575,6 +586,9 @@ import (
 			replace(enumTypes["AttachType"], "attach_type"),
 		}},
 		{"NetfilterLinkInfo", "netfilter", nil},
+		{"NetkitLinkInfo", "netkit", []patch{
+			replace(enumTypes["AttachType"], "attach_type"),
+		}},
 	}
 
 	sort.Slice(linkInfoExtraTypes, func(i, j int) bool {
@@ -604,6 +618,7 @@ import (
 		{"kprobe_multi", "kprobe_multi"},
 		{"perf_event", "perf_event"},
 		{"tcx", "tcx"},
+		{"netkit", "netkit"},
 	})
 	if err != nil {
 		return nil, fmt.Errorf("splitting linkInfo: %w", err)

internal/cmd/gentypes/main.go

@@ -104,6 +104,8 @@ func wrapRawLink(raw *RawLink) (_ Link, err error) {
 		return &tcxLink{*raw}, nil
 	case NetfilterType:
 		return &netfilterLink{*raw}, nil
+	case NetkitType:
+		return &netkitLink{*raw}, nil
 	default:
 		return raw, nil
 	}
@@ -140,6 +142,7 @@ type NetNsInfo sys.NetNsLinkInfo
 type XDPInfo sys.XDPLinkInfo
 type TCXInfo sys.TcxLinkInfo
 type NetfilterInfo sys.NetfilterLinkInfo
+type NetkitInfo sys.NetkitLinkInfo
 
 // Tracing returns tracing type-specific link info.
 //
@@ -343,6 +346,8 @@ func (l *RawLink) Info() (*Info, error) {
 		extra = &TCXInfo{}
 	case NetfilterType:
 		extra = &NetfilterInfo{}
+	case NetkitType:
+		extra = &NetkitInfo{}
 	default:
 		return nil, fmt.Errorf("unknown link info type: %d", info.Type)
 	}

internal/sys/types.go

@@ -0,0 +1,71 @@
+package link
+
+import (
+	"fmt"
+	"runtime"
+
+	"github.com/cilium/ebpf"
+	"github.com/cilium/ebpf/internal/sys"
+)
+
+type NetkitOptions struct {
+	// Index of the interface to attach to.
+	Interface int
+	// Program to attach.
+	Program *ebpf.Program
+	// One of the AttachNetkit* constants.
+	Attach ebpf.AttachType
+	// Attach relative to an anchor. Optional.
+	Anchor Anchor
+	// Only attach if the expected revision matches.
+	ExpectedRevision uint64
+	// Flags control the attach behaviour. Specify an Anchor instead of
+	// F_LINK, F_ID, F_BEFORE, F_AFTER and R_REPLACE. Optional.
+	Flags uint32
+}
+
+func AttachNetkit(opts NetkitOptions) (Link, error) {
+	if opts.Interface < 0 {
+		return nil, fmt.Errorf("interface %d is out of bounds", opts.Interface)
+	}
+
+	if opts.Flags&anchorFlags != 0 {
+		return nil, fmt.Errorf("disallowed flags: use Anchor to specify attach target")
+	}
+
+	attr := sys.LinkCreateNetkitAttr{
+		ProgFd:           uint32(opts.Program.FD()),
+		AttachType:       sys.AttachType(opts.Attach),
+		TargetIfindex:    uint32(opts.Interface),
+		ExpectedRevision: opts.ExpectedRevision,
+		Flags:            opts.Flags,
+	}
+
+	if opts.Anchor != nil {
+		fdOrID, flags, err := opts.Anchor.anchor()
+		if err != nil {
+			return nil, fmt.Errorf("attach netkit link: %w", err)
+		}
+
+		attr.RelativeFdOrId = fdOrID
+		attr.Flags |= flags
+	}
+
+	fd, err := sys.LinkCreateNetkit(&attr)
+	runtime.KeepAlive(opts.Program)
+	runtime.KeepAlive(opts.Anchor)
+	if err != nil {
+		if haveFeatErr := haveNetkit(); haveFeatErr != nil {
+			return nil, haveFeatErr
+		}
+		return nil, fmt.Errorf("attach netkit link: %w", err)
+	}
+
+	return &netkitLink{RawLink{fd, ""}}, nil
+}
+
+type netkitLink struct {
+	RawLink
+}
+
+var _ Link = (*netkitLink)(nil)

link/link.go

@@ -27,6 +27,7 @@ const (
 	TCXType           = sys.BPF_LINK_TYPE_TCX
 	UprobeMultiType   = sys.BPF_LINK_TYPE_UPROBE_MULTI
 	NetfilterType     = sys.BPF_LINK_TYPE_NETFILTER
+	NetkitType        = sys.BPF_LINK_TYPE_NETKIT
 )
 
 var haveProgAttach = internal.NewFeatureTest("BPF_PROG_ATTACH", "4.10", func() error {
@@ -162,3 +163,38 @@ var haveTCX = internal.NewFeatureTest("tcx", "6.6", func() error {
 	}
 	return errors.New("syscall succeeded unexpectedly")
 })
+
+var haveNetkit = internal.NewFeatureTest("netkit", "6.7", func() error {
+	prog, err := ebpf.NewProgram(&ebpf.ProgramSpec{
+		Type:    ebpf.SchedCLS,
+		License: "MIT",
+		Instructions: asm.Instructions{
+			asm.Mov.Imm(asm.R0, 0),
+			asm.Return(),
+		},
+	})
+
+	if err != nil {
+		return internal.ErrNotSupported
+	}
+
+	defer prog.Close()
+	attr := sys.LinkCreateNetkitAttr{
+		// We rely on this being checked during the syscall.
+		// With an otherwise correct payload we expect ENODEV here
+		// as an indication that the feature is present.
+		TargetIfindex: ^uint32(0),
+		ProgFd:        uint32(prog.FD()),
+		AttachType:    sys.AttachType(ebpf.AttachNetkitPrimary),
+	}
+
+	_, err = sys.LinkCreateNetkit(&attr)
+
+	if errors.Is(err, unix.ENODEV) {
+		return nil
+	}
+	if err != nil {
+		return ErrNotSupported
+	}
+	return errors.New("syscall succeeded unexpectedly")
+})

link/netkit.go

@@ -25,3 +25,7 @@ func TestHaveProgQuery(t *testing.T) {
 func TestHaveTCX(t *testing.T) {
 	testutils.CheckFeatureTest(t, haveTCX)
 }
+
+func TestHaveNetkit(t *testing.T) {
+	testutils.CheckFeatureTest(t, haveNetkit)
+}

link/syscalls.go

@@ -220,6 +220,13 @@ const (
 	AttachTCXIngress                 = AttachType(sys.BPF_TCX_INGRESS)
 	AttachTCXEgress                  = AttachType(sys.BPF_TCX_EGRESS)
 	AttachTraceUprobeMulti           = AttachType(sys.BPF_TRACE_UPROBE_MULTI)
+	AttachCgroupUnixConnect          = AttachType(sys.BPF_CGROUP_UNIX_CONNECT)
+	AttachCgroupUnixSendmsg          = AttachType(sys.BPF_CGROUP_UNIX_SENDMSG)
+	AttachCgroupUnixRecvmsg          = AttachType(sys.BPF_CGROUP_UNIX_RECVMSG)
+	AttachCgroupUnixGetpeername      = AttachType(sys.BPF_CGROUP_UNIX_GETPEERNAME)
+	AttachCgroupUnixGetsockname      = AttachType(sys.BPF_CGROUP_UNIX_GETSOCKNAME)
+	AttachNetkitPrimary              = AttachType(sys.BPF_NETKIT_PRIMARY)
+	AttachNetkitPeer                 = AttachType(sys.BPF_NETKIT_PEER)
 )
 
 // AttachFlags of the eBPF program used in BPF_PROG_ATTACH command