net: netfilter: add kfunc helper to update ct timeout

.github/actions/vmtest/action.yml

@@ -0,0 +1,39 @@
+name: 'vmtest'
+description: 'Build + run vmtest'
+inputs:
+  arch:
+    description: 'what arch to test'
+    required: true
+    default: 'x86_64'
+  toolchain:
+    description: 'what toolchain to use'
+    required: true
+    default: 'gcc'
+runs:
+  using: "composite"
+  steps:
+    # 1. Setup environment
+    - name: Setup build environment
+      uses: libbpf/ci/setup-build-env@master
+    # 2. Build
+    - name: Build kernel image
+      shell: bash
+      run: ${GITHUB_ACTION_PATH}/build.sh ${{ inputs.arch }} ${{ inputs.toolchain }}
+    - name: Build selftests
+      shell: bash
+      run: ${GITHUB_ACTION_PATH}/build_selftests.sh ${{ inputs.toolchain }}
+      env:
+        VMLINUX_BTF: ${{ github.workspace }}/vmlinux
+    # 3. Test
+    - name: Prepare rootfs
+      uses: libbpf/ci/prepare-rootfs@master
+      with:
+        project-name: 'libbpf'
+        arch: ${{ inputs.arch }}
+        kernel-root: '.'
+    - name: Run selftests
+      uses: libbpf/ci/run-qemu@master
+      with:
+        arch: ${{ inputs.arch}}
+        img: '/tmp/root.img'
+        vmlinuz: '${{ github.workspace }}/vmlinuz'

.github/actions/vmtest/build.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -euo pipefail
+
+ARCH="$1"
+TOOLCHAIN="$2"
+TOOLCHAIN_NAME="$(echo $TOOLCHAIN | cut -d '-' -f 1)"
+TOOLCHAIN_VERSION="$(echo $TOOLCHAIN | cut -d '-' -f 2)"
+
+if [ "$TOOLCHAIN_NAME" == "llvm" ]; then
+export LLVM="-$TOOLCHAIN_VERSION"
+fi
+
+THISDIR="$(cd $(dirname $0) && pwd)"
+
+source "${THISDIR}"/helpers.sh
+
+travis_fold start build_kernel "Building kernel with $TOOLCHAIN"
+
+cp ${GITHUB_WORKSPACE}/travis-ci/vmtest/configs/config-latest.${ARCH} .config
+
+make -j $((4*$(nproc))) olddefconfig all > /dev/null
+
+travis_fold end build_kernel

.github/actions/vmtest/build_selftests.sh

@@ -0,0 +1,52 @@
+#!/bin/bash
+
+set -euo pipefail
+
+THISDIR="$(cd $(dirname $0) && pwd)"
+
+source "${THISDIR}"/helpers.sh
+
+TOOLCHAIN="$1"
+TOOLCHAIN_NAME="$(echo $TOOLCHAIN | cut -d '-' -f 1)"
+TOOLCHAIN_VERSION="$(echo $TOOLCHAIN | cut -d '-' -f 2)"
+
+if [ "$TOOLCHAIN_NAME" == "llvm" ]; then
+export LLVM="-$TOOLCHAIN_VERSION"
+LLVM_VER=$TOOLCHAIN_VERSION
+else
+LLVM_VER=15
+fi
+
+travis_fold start prepare_selftests "Building selftests with $TOOLCHAIN"
+
+LIBBPF_PATH="${REPO_ROOT}"
+
+PREPARE_SELFTESTS_SCRIPT=${THISDIR}/prepare_selftests-${KERNEL}.sh
+if [ -f "${PREPARE_SELFTESTS_SCRIPT}" ]; then
+	(cd "${REPO_ROOT}/${REPO_PATH}/tools/testing/selftests/bpf" && ${PREPARE_SELFTESTS_SCRIPT})
+fi
+
+if [[ "${KERNEL}" = 'LATEST' ]]; then
+	VMLINUX_H=
+else
+	VMLINUX_H=${THISDIR}/vmlinux.h
+fi
+
+cd ${REPO_ROOT}/${REPO_PATH}
+make \
+	CLANG=clang-${LLVM_VER} \
+	LLC=llc-${LLVM_VER} \
+	LLVM_STRIP=llvm-strip-${LLVM_VER} \
+	VMLINUX_BTF="${VMLINUX_BTF}" \
+	VMLINUX_H="${VMLINUX_H}" \
+	-C "${REPO_ROOT}/${REPO_PATH}/tools/testing/selftests/bpf" \
+	-j $((4*$(nproc))) > /dev/null
+cd -
+mkdir "${LIBBPF_PATH}"/selftests
+cp -R "${REPO_ROOT}/${REPO_PATH}/tools/testing/selftests/bpf" \
+	"${LIBBPF_PATH}"/selftests
+cd "${LIBBPF_PATH}"
+rm selftests/bpf/.gitignore
+git add selftests
+
+travis_fold end prepare_selftests

.github/actions/vmtest/helpers.sh

@@ -0,0 +1,44 @@
+# $1 - start or end
+# $2 - fold identifier, no spaces
+# $3 - fold section description
+travis_fold() {
+  local YELLOW='\033[1;33m'
+  local NOCOLOR='\033[0m'
+  if [ -z ${GITHUB_WORKFLOW+x} ]; then
+    echo travis_fold:$1:$2
+    if [ ! -z "${3:-}" ]; then
+      echo -e "${YELLOW}$3${NOCOLOR}"
+    fi
+    echo
+  else
+    if [ $1 = "start" ]; then
+      line="::group::$2"
+      if [ ! -z "${3:-}" ]; then
+        line="$line - ${YELLOW}$3${NOCOLOR}"
+      fi
+    else
+      line="::endgroup::"
+    fi
+    echo -e "$line"
+  fi
+}
+
+__print() {
+  local TITLE=""
+  if [[ -n $2 ]]; then
+      TITLE=" title=$2"
+  fi
+  echo "::$1${TITLE}::$3"
+}
+
+# $1 - title
+# $2 - message
+print_error() {
+  __print error $1 $2
+}
+
+# $1 - title
+# $2 - message
+print_notice() {
+  __print notice $1 $2
+}

.github/workflows/test.yml

@@ -0,0 +1,57 @@
+name: bpf-ci
+
+on:
+  pull_request:
+
+concurrency: 
+  group: ci-test-${{ github.head_ref }}
+  cancel-in-progress: true
+
+jobs:
+  VM_Test:
+    runs-on: ${{ matrix.runs_on }}
+    name: Kernel ${{ matrix.kernel }} on ${{ matrix.runs_on }} with ${{ matrix.toolchain }}
+    timeout-minutes: 100
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - kernel: 'LATEST'
+            runs_on: ubuntu-latest
+            arch: 'x86_64'
+            toolchain: 'gcc'
+          - kernel: 'LATEST'
+            runs_on: ubuntu-latest
+            arch: 'x86_64'
+            toolchain: 'llvm-15'
+          - kernel: 'LATEST'
+            runs_on: z15
+            arch: 's390x'
+            toolchain: 'gcc'
+    env:
+      AUTHOR_EMAIL: "$(git log -1 --pretty=\"%aE\")"
+      KERNEL: LATEST
+      REPO_ROOT: ${{ github.workspace }}
+      REPO_PATH: ""
+    steps:
+      - uses: actions/checkout@v2
+      - if: ${{ github.repository != 'kernel-patches/bpf' && github.repository != 'kernel-patches/bpf-rc' }}
+        name: Download bpf-next tree
+        uses: libbpf/ci/get-linux-source@master
+        with:
+          dest: '.kernel'
+      - if: ${{ github.repository != 'kernel-patches/bpf' && github.repository != 'kernel-patches/bpf-rc' }}
+        name: Move linux source in place
+        shell: bash
+        run: |
+          rm -rf .kernel/.git
+          cp -rf .kernel/. .
+          rm -rf .kernel
+      - uses: libbpf/ci/patch-kernel@master
+        with:
+          patches-root: '${{ github.workspace }}/travis-ci/diffs'
+          repo-root: '${{ github.workspace }}'
+      - uses: ./.github/actions/vmtest
+        with:
+          arch: ${{ matrix.arch }}
+          toolchain: ${{ matrix.toolchain }}

README

@@ -1,18 +0,0 @@
-Linux kernel
-============
-
-There are several guides for kernel developers and users. These guides can
-be rendered in a number of formats, like HTML and PDF. Please read
-Documentation/admin-guide/README.rst first.
-
-In order to build the documentation, use ``make htmldocs`` or
-``make pdfdocs``.  The formatted documentation can also be read online at:
-
-    https://www.kernel.org/doc/html/latest/
-
-There are various text files in the Documentation/ subdirectory,
-several of them using the Restructured Text markup notation.
-
-Please read the Documentation/process/changes.rst file, as it contains the
-requirements for building and running the kernel, and information about
-the problems which may result by upgrading your kernel.

include/net/netfilter/nf_conntrack.h

@@ -205,6 +205,7 @@ bool nf_ct_get_tuplepr(const struct sk_buff *skb, unsigned int nhoff,
 		       u_int16_t l3num, struct net *net,
 		       struct nf_conntrack_tuple *tuple);
 
+void nf_ct_refresh_timeout(struct nf_conn *ct, u32 extra_jiffies);
 void __nf_ct_refresh_acct(struct nf_conn *ct, enum ip_conntrack_info ctinfo,
 			  const struct sk_buff *skb,
 			  u32 extra_jiffies, bool do_acct);

net/netfilter/nf_conntrack_bpf.c

@@ -217,16 +217,36 @@ void bpf_ct_release(struct nf_conn *nfct)
 	nf_ct_put(nfct);
 }
 
+/* bpf_ct_refresh_timeout - Refresh nf_conn object
+ *
+ * Refresh timeout associated to the provided connection tracking entry.
+ * This must be invoked for referenced PTR_TO_BTF_ID.
+ *
+ * Parameters:
+ * @nf_conn      - Pointer to referenced nf_conn object, obtained using
+ *		   bpf_xdp_ct_lookup or bpf_skb_ct_lookup.
+ * @timeout      - delta time in msecs used to increase the ct entry lifetime.
+ */
+void bpf_ct_refresh_timeout(struct nf_conn *nfct, u32 timeout)
+{
+	if (!nfct)
+		return;
+
+	nf_ct_refresh_timeout(nfct, msecs_to_jiffies(timeout));
+}
+
 __diag_pop()
 
 BTF_SET_START(nf_ct_xdp_check_kfunc_ids)
 BTF_ID(func, bpf_xdp_ct_lookup)
 BTF_ID(func, bpf_ct_release)
+BTF_ID(func, bpf_ct_refresh_timeout);
 BTF_SET_END(nf_ct_xdp_check_kfunc_ids)
 
 BTF_SET_START(nf_ct_tc_check_kfunc_ids)
 BTF_ID(func, bpf_skb_ct_lookup)
 BTF_ID(func, bpf_ct_release)
+BTF_ID(func, bpf_ct_refresh_timeout);
 BTF_SET_END(nf_ct_tc_check_kfunc_ids)
 
 BTF_SET_START(nf_ct_acquire_kfunc_ids)

net/netfilter/nf_conntrack_core.c

@@ -2030,24 +2030,29 @@ void nf_conntrack_alter_reply(struct nf_conn *ct,
 }
 EXPORT_SYMBOL_GPL(nf_conntrack_alter_reply);
 
-/* Refresh conntrack for this many jiffies and do accounting if do_acct is 1 */
-void __nf_ct_refresh_acct(struct nf_conn *ct,
-			  enum ip_conntrack_info ctinfo,
-			  const struct sk_buff *skb,
-			  u32 extra_jiffies,
-			  bool do_acct)
+void nf_ct_refresh_timeout(struct nf_conn *ct, u32 extra_jiffies)
 {
 	/* Only update if this is not a fixed timeout */
 	if (test_bit(IPS_FIXED_TIMEOUT_BIT, &ct->status))
-		goto acct;
+		return;
 
 	/* If not in hash table, timer will not be active yet */
 	if (nf_ct_is_confirmed(ct))
 		extra_jiffies += nfct_time_stamp;
 
 	if (READ_ONCE(ct->timeout) != extra_jiffies)
 		WRITE_ONCE(ct->timeout, extra_jiffies);
-acct:
+}
+
+/* Refresh conntrack for this many jiffies and do accounting if do_acct is 1 */
+void __nf_ct_refresh_acct(struct nf_conn *ct,
+			  enum ip_conntrack_info ctinfo,
+			  const struct sk_buff *skb,
+			  u32 extra_jiffies,
+			  bool do_acct)
+{
+	nf_ct_refresh_timeout(ct, extra_jiffies);
+
 	if (do_acct)
 		nf_ct_acct_update(ct, CTINFO2DIR(ctinfo), skb->len);
 }

tools/testing/selftests/bpf/prog_tests/bpf_nf.c

@@ -18,6 +18,13 @@ void test_bpf_nf_ct(int mode)
 		.repeat = 1,
 	);
 
+	/* Flush previous nft ct entries */
+	ASSERT_OK(system("conntrack -F"), "flush ct entries");
+	/* Let's create a nft ct entry to perform lookup */
+	ASSERT_OK(system("conntrack -I -s 1.1.1.1 -d 2.2.2.2 --protonum 6  \
+			  --state ESTABLISHED --timeout 3600 --sport 12345 \
+			  --dport 1000 --zone 0"), "create ct entry");
+
 	skel = test_bpf_nf__open_and_load();
 	if (!ASSERT_OK_PTR(skel, "test_bpf_nf__open_and_load"))
 		return;
@@ -39,6 +46,9 @@ void test_bpf_nf_ct(int mode)
 	ASSERT_EQ(skel->bss->test_enonet_netns_id, -ENONET, "Test ENONET for bad but valid netns_id");
 	ASSERT_EQ(skel->bss->test_enoent_lookup, -ENOENT, "Test ENOENT for failed lookup");
 	ASSERT_EQ(skel->bss->test_eafnosupport, -EAFNOSUPPORT, "Test EAFNOSUPPORT for invalid len__tuple");
+	ASSERT_EQ(skel->bss->test_succ_lookup, 0, "Test for successful lookup");
+	ASSERT_EQ(skel->bss->test_delta_timeout, 10, "Test for ct timeout update");
+
 end:
 	test_bpf_nf__destroy(skel);
 }