Add CHANGELOG entry for #980

Add a CHANGELOG entry for pull request #980, which added support for
attaching to netfilter hooks. Also fix a few minor things that slipped
through review and remove tests for one more hook which is not available
on a local system and causing test failures because of it.

Signed-off-by: Daniel Müller <[email protected]>

Author: d-e-s-o

examples/netfilter_blocklist/src/bpf/netfilter_blocklist.bpf.c

@@ -51,8 +51,8 @@ int netfilter_local_in(struct bpf_nf_ctx *ctx) {
         /* To view log output, use: cat /sys/kernel/debug/tracing/trace_pipe */
         __be32 addr_host = bpf_ntohl(key.addr);
         bpf_printk("Blocked IP: %d.%d.%d.%d, prefix length: %d, map value: %d\n",
-           (addr_host >> 24) & 0xFF, (addr_host >> 16) & 0xFF, 
-           (addr_host >> 8) & 0xFF, addr_host & 0xFF, 
+           (addr_host >> 24) & 0xFF, (addr_host >> 16) & 0xFF,
+           (addr_host >> 8) & 0xFF, addr_host & 0xFF,
            key.prefixlen, *match_value);
         return NF_DROP;
     }

libbpf-rs/CHANGELOG.md

@@ -1,3 +1,9 @@
+Unreleased
+----------
+- Added `Program::attach_netfilter_with_opts` for attaching to netfilter
+  hooks
+
+
 0.24.5
 ------
 - Renamed `Program::get_id_by_fd` to `id_from_fd`

libbpf-rs/tests/bin/src/netfilter.bpf.c

@@ -21,7 +21,7 @@ int handle_netfilter(struct bpf_nf_ctx *ctx) {
 
     *value = 1;
     bpf_ringbuf_submit(value, 0);
-    
+
     bpf_printk("handle_netfilter: submitted ringbuf value");
     return NF_ACCEPT;
 }

libbpf-rs/tests/test_netfilter.rs

@@ -1,6 +1,10 @@
 #[allow(dead_code)]
 mod common;
 
+use std::net::IpAddr;
+use std::net::Ipv4Addr;
+use std::net::Ipv6Addr;
+use std::net::TcpListener;
 use std::net::TcpStream;
 
 use libbpf_rs::NetfilterOpts;
@@ -9,7 +13,6 @@ use libbpf_rs::Object;
 use libbpf_rs::NFPROTO_IPV4;
 use libbpf_rs::NFPROTO_IPV6;
 
-use libbpf_rs::NF_INET_LOCAL_IN;
 use libbpf_rs::NF_INET_POST_ROUTING;
 use libbpf_rs::NF_INET_PRE_ROUTING;
 
@@ -28,63 +31,54 @@ fn test_attach_and_detach(obj: &mut Object, protocol_family: i32, hooknum: i32,
         hooknum,
         ..NetfilterOpts::default()
     };
-    let error_message = format!(
-        "Failed to attach netfilter protocol {}, hook: {}",
-        protocol_family, hook_desc
-    );
     let link = prog
         .attach_netfilter_with_opts(netfilter_opt)
-        .expect(&error_message);
+        .unwrap_or_else(|err| {
+            panic!(
+                "Failed to attach netfilter protocol {}, hook: {}: {err}",
+                protocol_family, hook_desc
+            )
+        });
 
     let map = get_map_mut(obj, "ringbuf");
 
-    let trigger_addr = match protocol_family {
-        NFPROTO_IPV4 => Some("127.0.0.1:12345"),
-        NFPROTO_IPV6 => Some("[::1]:12345"),
-        _ => {
-            println!("unknow protocol family");
-            None
+    let addr = match protocol_family {
+        NFPROTO_IPV4 => IpAddr::V4(Ipv4Addr::LOCALHOST),
+        NFPROTO_IPV6 => IpAddr::V6(Ipv6Addr::LOCALHOST),
+        _ => panic!("unknow protocol family: {protocol_family}"),
+    };
+    // We let the kernel decide what port to bind to.
+    let listener = TcpListener::bind((addr, 0)).unwrap();
+    let trigger_addr = listener.local_addr().unwrap();
+
+    let result = match hooknum {
+        NF_INET_PRE_ROUTING | NF_INET_POST_ROUTING => {
+            let action = || {
+                let _ = TcpStream::connect(trigger_addr);
+            };
+            with_ringbuffer(&map, action)
         }
+        _ => panic!("unsupported hook: {hooknum} ({hook_desc})"),
     };
-
-    if let Some(trigger_addr) = trigger_addr {
-        let result = match hook_desc {
-            "PRE_ROUTING" | "LOCAL_IN" | "LOCAL_OUT" | "POST_ROUTING" => {
-                let action = || {
-                    let _ = TcpStream::connect(trigger_addr);
-                };
-                with_ringbuffer(&map, action)
-            }
-            "FORWARD" => 1,
-            _ => {
-                panic!("unknow hook")
-            }
-        };
-        assert_eq!(result, 1);
-    }
+    assert_eq!(result, 1);
     assert!(link.detach().is_ok());
 }
 
-// Only selected hooks are tested due to CI failures on certain hooks (e.g., FORWARD, LOCAL_OUT).
-// Although these hooks might work in actual use, they were removed from automated testing to
-// ensure consistent CI results and maintainability. This approach allows the focus to remain
-// on primary netfilter paths (e.g., PRE_ROUTING, LOCAL_IN, POST_ROUTING) that have stable CI
-// support. These hooks may be re-added for automated testing in the future if CI compatibility
-// improves or specific needs arise.
 #[tag(root)]
 #[test]
 fn test_netfilter() {
     bump_rlimit_mlock();
     let mut obj = get_test_object("netfilter.bpf.o");
 
+    // We don't test all hooks here, because support for some may be
+    // more limited.
+
     // IPv4 hook
     test_attach_and_detach(&mut obj, NFPROTO_IPV4, NF_INET_PRE_ROUTING, "PRE_ROUTING");
-    test_attach_and_detach(&mut obj, NFPROTO_IPV4, NF_INET_LOCAL_IN, "LOCAL_IN");
     test_attach_and_detach(&mut obj, NFPROTO_IPV4, NF_INET_POST_ROUTING, "POST_ROUTING");
 
     // IPv6 hook
     test_attach_and_detach(&mut obj, NFPROTO_IPV6, NF_INET_PRE_ROUTING, "PRE_ROUTING");
-    test_attach_and_detach(&mut obj, NFPROTO_IPV6, NF_INET_LOCAL_IN, "LOCAL_IN");
     test_attach_and_detach(&mut obj, NFPROTO_IPV6, NF_INET_POST_ROUTING, "POST_ROUTING");
 }