nettools · Feanor60 · Dec 6, 2022 · dvdhrm · Dec 6, 2022 · dvdhrm
diff --git a/README.md b/README.md
@@ -41,13 +41,6 @@ meson test
 ninja install
 ```
 
-The following configuration options are available:
-
- * `ebpf`: This boolean controls whether `ebpf` features are used to improve
-           the package filtering performance. If disabled, classic bpf will be
-           used. This feature requires a rather recent kernel (>=3.19).
-           Default is: true
-
 ### Repository:
 
  - **web**:   <https://github.com/nettools/n-acd>

diff --git a/meson.build b/meson.build
@@ -22,6 +22,4 @@ dep_crbtree = sub_crbtree.get_variable('libcrbtree_dep')
 dep_csiphash = sub_csiphash.get_variable('libcsiphash_dep')
 dep_cstdaux = sub_cstdaux.get_variable('libcstdaux_dep')
 
-use_ebpf = get_option('ebpf')
-
 subdir('src')
diff --git a/meson_options.txt b/meson_options.txt
diff --git a/src/meson.build b/src/meson.build
@@ -13,20 +13,11 @@ libnacd_deps = [
 
 libnacd_sources = [
         'n-acd.c',
+        'n-acd-bpf.c',
         'n-acd-probe.c',
         'util/timer.c',
 ]
 
-if use_ebpf
-        libnacd_sources += [
-                'n-acd-bpf.c',
-        ]
-else
-        libnacd_sources += [
-                'n-acd-bpf-fallback.c',
-        ]
-endif
-
 libnacd_private = static_library(
         'nacd-private',
         libnacd_sources,
@@ -77,10 +68,8 @@ endif
 test_api = executable('test-api', ['test-api.c'], link_with: libnacd_shared)
 test('API Symbol Visibility', test_api)
 
-if use_ebpf
-        test_bpf = executable('test-bpf', ['test-bpf.c'], dependencies: libnacd_dep)
-        test('eBPF socket filtering', test_bpf)
-endif
+test_bpf = executable('test-bpf', ['test-bpf.c'], dependencies: libnacd_dep)
+test('eBPF socket filtering', test_bpf)
 
 test_loopback = executable('test-loopback', ['test-loopback.c'], dependencies: libnacd_dep)
 test('Echo Suppression via Loopback', test_loopback)

diff --git a/src/n-acd-bpf-fallback.c b/src/n-acd-bpf-fallback.c
diff --git a/src/n-acd-probe.c b/src/n-acd-probe.c
@@ -208,8 +208,6 @@ static int n_acd_probe_link(NAcdProbe *probe) {
          * entry.
          */
         r = n_acd_ensure_bpf_map_space(probe->acd);
-        if (r)
-                return r;
 
         /*
          * Link entry into context, indexed by its IP. Note that we allow
@@ -238,7 +236,7 @@ static int n_acd_probe_link(NAcdProbe *probe) {
         /*
          * Add the ip address to the map, if it is not already there.
          */
-        if (n_acd_probe_is_unique(probe)) {
+        if (probe->acd->fd_bpf_map >= 0 && n_acd_probe_is_unique(probe)) {
                 r = n_acd_bpf_map_add(probe->acd->fd_bpf_map, &probe->ip);
                 if (r) {
                         /*
@@ -261,7 +259,7 @@ static void n_acd_probe_unlink(NAcdProbe *probe) {
          * If this is the only probe for a given IP, remove the IP from the
          * kernel BPF map.
          */
-        if (n_acd_probe_is_unique(probe)) {
+        if (probe->acd->fd_bpf_map >= 0 && n_acd_probe_is_unique(probe)) {
                 r = n_acd_bpf_map_remove(probe->acd->fd_bpf_map, &probe->ip);
                 c_assert(r >= 0);
                 --probe->acd->n_bpf_map;

diff --git a/src/n-acd.c b/src/n-acd.c
@@ -296,7 +296,7 @@ int n_acd_ensure_bpf_map_space(NAcd *acd) {
 
         r = n_acd_bpf_compile(&fd_prog, fd_map, (struct ether_addr*) acd->mac);
         if (r)
-                return r;
+                fd_prog = -1;
 
         if (fd_prog >= 0) {
                 r = setsockopt(acd->fd_socket, SOL_SOCKET, SO_ATTACH_BPF, &fd_prog, sizeof(fd_prog));
@@ -360,12 +360,12 @@ _c_public_ int n_acd_new(NAcd **acdp, NAcdConfig *config) {
         acd->max_bpf_map = 8;
 
         r = n_acd_bpf_map_create(&acd->fd_bpf_map, acd->max_bpf_map);
-        if (r)
-                return r;
 
-        r = n_acd_bpf_compile(&fd_bpf_prog, acd->fd_bpf_map, (struct ether_addr*) acd->mac);
-        if (r)
-                return r;
+        if (acd->fd_bpf_map >= 0) {
+                r = n_acd_bpf_compile(&fd_bpf_prog, acd->fd_bpf_map, (struct ether_addr*) acd->mac);
+                if (r)
+                        fd_bpf_prog = -1;
+        }
 
         r = n_acd_socket_new(&acd->fd_socket, fd_bpf_prog, config);
         if (r)

diff --git a/src/test-bpf.c b/src/test-bpf.c
@@ -48,8 +48,9 @@ static void test_map(void) {
         struct in_addr addr = { 1 };
 
         r = n_acd_bpf_map_create(&mapfd, 8);
-        c_assert(r >= 0);
-        c_assert(mapfd >= 0);
+
+        if (r == -EPERM)
+                return;
 
         r = n_acd_bpf_map_remove(mapfd, &addr);
         c_assert(r == -ENOENT);
@@ -103,7 +104,13 @@ static void test_filter(void) {
         int r, mapfd = -1, progfd = -1, pair[2];
 
         r = n_acd_bpf_map_create(&mapfd, 1);
+
+        if (r == -EPERM)
+                return;
+
         c_assert(r >= 0);
+        c_assert(mapfd >= 0);
+
 
         r = n_acd_bpf_compile(&progfd, mapfd, &mac1);
         c_assert(r >= 0);
@@ -113,7 +120,7 @@ static void test_filter(void) {
         c_assert(r >= 0);
 
         r = setsockopt(pair[1], SOL_SOCKET, SO_ATTACH_BPF, &progfd,
-                       sizeof(progfd));
+                      sizeof(progfd));
         c_assert(r >= 0);
 
         r = n_acd_bpf_map_add(mapfd, &ip1);
@@ -190,9 +197,9 @@ static void test_filter(void) {
         c_assert(errno == EAGAIN);
 
         /*
-         * Send one packet before and one packet after modifying the map,
-         * verify that the modification applies at the time of send(), not recv().
-         */
+        * Send one packet before and one packet after modifying the map,
+        * verify that the modification applies at the time of send(), not recv().
+        */
         *packet = (struct ether_arp)ETHER_ARP_PACKET_INIT(ARPOP_REQUEST, &mac2, &ip1, &ip2);
         r = send(pair[0], buf, sizeof(struct ether_arp), 0);
         c_assert(r == sizeof(struct ether_arp));