@qdeslandes

Add a new REDIRECT verdict in addition to ACCEPT/DROP/CONTINUE to redirect a matched packet to a different interface.

The new verdict expects $iface $dir with:

  • $iface: interface to redirect to, name or index
  • $dir: direction to redirect the packet: in or out of the interface

This new verdict doesn't support Cgroup and Netfilter hooks (redirection is not supported by BPF on those hooks).

Copilot AI review requested due to automatic review settings February 2, 2026 10:42
@meta-cla meta-cla bot added the cla signed label Feb 2, 2026

Copilot AI left a comment

Pull request overview

Adds a new REDIRECT rule verdict (in addition to ACCEPT/DROP/CONTINUE) to redirect matched packets to another interface for TC and XDP, including CLI parsing/printing and test/documentation updates.

Changes:

  • Introduces BF_VERDICT_REDIRECT plus bf_redirect_dir (in/out) string conversions and rule fields (redirect_ifindex, redirect_dir).
  • Extends code generation for TC/XDP to emit bpf_redirect() and wires the new verdict through program generation and bfcli.
  • Adds unit, fuzz, and e2e coverage plus documentation updates for the new verdict and its hook limitations.

Reviewed changes

Copilot reviewed 20 out of 20 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| tests/unit/libbpfilter/verdict.c | Adds unit test coverage for redirect direction enum to/from string. |
| tests/harness/test.c | Updates rule equality helper to include redirect fields. |
| tests/fuzz/keywords.dict | Adds REDIRECT, in, out to fuzzing dictionary. |
| tests/e2e/rulesets/xdp.bf | Adds a sample XDP ruleset rule using REDIRECT. |
| tests/e2e/rulesets/tc_ingress.bf | Adds a sample TC ingress ruleset rule using REDIRECT. |
| tests/e2e/rulesets/tc_egress.bf | Adds a sample TC egress ruleset rule using REDIRECT. |
| tests/e2e/rules/redirect.sh | New e2e test validating redirect behavior and unsupported-hook errors. |
| tests/e2e/CMakeLists.txt | Registers the new redirect e2e test. |
| src/libbpfilter/verdict.c | Implements bf_redirect_dir_{to,from}_str() and adds verdict string mapping for REDIRECT. |
| src/libbpfilter/rule.c | Serializes/deserializes redirect fields and dumps them conditionally. |
| src/libbpfilter/include/bpfilter/verdict.h | Defines redirect direction enum and adds BF_VERDICT_REDIRECT. |
| src/libbpfilter/include/bpfilter/rule.h | Adds redirect parameters to bf_rule and helper accessors. |
| src/libbpfilter/include/bpfilter/flavor.h | Extends flavor ops with gen_inline_redirect. |
| src/bpfilter/cgen/xdp.c | Implements XDP redirect codegen using bpf_redirect(). |
| src/bpfilter/cgen/tc.c | Implements TC redirect codegen using bpf_redirect() with BPF_F_INGRESS. |
| src/bpfilter/cgen/program.c | Emits redirect handling for rules with BF_VERDICT_REDIRECT. |
| src/bfcli/print.c | Prints redirect verdict with ifindex and direction. |
| src/bfcli/parser.y | Parses REDIRECT $IFACE $DIR into rule redirect fields. |
| src/bfcli/lexer.l | Lexes REDIRECT, interface, and direction tokens. |
| doc/usage/bfcli.rst | Documents the new verdict, syntax, and hook support constraints. |

Comments suppressed due to low confidence (1)

src/libbpfilter/include/bpfilter/verdict.h:55

  • With BF_VERDICT_REDIRECT now placed before BF_VERDICT_CONTINUE, the existing _BF_TERMINAL_VERDICT_MAX = BF_VERDICT_CONTINUE makes REDIRECT fall into the “terminal verdict” range used to validate chain policies. However, chain policies can’t provide the required redirect parameters (ifindex/dir), so allowing BF_VERDICT_REDIRECT as a chain policy via the C API/pack format seems inconsistent. Consider tightening the chain-policy validation logic (e.g., restrict to ACCEPT/DROP only, or add a separate chain-policy enum/range check) so REDIRECT remains rule-only.
    BF_VERDICT_CONTINUE,
    _BF_VERDICT_MAX,
    _BF_TERMINAL_VERDICT_MAX = BF_VERDICT_CONTINUE,
};
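
The range-check concern raised in the suppressed comment above, as an added example that is not code from the pull request or from bpfilter: it compares a bound-based chain-policy check with an explicit allow-list. The enum is a local mirror built from the quoted snippet (the ACCEPT/DROP order is an assumption), and both `policy_check_*` functions are hypothetical names.

```c
#include <errno.h>
#include <stdio.h>

/* Local mirror of the verdict enum, reconstructed from the snippet quoted in
 * the review. The position of ACCEPT and DROP is an assumption. */
enum bf_verdict {
    BF_VERDICT_ACCEPT,
    BF_VERDICT_DROP,
    BF_VERDICT_REDIRECT, /* new: placed before CONTINUE */
    BF_VERDICT_CONTINUE,
    _BF_VERDICT_MAX,
    _BF_TERMINAL_VERDICT_MAX = BF_VERDICT_CONTINUE,
};

/* Hypothetical bound-based check: every value below the terminal bound is
 * accepted, so a verdict inserted before CONTINUE is silently allowed. */
static int policy_check_by_range(enum bf_verdict policy)
{
    if ((int)policy < 0 || policy >= _BF_TERMINAL_VERDICT_MAX)
        return -EINVAL;
    return 0;
}

/* Hypothetical allow-list check: a chain policy carries no ifindex or
 * direction, so only the parameterless terminal verdicts are accepted. */
static int policy_check_by_allowlist(enum bf_verdict policy)
{
    switch (policy) {
    case BF_VERDICT_ACCEPT:
    case BF_VERDICT_DROP:
        return 0;
    default:
        return -EINVAL;
    }
}

int main(void)
{
    static const char *names[] = {"ACCEPT", "DROP", "REDIRECT", "CONTINUE"};

    /* Print how each verdict fares as a chain policy under both checks. */
    for (int v = 0; v < _BF_VERDICT_MAX; ++v)
        printf("%-8s range=%d allowlist=%d\n", names[v],
               policy_check_by_range((enum bf_verdict)v),
               policy_check_by_allowlist((enum bf_verdict)v));
    return 0;
}
```

The allow-list keeps its result when further verdicts are added to the enum, whereas the bound-based check changes meaning with the enum order.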


Extract the meta.iface matcher parsing logic into if.(c|h) to be reused for
similar parsing.
Introduce a new REDIRECT rule verdict to pass a packet to another
interface when a rule matches.

This new verdict is only supported with TC and XDP (egress only): when a
rule with REDIRECT is matched, the packet is redirected to the specific
interface on ingress or egress.
@qdeslandes qdeslandes merged commit cb48a05 into facebook:main Feb 2, 2026
29 checks passed
@qdeslandes qdeslandes deleted the redirect branch February 2, 2026 11:37