Re: [PATCH v2] bpftool: Add 'prepend' option for tcx attach to insert at chain start

[Daniel Borkmann]

Hi Gyutae,

On 1/6/26 9:55 AM, gyutae.opensource@xxxxxxxxxxxxx wrote:
> From: Gyutae Bae <gyutae.bae@xxxxxxxxxxxxx>
>
> Add support for the 'prepend' option when attaching tcx_ingress and
> tcx_egress programs. This option allows inserting a BPF program at
> the beginning of the TCX chain instead of appending it at the end.
>
> The implementation queries the first program ID in the chain and uses
> BPF_F_BEFORE flag with the relative_id to insert the new program before
> the existing first program. If the chain is empty, the program is simply
> attached normally.
>
> This change includes:
> - Add get_first_tcx_prog_id() helper to retrieve the first program ID
> - Modify do_attach_tcx() to support prepend insertion using BPF_F_BEFORE
> - Update documentation to describe the new 'prepend' option
> - Add bash completion support for the 'prepend' option on tcx attach types
> - Add example usage in the documentation
>
> The 'prepend' option is only valid for tcx_ingress and tcx_egress attach
> types. For XDP attach types, the existing 'overwrite' option remains
> available.
>
> Example usage:
>    # bpftool net attach tcx_ingress name tc_prog dev lo prepend
>
> This feature is useful when the order of program execution in the TCX
> chain matters and users need to ensure certain programs run first.

Could we make this a bit more generic? The internal API has BPF_F_BEFORE
and BPF_F_AFTER flags, so we could also support relative ids. Alternatively
"prepend" / "append" is imho also ok and the "before" / "after" could be
added at a later point to bpftool.

BPF_F_BEFORE as a standalone flag (and BPF_F_AFTER as a standalone) flag
will have prepend and append behavior, so your approach of adding
get_first_tcx_prog_id() helper to retrieve the first program id is not
necessary, see also tcx BPF selftests [0].

Thanks,
Daniel

  [0] tools/testing/selftests/bpf/prog_tests/tc_links.c