facebook · qdeslandes · Feb 20, 2026 · Feb 18, 2026 · Feb 18, 2026 · Feb 18, 2026
@@ -11,7 +11,6 @@ You are welcome to reach out to qde@naccy.de if you need help, or have any quest
 To do
 -----
 
-* Enforce ``clang-format`` and ``clang-tidy`` on all source files.
 * Remove the RPM ``x86_64`` macro `workaround <https://pagure.io/epel/issue/325>`_ from the Fedora ``bpfilter.spec``.
 * Gate the documentation generate in Fedora's ``bpfilter.spec`` with a ``bcond``.
 * Add support for CMake 4.0 and ``ninja``.

@@ -542,7 +542,7 @@ int _bf_cli_chain_flush(const struct bf_request *request,
 }
 
 int _bf_cli_chain_update_set(const struct bf_request *request,
-                       struct bf_response **response)
+                             struct bf_response **response)
 {
     _free_bf_set_ struct bf_set *to_add = NULL;
     _free_bf_set_ struct bf_set *to_remove = NULL;

@@ -9,11 +9,15 @@ file(GLOB_RECURSE bf_srcs
     ${CMAKE_SOURCE_DIR}/src/bpfilter/*.h        ${CMAKE_SOURCE_DIR}/src/bpfilter/*.c
     ${CMAKE_SOURCE_DIR}/src/libbpfilter/*.h     ${CMAKE_SOURCE_DIR}/src/libbpfilter/*.c
     ${CMAKE_SOURCE_DIR}/src/bfcli/*.h           ${CMAKE_SOURCE_DIR}/src/bfcli/*.c
-    # ${CMAKE_SOURCE_DIR}/tests/*.h               ${CMAKE_SOURCE_DIR}/tests/*.c
 )
 list(FILTER bf_srcs EXCLUDE REGEX "src/bpfilter/xlate/nft/nfmsg.*")
 list(FILTER bf_srcs EXCLUDE REGEX "src/bpfilter/xlate/nft/nfgroup.*")
 
+file(GLOB_RECURSE bf_test_srcs
+    ${CMAKE_SOURCE_DIR}/tests/*.h               ${CMAKE_SOURCE_DIR}/tests/*.c
+)
+set(bf_all_srcs ${bf_srcs} ${bf_test_srcs})
+
 add_test(NAME "check.lint"
     COMMAND
         ${CLANG_TIDY_BIN}
@@ -40,7 +44,8 @@ add_test(NAME "check.checkstyle"
         ${CLANG_FORMAT_BIN}
             --style=file:${CMAKE_SOURCE_DIR}/.clang-format
             --dry-run
-            ${bf_srcs}
+            --Werror
+            ${bf_all_srcs}
 )
 
 set_tests_properties("check.checkstyle" PROPERTIES
@@ -52,7 +57,7 @@ add_custom_target(fixstyle
         ${CLANG_FORMAT_BIN}
             --style=file:${CMAKE_SOURCE_DIR}/.clang-format
             -i
-            ${bf_srcs}
+            ${bf_all_srcs}
     COMMENT "Fixing style for all the source files"
 )
 

@@ -172,16 +172,18 @@ int do_in(const struct st_opts *opts)
             if (r == 0)
                 break;
             if (errno != ECONNREFUSED && errno != ENOENT)
-                return bf_err_r(errno, "do_in: failed to connect to socket at %s",
+                return bf_err_r(errno,
+                                "do_in: failed to connect to socket at %s",
                                 opts->socket_path);
             usleep(interval_ms * 1000);
             elapsed_ms += interval_ms;
         }
 
         if (r < 0)
-            return bf_err_r(errno,
-                            "do_in: failed to connect to socket at %s after %d seconds",
-                            opts->socket_path, timeout_ms / 1000);
+            return bf_err_r(
+                errno,
+                "do_in: failed to connect to socket at %s after %d seconds",
+                opts->socket_path, timeout_ms / 1000);
     }
 
     /**

@@ -19,6 +19,7 @@
 #include <bpfilter/rule.h>
 #include <bpfilter/set.h>
 #include <bpfilter/verdict.h>
+
 #include "bpfilter/hook.h"
 
 static int _bft_list_dummy_pack(const void *data, bf_wpack_t *pack)
@@ -88,8 +89,8 @@ struct bf_chain *bft_chain_dummy(bool with_rules)
     uint32_t id = 0;
     int r;
 
-    r = bf_chain_new(&chain, "bft_chain_dummy", BF_HOOK_TC_EGRESS, BF_VERDICT_ACCEPT,
-                     NULL, NULL);
+    r = bf_chain_new(&chain, "bft_chain_dummy", BF_HOOK_TC_EGRESS,
+                     BF_VERDICT_ACCEPT, NULL, NULL);
     if (r)
         return NULL;
 
@@ -106,16 +107,19 @@ struct bf_chain *bft_chain_dummy(bool with_rules)
                 return NULL;
 
             id = 0;
-            r = bf_rule_add_matcher(rule, BF_MATCHER_SET, BF_MATCHER_IN, &id, sizeof(id));
+            r = bf_rule_add_matcher(rule, BF_MATCHER_SET, BF_MATCHER_IN, &id,
+                                    sizeof(id));
             if (r)
                 return NULL;
 
-            r = bf_rule_add_matcher(rule, BF_MATCHER_IP4_DADDR, BF_MATCHER_EQ, &ip, sizeof(ip));
+            r = bf_rule_add_matcher(rule, BF_MATCHER_IP4_DADDR, BF_MATCHER_EQ,
+                                    &ip, sizeof(ip));
             if (r)
                 return NULL;
 
             ++id;
-            r = bf_rule_add_matcher(rule, BF_MATCHER_SET, BF_MATCHER_IN, &id, sizeof(id));
+            r = bf_rule_add_matcher(rule, BF_MATCHER_SET, BF_MATCHER_IN, &id,
+                                    sizeof(id));
             if (r)
                 return NULL;
 
@@ -155,7 +159,8 @@ struct bf_chain *bft_chain_dummy(bool with_rules)
                 return NULL;
 
             ++id;
-            r = bf_rule_add_matcher(rule, BF_MATCHER_SET, BF_MATCHER_IN, &id, sizeof(id));
+            r = bf_rule_add_matcher(rule, BF_MATCHER_SET, BF_MATCHER_IN, &id,
+                                    sizeof(id));
             if (r)
                 return NULL;
 

@@ -19,8 +19,7 @@ int isatty(int fd)
     if (!real) {
         real = dlsym(RTLD_NEXT, "isatty");
         if (!real) {
-            (void)fprintf(stderr,
-                          "failed to locate real function for isatty");
+            (void)fprintf(stderr, "failed to locate real function for isatty");
             exit(1);
         }
     }

@@ -24,8 +24,7 @@ int setns(int fd, int nstype)
     if (!real) {
         real = dlsym(RTLD_NEXT, "setns");
         if (!real) {
-            (void)fprintf(stderr,
-                          "failed to locate real function for setns\n");
+            (void)fprintf(stderr, "failed to locate real function for setns\n");
             exit(1);
         }
     }

@@ -4,13 +4,14 @@
  */
 
 #define _GNU_SOURCE
+#include <linux/bpf.h>
+
 #include <dlfcn.h>
 #include <errno.h>
-#include <linux/bpf.h>
 #include <stdarg.h>
+#include <stdatomic.h>
 #include <stdio.h>
 #include <stdlib.h>
-#include <stdatomic.h>
 #include <sys/syscall.h>
 #include <unistd.h>
 

@@ -10,10 +10,10 @@
 
 #include <bpfilter/chain.h>
 #include <bpfilter/counter.h>
+#include <bpfilter/helper.h>
 #include <bpfilter/matcher.h>
 #include <bpfilter/rule.h>
 #include <bpfilter/set.h>
-#include <bpfilter/helper.h>
 
 #include "bpfilter/list.h"
 
@@ -241,11 +241,15 @@ bool bft_set_eq(const struct bf_set *lhs, const struct bf_set *rhs)
     n0 = bf_list_get_head(&lhs->elems);
     n1 = bf_list_get_head(&rhs->elems);
     for (; n0 || n1; n0 = bf_list_node_next(n0), n1 = bf_list_node_next(n1)) {
-        if (0 != memcmp(bf_list_node_get_data(n0), bf_list_node_get_data(n1), lhs->elem_size))
+        if (0 != memcmp(bf_list_node_get_data(n0), bf_list_node_get_data(n1),
+                        lhs->elem_size))
             return false;
     }
 
-    return bf_streq(lhs->name, rhs->name) && lhs->n_comps == rhs->n_comps && 0 == memcmp(lhs->key, rhs->key, sizeof(enum bf_matcher_type) * lhs->n_comps) && lhs->use_trie == rhs->use_trie;
+    return bf_streq(lhs->name, rhs->name) && lhs->n_comps == rhs->n_comps &&
+           0 == memcmp(lhs->key, rhs->key,
+                       sizeof(enum bf_matcher_type) * lhs->n_comps) &&
+           lhs->use_trie == rhs->use_trie;
 }
 
 bool bft_chain_equal(const struct bf_chain *chain0,

@@ -64,8 +64,8 @@ static void bpf_prog_load_success(void **state)
 
     // Return fd 10
     bft_mock_syscall_set_retval(10);
-    r = bf_bpf_prog_load("test_prog", BF_BPF_PROG_TYPE_XDP, img, 1,
-                         BF_BPF_XDP, NULL, 0, -1, &fd);
+    r = bf_bpf_prog_load("test_prog", BF_BPF_PROG_TYPE_XDP, img, 1, BF_BPF_XDP,
+                         NULL, 0, -1, &fd);
     assert_ok(r);
     assert_int_equal(fd, 10);
 }
@@ -83,8 +83,8 @@ static void bpf_prog_load_failure(void **state)
 
     // Return error
     bft_mock_syscall_set_retval(-EINVAL);
-    r = bf_bpf_prog_load("test_prog", BF_BPF_PROG_TYPE_XDP, img, 1,
-                         BF_BPF_XDP, NULL, 0, -1, &fd);
+    r = bf_bpf_prog_load("test_prog", BF_BPF_PROG_TYPE_XDP, img, 1, BF_BPF_XDP,
+                         NULL, 0, -1, &fd);
     assert_err(r);
     assert_int_equal(fd, -1); // fd unchanged on error
 }
@@ -102,8 +102,8 @@ static void bpf_prog_load_with_token(void **state)
 
     // Test with token_fd
     bft_mock_syscall_set_retval(15);
-    r = bf_bpf_prog_load("test_prog", BF_BPF_PROG_TYPE_XDP, img, 1,
-                         BF_BPF_XDP, NULL, 0, 5, &fd);
+    r = bf_bpf_prog_load("test_prog", BF_BPF_PROG_TYPE_XDP, img, 1, BF_BPF_XDP,
+                         NULL, 0, 5, &fd);
     assert_ok(r);
     assert_int_equal(fd, 15);
 }
@@ -334,8 +334,8 @@ static void bpf_map_create_lpm_trie(void **state)
 
     // LPM_TRIE sets BPF_F_NO_PREALLOC flag
     bft_mock_syscall_set_retval(101);
-    r = bf_bpf_map_create("test_lpm", BF_BPF_MAP_TYPE_LPM_TRIE, 8, 8, 1024, NULL,
-                          -1);
+    r = bf_bpf_map_create("test_lpm", BF_BPF_MAP_TYPE_LPM_TRIE, 8, 8, 1024,
+                          NULL, -1);
     assert_int_equal(r, 101);
 }
 
@@ -349,7 +349,8 @@ static void bpf_map_create_with_token(void **state)
     (void)mock;
 
     bft_mock_syscall_set_retval(102);
-    r = bf_bpf_map_create("test_map", BF_BPF_MAP_TYPE_ARRAY, 4, 8, 100, NULL, 5);
+    r = bf_bpf_map_create("test_map", BF_BPF_MAP_TYPE_ARRAY, 4, 8, 100, NULL,
+                          5);
     assert_int_equal(r, 102);
 }
 

@@ -77,19 +77,25 @@ static void get_set_from_matcher(void **state)
 {
     _free_bf_chain_ struct bf_chain *chain = bft_chain_dummy(true);
     struct bf_rule *r0 = bf_list_node_get_data(bf_list_get_head(&chain->rules));
-    struct bf_matcher *r0_m0 = bf_list_node_get_data(bf_list_get_head(&r0->matchers));
-    struct bf_matcher *r0_m2 = bf_list_node_get_data(bf_list_get_tail(&r0->matchers));
+    struct bf_matcher *r0_m0 =
+        bf_list_node_get_data(bf_list_get_head(&r0->matchers));
+    struct bf_matcher *r0_m2 =
+        bf_list_node_get_data(bf_list_get_tail(&r0->matchers));
 
-    struct bf_rule *r1 = bf_list_node_get_data(bf_list_node_next(bf_list_get_head(&chain->rules)));
-    struct bf_matcher *r1_m0 = bf_list_node_get_data(bf_list_get_head(&r1->matchers));
+    struct bf_rule *r1 = bf_list_node_get_data(
+        bf_list_node_next(bf_list_get_head(&chain->rules)));
+    struct bf_matcher *r1_m0 =
+        bf_list_node_get_data(bf_list_get_head(&r1->matchers));
 
     struct bf_rule *r5 = bf_list_node_get_data(bf_list_get_tail(&chain->rules));
-    struct bf_matcher *r5_m0 = bf_list_node_get_data(bf_list_get_head(&r5->matchers));
+    struct bf_matcher *r5_m0 =
+        bf_list_node_get_data(bf_list_get_head(&r5->matchers));
 
     struct bf_list_node *snode = bf_list_get_head(&chain->sets);
     struct bf_set *set0 = bf_list_node_get_data(snode);
     struct bf_set *set1 = bf_list_node_get_data(bf_list_node_next(snode));
-    struct bf_set *set2 = bf_list_node_get_data(bf_list_node_next(bf_list_node_next(snode)));
+    struct bf_set *set2 =
+        bf_list_node_get_data(bf_list_node_next(bf_list_node_next(snode)));
 
     (void)state;
 
@@ -117,18 +123,18 @@ static void mixed_enabled_disabled_log_flag(void **state)
     set_index = 0;
     assert_ok(bf_rule_new(&r0));
     r0->log = 1;
-    assert_ok(bf_rule_add_matcher(r0, BF_MATCHER_SET, BF_MATCHER_IN,
-                                  &set_index, sizeof(set_index)));
+    assert_ok(bf_rule_add_matcher(r0, BF_MATCHER_SET, BF_MATCHER_IN, &set_index,
+                                  sizeof(set_index)));
     assert_ok(bf_list_add_tail(&rules, r0));
 
     set_index = 1;
     assert_ok(bf_rule_new(&r1));
-    assert_ok(bf_rule_add_matcher(r1, BF_MATCHER_SET, BF_MATCHER_IN,
-                                  &set_index, sizeof(set_index)));
+    assert_ok(bf_rule_add_matcher(r1, BF_MATCHER_SET, BF_MATCHER_IN, &set_index,
+                                  sizeof(set_index)));
     assert_ok(bf_list_add_tail(&rules, r1));
 
-    assert_ok(bf_chain_new(&chain, "test", BF_HOOK_TC_EGRESS,
-                           BF_VERDICT_ACCEPT, &sets, &rules));
+    assert_ok(bf_chain_new(&chain, "test", BF_HOOK_TC_EGRESS, BF_VERDICT_ACCEPT,
+                           &sets, &rules));
 
     assert_true(r0->disabled);
     assert_false(r1->disabled);

@@ -3,10 +3,9 @@
  * Copyright (c) 2023 Meta Platforms, Inc. and affiliates.
  */
 
-#include <bpfilter/bpfilter.h>
-
 #include <errno.h>
 
+#include <bpfilter/bpfilter.h>
 #include <bpfilter/chain.h>
 #include <bpfilter/counter.h>
 #include <bpfilter/hook.h>
@@ -151,16 +150,11 @@ static void chain_flush(void **state)
 int main(void)
 {
     const struct CMUnitTest tests[] = {
-        cmocka_unit_test(ruleset_get),
-        cmocka_unit_test(ruleset_set),
-        cmocka_unit_test(ruleset_flush),
-        cmocka_unit_test(chain_set),
-        cmocka_unit_test(chain_get),
-        cmocka_unit_test(chain_prog_fd),
-        cmocka_unit_test(chain_logs_fd),
-        cmocka_unit_test(chain_load),
-        cmocka_unit_test(chain_attach),
-        cmocka_unit_test(chain_update),
+        cmocka_unit_test(ruleset_get),   cmocka_unit_test(ruleset_set),
+        cmocka_unit_test(ruleset_flush), cmocka_unit_test(chain_set),
+        cmocka_unit_test(chain_get),     cmocka_unit_test(chain_prog_fd),
+        cmocka_unit_test(chain_logs_fd), cmocka_unit_test(chain_load),
+        cmocka_unit_test(chain_attach),  cmocka_unit_test(chain_update),
         cmocka_unit_test(chain_flush),
     };
 

@@ -3,10 +3,10 @@
  * Copyright (c) 2023 Meta Platforms, Inc. and affiliates.
  */
 
-#include <bpfilter/hook.h>
-
 #include <sys/socket.h>
 
+#include <bpfilter/hook.h>
+
 #include "bpfilter/dump.h"
 #include "bpfilter/list.h"
 #include "bpfilter/pack.h"
@@ -35,8 +35,8 @@ static void hook_from_str(void **state)
 {
     (void)state;
 
-    assert_enum_to_from_str(enum bf_hook, bf_hook_to_str, bf_hook_from_str, BF_HOOK_XDP,
-                            _BF_HOOK_MAX);
+    assert_enum_to_from_str(enum bf_hook, bf_hook_to_str, bf_hook_from_str,
+                            BF_HOOK_XDP, _BF_HOOK_MAX);
 }
 
 static void hook_to_flavor(void **state)

@@ -3,13 +3,13 @@
  * Copyright (c) 2023 Meta Platforms, Inc. and affiliates.
  */
 
-#include <bpfilter/bpfilter.h>
-
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 
 #include <string.h>
 
+#include <bpfilter/bpfilter.h>
+
 #include "fake.h"
 #include "test.h"