From: Pablo Neira Ayuso <pablo-Cap9r6Oaw4JrovVCs/uTlw@public•gmane.org>
To: Daniel Mack <daniel-cYrQPVfZoowdnm+yROfE0A@public•gmane.org>
Cc: htejun-b10kYP2dOMg@public•gmane.org,
daniel-FeC+5ew28dpmcu3hnIyYJQ@public•gmane.org,
ast-b10kYP2dOMg@public•gmane.org,
davem-fT/PcQaiUtIeIZ0/mPfg9Q@public•gmane.org,
kafai-b10kYP2dOMg@public•gmane.org,
fw-HFFVJYpyMKqzQB+pC5nmwQ@public•gmane.org,
harald-H+wXaHxf7aLQT0dZR+AlfA@public•gmane.org,
netdev-u79uwXL29TY76Z2rM5mHXA@public•gmane.org,
sargun-GaZTRHToo+CzQB+pC5nmwQ@public•gmane.org,
cgroups-u79uwXL29TY76Z2rM5mHXA@public•gmane.org
Subject: Re: [PATCH v8 5/6] net: ipv4, ipv6: run cgroup eBPF egress programs
Date: Fri, 18 Nov 2016 13:37:32 +0100
Message-ID: <20161118123732.GA10400@salvia>
In-Reply-To: <1479407229-14861-6-git-send-email-daniel-cYrQPVfZoowdnm+yROfE0A@public.gmane.org>
On Thu, Nov 17, 2016 at 07:27:08PM +0100, Daniel Mack wrote:
[...]
> @@ -312,6 +314,12 @@ int ip_mc_output(struct net *net, struct sock *sk, struct sk_buff *skb)
> skb->dev = dev;
> skb->protocol = htons(ETH_P_IP);
>
> + ret = BPF_CGROUP_RUN_PROG_INET_EGRESS(sk, skb);
> + if (ret) {
> + kfree_skb(skb);
> + return ret;
> + }
> +
> /*
> * Multicasts are looped back for other local users
> */
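Review bot: In ip_mc_output() the new check sits above the "Multicasts are looped back for other local users" comment, so a non-zero return from BPF_CGROUP_RUN_PROG_INET_EGRESS() frees the skb before the loopback handling that follows, and local listeners never see the packet. If that is intended, a short comment above `ret = BPF_CGROUP_RUN_PROG_INET_EGRESS(sk, skb);` should say so. `ret` is also handed straight back to the caller of ip_mc_output(), so the values the macro can return should be documented.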
> @@ -364,12 +372,19 @@ int ip_mc_output(struct net *net, struct sock *sk, struct sk_buff *skb)
> int ip_output(struct net *net, struct sock *sk, struct sk_buff *skb)
> {
> struct net_device *dev = skb_dst(skb)->dev;
> + int ret;
>
> IP_UPD_PO_STATS(net, IPSTATS_MIB_OUT, skb->len);
>
> skb->dev = dev;
> skb->protocol = htons(ETH_P_IP);
>
> + ret = BPF_CGROUP_RUN_PROG_INET_EGRESS(sk, skb);
> + if (ret) {
> + kfree_skb(skb);
> + return ret;
> + }
> +
> return NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING,
> net, sk, skb, NULL, dev,
> ip_finish_output,
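Review bot: In ip_output() the call IP_UPD_PO_STATS(net, IPSTATS_MIB_OUT, skb->len) runs before the new `if (ret)` branch, so a packet rejected by the cgroup program is still counted as output and the kfree_skb() drop is not accounted for anywhere visible in this hunk. Consider running the check before the statistics update or bumping a discard counter in the drop path. The same five-line block also appears in ip_mc_output(); a small shared helper would keep the two drop paths in sync.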
Please, place this after the netfilter hook.
Since this new hook may mangle output packets, any mangling
potentially interferes and breaks conntrack.
Thank you.