On 11/30/2016 05:10 PM, Thomas Graf wrote:
Registers new BPF program types which correspond to the LWT hooks:
   - BPF_PROG_TYPE_LWT_IN   => dst_input()
   - BPF_PROG_TYPE_LWT_OUT  => dst_output()
   - BPF_PROG_TYPE_LWT_XMIT => lwtunnel_xmit()

The separate program types are required to differentiate between the
capabilities each LWT hook allows:

  * Programs attached to dst_input() or dst_output() are restricted and
    may only read the data of an skb. This prevent modification and
    possible invalidation of already validated packet headers on receive
    and the construction of illegal headers while the IP headers are
    still being assembled.

  * Programs attached to lwtunnel_xmit() are allowed to modify packet
    content as well as prepending an L2 header via a newly introduced
    helper bpf_skb_change_head(). This is safe as lwtunnel_xmit() is
    invoked after the IP header has been assembled completely.

Signed-off-by: Thomas Graf <tg...@suug.ch>


Acked-by: Daniel Borkmann <dan...@iogearbox.net>

For the verifier change in may_access_direct_pkt_data(), would be
great if you could later on follow up with a selftest-suite case,
one where BPF_PROG_TYPE_LWT_IN/OUT prog tries to write and fails,
and one where BPF_PROG_TYPE_LWT_IN/OUT prog uses pkt data to pass
to helpers, for example, so that we can keep testing it when future
changes in that area are made. Thanks.

Reply via email to