On Fri, Oct 27, 2017 at 09:45:53AM -0700, John Fastabend wrote:
> Recent additions to support multiple programs in cgroups impose
> a strict requirement, "all yes is yes, any no is no". To enforce
> this the infrastructure requires the 'no' return code, SK_DROP in
> this case, to be 0.
>
> To apply these rules to SK_SKB program types the sk_actions return
> codes need to be adjusted.
>
> This fix adds SK_PASS and makes 'SK_DROP = 0'. Finally, remove
> SK_ABORTED to remove any chance that the API may allow aborted
> program flows to be passed up the stack. This would be incorrect
> behavior and allow programs to break existing policies.
>
> Signed-off-by: John Fastabend <john.fastab...@gmail.com>

Acked-by: Alexei Starovoitov <a...@kernel.org>