On Fri, Oct 27, 2017 at 09:45:53AM -0700, John Fastabend wrote:
> Recent additions to support multiple programs in cgroups impose
> a strict requirement, "all yes is yes, any no is no". To enforce
> this the infrastructure requires the 'no' return code, SK_DROP in
> this case, to be 0.
> 
> To apply these rules to SK_SKB program types the sk_actions return
> codes need to be adjusted.
> 
> This fix adds SK_PASS and makes 'SK_DROP = 0'. Finally, remove
> SK_ABORTED to remove any chance that the API may allow aborted
> program flows to be passed up the stack. This would be incorrect
> behavior and allow programs to break existing policies.
> 
> Signed-off-by: John Fastabend <john.fastab...@gmail.com>

Acked-by: Alexei Starovoitov <a...@kernel.org>

Reply via email to