On Tue, Nov 20, 2018 at 07:18:48PM -0500, Vlad Dumitrescu wrote:
> This could be used to rate limit egress traffic in concert with a qdisc
> which supports Earliest Departure Time, such as FQ.
>
> Signed-off-by: Vlad Dumitrescu <[email protected]>
> ---
> include/uapi/linux/bpf.h | 1 +
> net/core/filter.c | 26 +++++++++++++++++++++
> tools/include/uapi/linux/bpf.h | 1 +
> tools/testing/selftests/bpf/test_verifier.c | 4 ++++
> 4 files changed, 32 insertions(+)
>
> diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
> index c1554aa074659..23e2031a43d43 100644
> --- a/include/uapi/linux/bpf.h
> +++ b/include/uapi/linux/bpf.h
> @@ -2468,6 +2468,7 @@ struct __sk_buff {
>
> __u32 data_meta;
> struct bpf_flow_keys *flow_keys;
> + __u64 tstamp;
> };
>
> struct bpf_tunnel_key {
> diff --git a/net/core/filter.c b/net/core/filter.c
> index f6ca38a7d4332..c45155c8e519c 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -5573,6 +5573,10 @@ static bool bpf_skb_is_valid_access(int off, int size,
> enum bpf_access_type type
> if (size != sizeof(struct bpf_flow_keys *))
> return false;
> break;
> + case bpf_ctx_range(struct __sk_buff, tstamp):
> + if (size != sizeof(__u64))
> + return false;
> + break;
> default:
> /* Only narrow read access allowed for now. */
> if (type == BPF_WRITE) {
> @@ -5600,6 +5604,7 @@ static bool sk_filter_is_valid_access(int off, int size,
> case bpf_ctx_range(struct __sk_buff, data_end):
> case bpf_ctx_range(struct __sk_buff, flow_keys):
> case bpf_ctx_range_till(struct __sk_buff, family, local_port):
> + case bpf_ctx_range(struct __sk_buff, tstamp):
> return false;
> }
>
> @@ -5624,6 +5629,7 @@ static bool cg_skb_is_valid_access(int off, int size,
> case bpf_ctx_range(struct __sk_buff, tc_classid):
> case bpf_ctx_range(struct __sk_buff, data_meta):
> case bpf_ctx_range(struct __sk_buff, flow_keys):
> + case bpf_ctx_range(struct __sk_buff, tstamp):
> return false;
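Review bot: In the `struct __sk_buff` hunk of include/uapi/linux/bpf.h, the new `__u64 tstamp;` sits directly after the bare pointer `struct bpf_flow_keys *flow_keys;`, so its offset depends on the pointer width and 64-bit alignment rules of whoever compiles the header. A 32-bit build would likely place the field at a different offset than the 64-bit BPF target the programs are compiled for, in which case the `bpf_ctx_range(struct __sk_buff, tstamp)` checks added in net/core/filter.c would cover different bytes than the program actually accesses. Consider making the preceding pointer member a fixed 8 bytes (for example by wrapping it in an 8-byte-aligned union) before appending further fields, or at least record the assumption with a comment such as `/* tstamp offset assumes flow_keys occupies 8 bytes */`.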
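Review bot: The `tstamp` case added to bpf_skb_is_valid_access tests only `size != sizeof(__u64)` and never looks at `type`, so at this level an 8-byte store is accepted exactly like a load. The commit message ties the field to departure-time scheduling in FQ, so which program types may write it is a policy decision worth making visible. The quoted text shows only sk_filter and cg_skb refusing the field, and the diffstat lists more filter.c lines than are quoted, so the remaining per-type callbacks cannot be checked from here. I would add a comment on the case, e.g. `/* full 8-byte access only; write permission is decided by the per-program-type callbacks */`. The function body starts and ends outside the hunk.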
looks good to me. Any particular reason you decided to disable it for cg_skb? It seems to me the same EDT approach will work from cgroup-bpf skb hooks just as well, and then we can have a neat way of controlling traffic per-container instead of tc-clsbpf global. If you're already on cgroup v2 it will save you a lot of classifier cycles, since you'd be able to group apps by cgroup instead of relying on ip only.
