Re: [PATCH v7 5/6] net: ipv4, ipv6: run cgroup eBPF egress programs

2016-11-01 Thread Daniel Borkmann
On 10/31/2016 05:40 PM, David Miller wrote: From: Daniel Mack Date: Tue, 25 Oct 2016 12:14:13 +0200 @@ -312,6 +314,13 @@ int ip_mc_output(struct net *net, struct sock *sk, struct sk_buff *skb) skb->dev = dev; skb->protocol = htons(ETH_P_IP); + ret =

Re: [PATCH v7 5/6] net: ipv4, ipv6: run cgroup eBPF egress programs

2016-10-31 Thread David Miller
From: Daniel Mack Date: Tue, 25 Oct 2016 12:14:13 +0200 > @@ -312,6 +314,13 @@ int ip_mc_output(struct net *net, struct sock *sk, > struct sk_buff *skb) > skb->dev = dev; > skb->protocol = htons(ETH_P_IP); > > + ret = cgroup_bpf_run_filter(sk_to_full_sk(sk),
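Review bot: The `cgroup_bpf_run_filter(sk_to_full_sk(sk),` call added to ip_mc_output() runs on the output path with the socket that owns the outgoing skb, yet the commit message describes the cgroup of the "receiving socket". For an egress hook the changelog should name the sending socket. A one-line comment at the call site saying why sk_to_full_sk() is needed would also help, since the reason is not evident from the hunk.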

[PATCH v7 5/6] net: ipv4, ipv6: run cgroup eBPF egress programs

2016-10-25 Thread Daniel Mack
If the cgroup associated with the receiving socket has eBPF programs installed, run them from ip_output(), ip6_output() and ip_mc_output(). eBPF programs used in this context are expected to either return 1 to let the packet pass, or != 1 to drop it. The programs have access to the skb