Re: [PATCH bpf-next v7 3/7] bpf: add bpf_icmp_send kfunc

[Mahe Tardy <mahe.tardy@gmail.com>]

On Thu, May 28, 2026 at 03:55:21PM -0700, Jordan Rife wrote:
> On Tue, May 26, 2026 at 03:37:04PM +0000, Mahe Tardy wrote:
> > [...]
> > +__bpf_kfunc int bpf_icmp_send(struct __sk_buff *skb_ctx, int type, int code)
> > +{
> > +	struct sk_buff *skb = (struct sk_buff *)skb_ctx;
> > +	struct sk_buff *nskb;
> > +	struct sock *sk;
> > +
> > +	sk = skb_to_full_sk(skb);
> > +	if (sk && sk->sk_kern_sock &&
> 
> Won't this prevent the kfunc from working for traffic emitted from
> kernel sockets like those used by NFS/SMB mounts? I can imagine there
> being a legitimate use case where you'd want those kind of connections
> to fail fast as well by emitting ICMP*_DEST_UNREACH.

I don't know much about NFS/SMB but I'd expect them to use UDP or TCP
for their transport protocol, so the second half of the condition check:

> > +	    (sk->sk_protocol == IPPROTO_ICMP || sk->sk_protocol == IPPROTO_ICMPV6))
> > +		return -EBUSY;

should fail. Meaning that this should be suitable for it.

The goal here was to identify the ICMP kernel sockets, I think this way
should be precise enough and does not require new code. The other more
precise ways we thought about initially were more invasive:
- exposing ipv4_icmp_sk out of net/ipv4/icmp.c to compare the pointer:
  not clean as other part of the code could reuse those sockets.
- expose a helper like is_kernel_icmp_socket from net/ipv4/icmp.c to be
  used in net/core/filter.c: new exported functions.

> > +
> > [...]