From: David Ahern <dsa@cumulusnetworks.com>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>,
Daniel Borkmann <daniel@iogearbox.net>
Cc: netdev@vger.kernel.org, daniel@zonque.org, ast@fb.com
Subject: Re: [PATCH net-next 2/3] bpf: Add new cgroups prog type to enable sock modifications
Date: Tue, 25 Oct 2016 20:38:48 -0600
Message-ID: <c19dfdf7-425d-cf47-6afc-c9433cbc06cf@cumulusnetworks.com>
In-Reply-To: <20161026015544.GA35758@ast-mbp.thefacebook.com>

On 10/25/16 7:55 PM, Alexei Starovoitov wrote:
> Same question as Daniel... why extra helper?

It can be dropped. Wrong path while learning this code.

> If program overwrites bpf_sock->sk_bound_dev_if can we use that
> after program returns?
> Also do you think it's possible to extend this patch to prototype
> the port bind restrictions that were proposed a few months back using
> the same bpf_sock input structure?
> Probably the check would need to be moved into different
> place instead of sk_alloc(), but then we'll have more
> opportunities to overwrite bound_dev_if, look at ports and so on?
>

I think the sk_bound_dev_if should be set when the socket is created versus waiting until it is used (bind, connect, sendmsg, recvmsg). That said, the filter could (should?) be run in the protocol family create function (inet_create and inet6_create) versus sk_alloc. That would allow the filter to allocate a local port based on its logic. I'd prefer interested parties to look into the details of that use case.

I'll move the running of the filter to the end of the create functions for v2.