path: root/net/ipv6/tcp_ipv6.c
author: Daniel Mack <daniel@zonque.org> 2016-11-23 16:52:29 +0100
committer: Michael Bestas <mkbestas@lineageos.org> 2022-04-19 00:51:53 +0300
commit: c6da67a69b16e2f7ad9127b5f047d10b3c8a20b3
tree: 98651b73b24bcc0c4e59c6f2a8d30e1d59373818 /net/ipv6/tcp_ipv6.c
parent: d44772d020418d6fae7307b10f240b79e44360c1
net: ipv4, ipv6: run cgroup eBPF egress programs

If the cgroup associated with the receiving socket has eBPF programs installed, run them from ip_output(), ip6_output() and ip_mc_output(). From mentioned functions we have two socket contexts as per 7026b1ddb6b8 ("netfilter: Pass socket pointer down through okfn()."). We explicitly need to use sk instead of skb->sk here, since otherwise the same program would run multiple times on egress when encap devices are involved, which is not desired in our case.

eBPF programs used in this context are expected to either return 1 to let the packet pass, or != 1 to drop them. The programs have access to the skb through bpf_skb_load_bytes(), and the payload starts at the network headers (L3).

Note that cgroup_bpf_run_filter() is stubbed out as static inline nop for !CONFIG_CGROUP_BPF, and is otherwise guarded by a static key if the feature is unused.

Signed-off-by: Daniel Mack <daniel@zonque.org>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

Diffstat (limited to 'net/ipv6/tcp_ipv6.c')
0 files changed, 0 insertions, 0 deletions
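
A user-space C model of the verdict contract the commit message describes, added here as an example and not code from this commit or the kernel: the program reads the packet from the L3 header through a bounds-checked loader and returns 1 to pass, anything else to drop. The names `model_skb`, `model_load_bytes`, `egress_prog` and `verdict_for_ipv6_tcp`, and the port-23 policy, are hypothetical; the sample packets are constructed, and IPv6 extension headers are not walked.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space stand-in for what the program sees: data starts at the L3 header. */
struct model_skb { const uint8_t *data; size_t len; };

/* Hypothetical model of bpf_skb_load_bytes(): bounds-checked copy, 0 on success. */
static int model_load_bytes(const struct model_skb *skb, size_t off, void *to, size_t len)
{
    if (off > skb->len || len > skb->len - off)
        return -1;
    memcpy(to, skb->data + off, len);
    return 0;
}

/* Constructed policy: drop egress TCP to port 23. Returns 1 to pass, 0 to drop. */
static int egress_prog(const struct model_skb *skb)
{
    uint8_t vhl, proto, dport[2];
    size_t l4, proto_off;
    if (model_load_bytes(skb, 0, &vhl, 1) || ((vhl >> 4) != 4 && (vhl >> 4) != 6))
        return 0;                                         /* unreadable or not IP: fail closed */
    l4 = (vhl >> 4) == 4 ? (size_t)(vhl & 0x0f) * 4 : 40; /* IPv4 IHL, or fixed IPv6 header */
    proto_off = (vhl >> 4) == 4 ? 9 : 6;                  /* IPv4 protocol / IPv6 next header */
    if (l4 < 20 || model_load_bytes(skb, proto_off, &proto, 1))
        return 0;                                         /* bad IHL or truncated L3 header */
    if (proto != 6)
        return 1;                                         /* not TCP: outside this policy */
    if (model_load_bytes(skb, l4 + 2, dport, 2))
        return 0;                                         /* truncated TCP header */
    return ((dport[0] << 8) | dport[1]) == 23 ? 0 : 1;
}

/* Constructed sample: zeroed IPv6 + TCP headers, only the fields read above are set. */
static int verdict_for_ipv6_tcp(uint16_t dport, size_t len)
{
    uint8_t pkt[60] = {0};
    struct model_skb skb = { pkt, len };
    pkt[0] = 0x60; pkt[6] = 6; pkt[42] = (uint8_t)(dport >> 8); pkt[43] = (uint8_t)dport;
    return egress_prog(&skb);
}

int main(void)
{
    printf("port 443: %d, port 23: %d, truncated: %d\n", verdict_for_ipv6_tcp(443, 60),
           verdict_for_ipv6_tcp(23, 60), verdict_for_ipv6_tcp(23, 43));
    return 0;
}
```

The truncated case shows why the loader's return value has to be checked: a packet too short to hold the TCP ports is dropped rather than judged on bytes that were never read.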