Hi Alexei, On 08/27/2016 02:03 AM, Alexei Starovoitov wrote: > On Fri, Aug 26, 2016 at 09:58:48PM +0200, Daniel Mack wrote: >> This patch adds two sets of eBPF program pointers to struct cgroup. >> One for such that are directly pinned to a cgroup, and one for such >> that are effective for it. >> >> To illustrate the logic behind that, assume the following example >> cgroup hierarchy. >> >> A - B - C >> \ D - E >> >> If only B has a program attached, it will be effective for B, C, D >> and E. If D then attaches a program itself, that will be effective for >> both D and E, and the program in B will only affect B and C. Only one >> program of a given type is effective for a cgroup. >> >> Attaching and detaching programs will be done through the bpf(2) >> syscall. For now, ingress and egress inet socket filtering are the >> only supported use-cases. >> >> Signed-off-by: Daniel Mack <dan...@zonque.org> > ... >> + css_for_each_descendant_pre(pos, &cgrp->self) { >> + struct cgroup *desc = container_of(pos, struct cgroup, self); >> + >> + /* skip the subtree if the descendant has its own program */ >> + if (desc->bpf.prog[type] && desc != cgrp) > > is desc != cgrp really needed? > I thought css_for_each_descendant_pre() shouldn't walk itself > or I'm missing how it works.
Hmm, no - that check is necessary in my tests, and also according to the documentation: /** * css_for_each_descendant_pre - pre-order walk of a css's descendants * @pos: the css * to use as the loop cursor * @root: css whose descendants to walk * * Walk @root's descendants. @root is included in the iteration and the * first node to be visited. Must be called under rcu_read_lock(). * Daniel