On 08/30/2016 12:14 AM, Daniel Borkmann wrote: > On 08/26/2016 09:58 PM, Daniel Mack wrote: >> For now, this program type is equivalent to BPF_PROG_TYPE_SOCKET_FILTER in >> terms of checks during the verification process. It may access the skb as >> well. >> >> Programs of this type will be attached to cgroups for network filtering >> and accounting. >> >> Signed-off-by: Daniel Mack <dan...@zonque.org> >> --- >> include/uapi/linux/bpf.h | 7 +++++++ >> kernel/bpf/verifier.c | 1 + >> net/core/filter.c | 6 ++++++ >> 3 files changed, 14 insertions(+) >> >> diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h >> index e4c5a1b..1d5db42 100644 >> --- a/include/uapi/linux/bpf.h >> +++ b/include/uapi/linux/bpf.h >> @@ -95,6 +95,13 @@ enum bpf_prog_type { >> BPF_PROG_TYPE_SCHED_ACT, >> BPF_PROG_TYPE_TRACEPOINT, >> BPF_PROG_TYPE_XDP, >> + BPF_PROG_TYPE_CGROUP_SOCKET_FILTER, >> +}; > > Nit: can we drop the _FILTER suffix? So just leaving it > at BPF_PROG_TYPE_CGROUP_SOCKET. Some of these use cases > might not always strictly be related to filtering, so > seems cleaner to just leave it out everywhere. > >> + >> +enum bpf_attach_type { >> + BPF_ATTACH_TYPE_CGROUP_INET_INGRESS, >> + BPF_ATTACH_TYPE_CGROUP_INET_EGRESS, >> + __MAX_BPF_ATTACH_TYPE >> }; > > #define BPF_MAX_ATTACH_TYPE __BPF_MAX_ATTACH_TYPE > > And then use that in your follow-up patches for declaring > arrays, etc?
Agreed, will change. Thanks, Daniel
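Review bot: In the new enum bpf_attach_type at the end of the bpf.h hunk, the sentinel is spelled __MAX_BPF_ATTACH_TYPE, while the define proposed in the reply refers to __BPF_MAX_ATTACH_TYPE; settle on one spelling so the macro resolves when it is added. Since this is a uapi header and the sentinel is meant to size arrays in the follow-up patches, a short comment on the enum saying that the last entry is a count and not a valid attach type would help. Any attach type supplied from user space should be rejected when it is >= that bound before it is used as an array index.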