On 9/19/16 10:43 AM, Daniel Mack wrote:
> This is v6 of the patch set to allow eBPF programs for network
> filtering and accounting to be attached to cgroups, so that they apply
> to all sockets of all tasks placed in that cgroup. The logic also
> allows to be extendeded for other cgroup based eBPF logic.
>
>
> Changes from v5:
>
> * The eBPF programs now operate on L3 rather than on L2 of the packets,
> and the egress hooks were moved from __dev_queue_xmit() to
> ip*_output().
>
> * For BPF_PROG_TYPE_CGROUP_SOCKET, disallow direct access to the skb
> through BPF_LD_[ABS|IND] instructions, but hook up the
> bpf_skb_load_bytes() access helper instead. Thanks to Daniel Borkmann
> for the help.
It's been a month since the last response or update to this series. Any
progress in resolving the resistance to hook locations?
As I mentioned in Tokyo I need a solution for VRF that allows running processes
in a VRF context -- meaning a process inherits a default sk_bound_dev_if for
any AF_INET{6} sockets opened. Right now we (Cumulus) are using an l3mdev
cgroup, something that Tejun pushed back on earlier this year. I strongly
believe that cgroups provide the right infrastructure for this feature and
looking at options. I'm sure a few people will chuckle about this, but I do
have another solution that leverages this patchset -- a bpf program on a cgroup
that sets sk_bound_dev_if. So, what's the likelihood of this patchset making
4.10 (or any other release)?
Thanks,
David
