On 10/25/16 7:55 PM, Alexei Starovoitov wrote:
> Same question as Daniel... why extra helper?

It can be dropped. Wrong path while learning this code.

> If program overwrites bpf_sock->sk_bound_dev_if can we use that
> after program returns?
> Also do you think it's possible to extend this patch to prototype
> the port bind restrictions that were proposed a few months back using
> the same bpf_sock input structure?
> Probably the check would need to be moved into different
> place instead of sk_alloc(), but then we'll have more
> opportunities to overwrite bound_dev_if, look at ports and so on?
> 

I think the sk_bound_dev_if should be set when the socket is created versus 
waiting until it is used (bind, connect, sendmsg, recvmsg). That said, the 
filter could (should?) be run in the protocol family create function 
(inet_create and inet6_create) versus sk_alloc. That would allow the filter to 
allocate a local port based on its logic. I'd prefer interested parties to look 
into the details of that use case.

I'll move the running of the filter to the end of the create functions for v2.
