On 11/30/2016 05:10 PM, Thomas Graf wrote:
Registers new BPF program types which correspond to the LWT hooks:
 - BPF_PROG_TYPE_LWT_IN   => dst_input()
 - BPF_PROG_TYPE_LWT_OUT  => dst_output()
 - BPF_PROG_TYPE_LWT_XMIT => lwtunnel_xmit()

The separate program types are required to differentiate between the capabilities each LWT hook allows:

 * Programs attached to dst_input() or dst_output() are restricted and may only read the data of an skb. This prevents modification and possible invalidation of already validated packet headers on receive and the construction of illegal headers while the IP headers are still being assembled.

 * Programs attached to lwtunnel_xmit() are allowed to modify packet content as well as prepending an L2 header via a newly introduced helper bpf_skb_change_head(). This is safe as lwtunnel_xmit() is invoked after the IP header has been assembled completely.
[...]
Signed-off-by: Thomas Graf <[email protected]>
LGTM AFAICT, so:

Acked-by: Daniel Borkmann <[email protected]>

For the verifier change in may_access_direct_pkt_data(), would be great if you could later on follow up with a selftest-suite case, one where a BPF_PROG_TYPE_LWT_IN/OUT prog tries to write and fails, and one where a BPF_PROG_TYPE_LWT_IN/OUT prog uses pkt data to pass to helpers, for example, so that we can keep testing it when future changes in that area are made.

Thanks.
