David Ahern <d...@cumulusnetworks.com> writes:

> In cases where bpf programs are looking at sockets and packets
> that belong to different netns, it could be useful to compare the
> network namespace of the socket or packet.
>
> Introduce bpf_sk_netns_cmp and bpf_skb_netns_cmp helpers to compare
> the network namespace of the socket or skb to the namespace parameters
> in a program.
The code for bpf_sk_netns_cmp looks good.

I don't feel comfortable with bpf_skb_netns_cmp. There are two issues:

(a) skb->dev is not reliably set and does not have reliable semantics in different parts of the network stack, which makes bpf_skb_netns_cmp not work reliably for output packets, for example.

(b) Every path that processes a network packet in the network stack now has a struct net passed in the function arguments, either directly or in a function that is passed through, making it unambiguous and simple to get the struct net.

So I recommend a function bpf_context_cmp, which looks at the net passed into the bpf filter of skbs. That should be 100% reliable and quite straightforward to implement today.

Eric