On 10/18/18 5:14 PM, Daniel Borkmann wrote: >> + case bpf_ctx_range(struct __sk_buff, data_meta): >> + case bpf_ctx_range(struct __sk_buff, flow_keys): >> + return false; > ... if it's disallowed anyway (disallowing it is the right thing to do, > but no need to save/restore then..)? >
that's a good point. why shouldn't we allow cg_skb to access data_meta? xdp can set it and cgroup_skb_ingress will consume it here.
