From mboxrd@z Thu Jan 1 00:00:00 1970
From: Daniel Borkmann
Subject: Re: [PATCH bpf-next 06/11] bpf: add bpf_skb_cgroup_id helper
Date: Tue, 29 May 2018 17:43:13 +0200
Message-ID: <2e119a52-5dc8-6236-1abb-900d9a8f4552@iogearbox.net>
References: <20180528004344.3606-1-daniel@iogearbox.net> <20180528004344.3606-7-daniel@iogearbox.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Cc: netdev@vger.kernel.org
To: Quentin Monnet , ast@kernel.org
Return-path:
Received: from www62.your-server.de ([213.133.104.62]:47920 "EHLO www62.your-server.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S934948AbeE2PnQ (ORCPT ); Tue, 29 May 2018 11:43:16 -0400
In-Reply-To:
Content-Language: en-US
Sender: netdev-owner@vger.kernel.org
List-ID:

On 05/29/2018 02:15 PM, Quentin Monnet wrote:
> Hi Daniel,
>
> 2018-05-28 02:43 UTC+0200 ~ Daniel Borkmann
>> Add a new bpf_skb_cgroup_id() helper that allows to retrieve the
>> cgroup id from the skb's socket. This is useful in particular to
>> enable bpf_get_cgroup_classid()-like behavior for cgroup v1 in
>> cgroup v2 by allowing ID based matching on egress. This can in
>> particular be used in combination with applying policy e.g. from
>> map lookups, and also complements the older bpf_skb_under_cgroup()
>> interface. In user space the cgroup id for a given path can be
>> retrieved through the f_handle as demonstrated in [0] recently.
>>
>> [0] https://lkml.org/lkml/2018/5/22/1190
>>
>> Signed-off-by: Daniel Borkmann
>> Acked-by: Alexei Starovoitov
>> ---
>> include/uapi/linux/bpf.h | 17 ++++++++++++++++-
>> net/core/filter.c | 29 +++++++++++++++++++++++++++--
>> 2 files changed, 43 insertions(+), 3 deletions(-)
>>
>> diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
>> index 9b8c6e3..e2853aa 100644
>> --- a/include/uapi/linux/bpf.h
>> +++ b/include/uapi/linux/bpf.h
>> @@ -2004,6 +2004,20 @@ union bpf_attr { >> * direct packet access. >> * Return >> * 0 on success, or a negative error in case of failure. >> + * >> + * uint64_t bpf_skb_cgroup_id(struct sk_buff *skb) >> + * Description >> + * Return the cgroup v2 id of the socket associated with the *skb*. >> + * This is roughly similar to the **bpf_get_cgroup_classid**\ () >> + * helper for cgroup v1 by providing a tag resp. identifier that >> + * can be matched on or used for map lookups e.g. to implement >> + * policy. The cgroup v2 id of a given path in the hierarchy is >> + * exposed in user space through the f_handle API in order to get >> + * to the same 64-bit id. >> + * >> + * This helper can be used on TC egress path, but not on ingress. > > Nitpick: Maybe mention that the kernel must be built with > CONFIG_SOCK_CGROUP_DATA option for the helper to be available? Yeah that's fine. I was planning on a minor respin anyway some time today, so I'll also update the description along with it. Cheers, Daniel
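
Review bot: In the bpf_skb_cgroup_id() comment added to include/uapi/linux/bpf.h, the description says the id comes from "the socket associated with the *skb*" and that the helper cannot be used on ingress, but the quoted lines do not say what a program gets back when the skb has no socket. Because the value is meant for matching and for map lookups, the text should name the value returned in that case so that a program can tell "no cgroup id" apart from a real id. Separately, "a tag resp. identifier" would read more clearly as "a tag or identifier".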