Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

bpf: Add classid helper only based on skb->sk

Similarly to 5a52ae4e32a6 ("bpf: Allow to retrieve cgroup v1 classid
from v2 hooks"), add a helper to retrieve cgroup v1 classid solely
based on the skb->sk, so it can be used as key as part of BPF map
lookups out of tc from host ns, in particular given the skb->sk is
retained these days when crossing net ns thanks to 9c4c325252c5
("skbuff: preserve sock reference when scrubbing the skb."). This
is similar to bpf_skb_cgroup_id() which implements the same for v2.
Kubernetes ecosystem is still operating on v1 however, hence net_cls
needs to be used there until this can be dropped in with the v2
helper of bpf_skb_cgroup_id().

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Link: https://lore.kernel.org/bpf/ed633cf27a1c620e901c5aa99ebdefb028dce600.1601477936.git.daniel@iogearbox.net

Authored by Daniel Borkmann and committed by Alexei Starovoitov
b426ce83 963ec27a

+41
+10
include/uapi/linux/bpf.h
··· 3643 3643 * *flags* are identical to those used for bpf_snprintf_btf. 3644 3644 * Return 3645 3645 * 0 on success or a negative error in case of failure. 3646 + * 3647 + * u64 bpf_skb_cgroup_classid(struct sk_buff *skb) 3648 + * Description 3649 + * See **bpf_get_cgroup_classid**\ () for the main description. 3650 + * This helper differs from **bpf_get_cgroup_classid**\ () in that 3651 + * the cgroup v1 net_cls class is retrieved only from the *skb*'s 3652 + * associated socket instead of the current process. 3653 + * Return 3654 + * The id is returned or 0 in case the id could not be retrieved. 3646 3655 */ 3647 3656 #define __BPF_FUNC_MAPPER(FN) \ 3648 3657 FN(unspec), \ ··· 3805 3796 FN(copy_from_user), \ 3806 3797 FN(snprintf_btf), \ 3807 3798 FN(seq_printf_btf), \ 3799 + FN(skb_cgroup_classid), \ 3808 3800 /* */ 3809 3801 3810 3802 /* integer value in 'imm' field of BPF_CALL instruction selects which helper
+21
net/core/filter.c
··· 2707 2707 .gpl_only = false, 2708 2708 .ret_type = RET_INTEGER, 2709 2709 }; 2710 + 2711 + BPF_CALL_1(bpf_skb_cgroup_classid, const struct sk_buff *, skb) 2712 + { 2713 + struct sock *sk = skb_to_full_sk(skb); 2714 + 2715 + if (!sk || !sk_fullsock(sk)) 2716 + return 0; 2717 + 2718 + return sock_cgroup_classid(&sk->sk_cgrp_data); 2719 + } 2720 + 2721 + static const struct bpf_func_proto bpf_skb_cgroup_classid_proto = { 2722 + .func = bpf_skb_cgroup_classid, 2723 + .gpl_only = false, 2724 + .ret_type = RET_INTEGER, 2725 + .arg1_type = ARG_PTR_TO_CTX, 2726 + }; 2710 2727 #endif 2711 2728 2712 2729 BPF_CALL_1(bpf_get_cgroup_classid, const struct sk_buff *, skb) ··· 6788 6771 #ifdef CONFIG_XFRM 6789 6772 case BPF_FUNC_skb_get_xfrm_state: 6790 6773 return &bpf_skb_get_xfrm_state_proto; 6774 + #endif 6775 + #ifdef CONFIG_CGROUP_NET_CLASSID 6776 + case BPF_FUNC_skb_cgroup_classid: 6777 + return &bpf_skb_cgroup_classid_proto; 6791 6778 #endif 6792 6779 #ifdef CONFIG_SOCK_CGROUP_DATA 6793 6780 case BPF_FUNC_skb_cgroup_id:
+10
tools/include/uapi/linux/bpf.h
··· 3643 3643 * *flags* are identical to those used for bpf_snprintf_btf. 3644 3644 * Return 3645 3645 * 0 on success or a negative error in case of failure. 3646 + * 3647 + * u64 bpf_skb_cgroup_classid(struct sk_buff *skb) 3648 + * Description 3649 + * See **bpf_get_cgroup_classid**\ () for the main description. 3650 + * This helper differs from **bpf_get_cgroup_classid**\ () in that 3651 + * the cgroup v1 net_cls class is retrieved only from the *skb*'s 3652 + * associated socket instead of the current process. 3653 + * Return 3654 + * The id is returned or 0 in case the id could not be retrieved. 3646 3655 */ 3647 3656 #define __BPF_FUNC_MAPPER(FN) \ 3648 3657 FN(unspec), \ ··· 3805 3796 FN(copy_from_user), \ 3806 3797 FN(snprintf_btf), \ 3807 3798 FN(seq_printf_btf), \ 3799 + FN(skb_cgroup_classid), \ 3808 3800 /* */ 3809 3801 3810 3802 /* integer value in 'imm' field of BPF_CALL instruction selects which helper
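
Review bot: In net/core/filter.c, bpf_skb_cgroup_classid() returns 0 from the `if (!sk || !sk_fullsock(sk))` branch, and the commit message intends the return value as a BPF map key, so a program cannot tell "this skb has no full socket" apart from a socket for which sock_cgroup_classid() itself yields 0. Suggest spelling out in the helper description that 0 means "unknown" and that callers enforcing policy from tc should not install or match a map entry under key 0, otherwise traffic with no attributable socket would share whatever policy is stored there.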
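
Review bot: In the func-proto switch in net/core/filter.c the new `case BPF_FUNC_skb_cgroup_classid:` is wrapped in `#ifdef CONFIG_CGROUP_NET_CLASSID`, but for the BPF_CALL_1 definition only the closing `#endif` is visible and the opening guard lies above the hunk context. Please confirm the definition sits under the same config symbol; if the two guards differ, some configurations will either reference an undefined bpf_skb_cgroup_classid_proto or leave it defined but unused.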
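
Review bot: The new helper description in include/uapi/linux/bpf.h, and its identical copy in tools/include/uapi/linux/bpf.h, does not mention that the helper is only returned from the proto switch under CONFIG_CGROUP_NET_CLASSID, while `FN(skb_cgroup_classid)` is added to the mapper unconditionally. Suggest documenting the config dependency and listing the cases covered by "could not be retrieved" (no associated socket, or a socket that is not a full socket), so program authors know the helper id can exist on a kernel that will not accept the call and know when to expect 0.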