Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

bpf: Update __cgroup_bpf_run_filter_skb with cn

For egress packets, __cgroup_bpf_run_filter_skb() will now call
BPF_PROG_CGROUP_INET_EGRESS_RUN_ARRAY() instead of PROG_CGROUP_RUN_ARRAY()
in order to propagate congestion notification (cn) requests to TCP
callers.

For egress packets, this function can return:
    NET_XMIT_SUCCESS (0) - continue with packet output
    NET_XMIT_DROP    (1) - drop packet and notify TCP to call cwr
    NET_XMIT_CN      (2) - continue with packet output and notify TCP
                           to call cwr
    -EPERM               - drop packet

For ingress packets, this function will return -EPERM if any attached
program was found and if it returned != 1 during execution. Otherwise 0
is returned.

Signed-off-by: Lawrence Brakmo <brakmo@fb.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

Authored by brakmo and committed by Alexei Starovoitov
e7a3160d 5cf1e914

+20 -5
kernel/bpf/cgroup.c
··· 587 587 * The program type passed in via @type must be suitable for network 588 588 * filtering. No further check is performed to assert that. 589 589 * 590 - * This function will return %-EPERM if any if an attached program was found 591 - * and if it returned != 1 during execution. In all other cases, 0 is returned. 590 + * For egress packets, this function can return: 591 + * NET_XMIT_SUCCESS (0) - continue with packet output 592 + * NET_XMIT_DROP (1) - drop packet and notify TCP to call cwr 593 + * NET_XMIT_CN (2) - continue with packet output and notify TCP 594 + * to call cwr 595 + * -EPERM - drop packet 596 + * 597 + * For ingress packets, this function will return -EPERM if any 598 + * attached program was found and if it returned != 1 during execution. 599 + * Otherwise 0 is returned. 592 600 */ 593 601 int __cgroup_bpf_run_filter_skb(struct sock *sk, 594 602 struct sk_buff *skb, ··· 622 614 /* compute pointers for the bpf prog */ 623 615 bpf_compute_and_save_data_end(skb, &saved_data_end); 624 616 625 - ret = BPF_PROG_RUN_ARRAY(cgrp->bpf.effective[type], skb, 626 - __bpf_prog_run_save_cb); 617 + if (type == BPF_CGROUP_INET_EGRESS) { 618 + ret = BPF_PROG_CGROUP_INET_EGRESS_RUN_ARRAY( 619 + cgrp->bpf.effective[type], skb, __bpf_prog_run_save_cb); 620 + } else { 621 + ret = BPF_PROG_RUN_ARRAY(cgrp->bpf.effective[type], skb, 622 + __bpf_prog_run_save_cb); 623 + ret = (ret == 1 ? 0 : -EPERM); 624 + } 627 625 bpf_restore_data_end(skb, saved_data_end); 628 626 __skb_pull(skb, offset); 629 627 skb->sk = save_sk; 630 - return ret == 1 ? 0 : -EPERM; 628 + 629 + return ret; 631 630 } 632 631 EXPORT_SYMBOL(__cgroup_bpf_run_filter_skb); 633 632
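Review bot: in the kernel-doc comment above __cgroup_bpf_run_filter_skb() (first hunk), the new return-value list documents two different "drop" results, `NET_XMIT_DROP (1)` and `-EPERM`, without saying which program outcome selects which, so a reader cannot tell from the comment when TCP is notified and when it is not. Please add a line stating the mapping, or point to BPF_PROG_CGROUP_INET_EGRESS_RUN_ARRAY() as the place where it is defined. As a style point, the removed text marked its constant as `%-EPERM`; the added lines drop that markup for `-EPERM` and the NET_XMIT_* names, and the list would read more consistently under a `Return:` heading with the `%` markers kept.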
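Review bot: the second hunk widens the return contract of an exported function (`EXPORT_SYMBOL(__cgroup_bpf_run_filter_skb)`) from {0, -EPERM} to {0, 1, 2, -EPERM} on the egress path, and nothing in the visible lines shows that callers were updated to match. A caller that still tests `if (ret)` would treat NET_XMIT_CN (2) as a failure even though the comment says output continues, and a caller that tests `ret < 0` would let a NET_XMIT_DROP (1) packet through, which turns a cgroup policy drop into a pass. Please confirm that every egress caller is converted in this series, or note in the commit message which patch does that. The ingress branch now normalizes with `ret = (ret == 1 ? 0 : -EPERM);` inside the `else`, which keeps the old behaviour; a short comment there saying that only the egress macro returns final NET_XMIT_* values would make the asymmetry between the two branches easier to audit.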