Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 0e33661d authored by Daniel Mack's avatar Daniel Mack Committed by David S. Miller
Browse files

bpf: add new prog type for cgroup socket filtering 



This program type is similar to BPF_PROG_TYPE_SOCKET_FILTER, except that
it does not allow BPF_LD_[ABS|IND] instructions and hooks up the
bpf_skb_load_bytes() helper.

Programs of this type will be attached to cgroups for network filtering
and accounting.

Signed-off-by: default avatarDaniel Mack <daniel@zonque.org>
Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 619228d8

include/uapi/linux/bpf.h

+9 −0
Original line number Diff line number Diff line
@@ -98,8 +98,17 @@ enum bpf_prog_type { 
	BPF_PROG_TYPE_TRACEPOINT,

	BPF_PROG_TYPE_XDP,

	BPF_PROG_TYPE_PERF_EVENT,

	BPF_PROG_TYPE_CGROUP_SKB,

};



enum bpf_attach_type {

	BPF_CGROUP_INET_INGRESS,

	BPF_CGROUP_INET_EGRESS,

	__MAX_BPF_ATTACH_TYPE

};



#define MAX_BPF_ATTACH_TYPE __MAX_BPF_ATTACH_TYPE



#define BPF_PSEUDO_MAP_FD	1



/* flags for BPF_MAP_UPDATE_ELEM command */

net/core/filter.c

+23 −0
Original line number Diff line number Diff line
@@ -2630,6 +2630,17 @@ xdp_func_proto(enum bpf_func_id func_id) 
	}

}



static const struct bpf_func_proto *

cg_skb_func_proto(enum bpf_func_id func_id)

{

	switch (func_id) {

	case BPF_FUNC_skb_load_bytes:

		return &bpf_skb_load_bytes_proto;

	default:

		return sk_filter_func_proto(func_id);

	}

}



static bool __is_valid_access(int off, int size, enum bpf_access_type type)

{

	if (off < 0 || off >= sizeof(struct __sk_buff))
@@ -2992,6 +3003,12 @@ static const struct bpf_verifier_ops xdp_ops = { 
	.convert_ctx_access	= xdp_convert_ctx_access,

};



static const struct bpf_verifier_ops cg_skb_ops = {

	.get_func_proto		= cg_skb_func_proto,

	.is_valid_access	= sk_filter_is_valid_access,

	.convert_ctx_access	= sk_filter_convert_ctx_access,

};



static struct bpf_prog_type_list sk_filter_type __read_mostly = {

	.ops	= &sk_filter_ops,

	.type	= BPF_PROG_TYPE_SOCKET_FILTER,
@@ -3012,12 +3029,18 @@ static struct bpf_prog_type_list xdp_type __read_mostly = { 
	.type	= BPF_PROG_TYPE_XDP,

};



static struct bpf_prog_type_list cg_skb_type __read_mostly = {

	.ops	= &cg_skb_ops,

	.type	= BPF_PROG_TYPE_CGROUP_SKB,

};



static int __init register_sk_filter_ops(void)

{

	bpf_register_prog_type(&sk_filter_type);

	bpf_register_prog_type(&sched_cls_type);

	bpf_register_prog_type(&sched_act_type);

	bpf_register_prog_type(&xdp_type);

	bpf_register_prog_type(&cg_skb_type);



	return 0;

}