summaryrefslogtreecommitdiffstats
path: root/security/keys
diff options
context:
space:
mode:
authorDaniel Mack <daniel@zonque.org>2016-11-23 16:52:29 +0100
committerDavid S. Miller <davem@davemloft.net>2016-11-25 16:26:04 -0500
commit33b486793cb31311f3a91ae4fe4be5926e7677b0 (patch)
tree2985be4f76a478cab89536ffd1efaaa0fddbb36f /security/keys
parentc11cd3a6ec3a817c6b71b00c559e25d855f7e5b4 (diff)
downloadlinux-33b486793cb31311f3a91ae4fe4be5926e7677b0.tar.bz2
net: ipv4, ipv6: run cgroup eBPF egress programs
If the cgroup associated with the receiving socket has an eBPF programs installed, run them from ip_output(), ip6_output() and ip_mc_output(). From mentioned functions we have two socket contexts as per 7026b1ddb6b8 ("netfilter: Pass socket pointer down through okfn()."). We explicitly need to use sk instead of skb->sk here, since otherwise the same program would run multiple times on egress when encap devices are involved, which is not desired in our case. eBPF programs used in this context are expected to either return 1 to let the packet pass, or != 1 to drop them. The programs have access to the skb through bpf_skb_load_bytes(), and the payload starts at the network headers (L3). Note that cgroup_bpf_run_filter() is stubbed out as static inline nop for !CONFIG_CGROUP_BPF, and is otherwise guarded by a static key if the feature is unused. Signed-off-by: Daniel Mack <daniel@zonque.org> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'security/keys')
0 files changed, 0 insertions, 0 deletions