| Message ID | 3cb2908c5690d20e1575ed36177b5881838a9079.1589405669.git.rdna@fb.com |
|---|---|
| State | Changes Requested |
| Delegated to: | BPF Maintainers |
| Headers | show |
| Series | bpf: sk lookup, cgroup id helpers in cgroup skb | expand |
On 5/13/20 2:38 PM, Andrey Ignatov wrote: > cgroup skb programs already can use bpf_skb_cgroup_id. Allow > bpf_skb_ancestor_cgroup_id as well so that container policies can be > implemented for a container that can have sub-cgroups dynamically > created, but policies should still be implemented based on cgroup id of > container itself not on an id of a sub-cgroup. > > Signed-off-by: Andrey Ignatov <rdna@fb.com> Acked-by: Yonghong Song <yhs@fb.com>
diff --git a/net/core/filter.c b/net/core/filter.c index ccb560c1a1db..f88df77d0ad4 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -6157,6 +6157,8 @@ cg_skb_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) #ifdef CONFIG_SOCK_CGROUP_DATA case BPF_FUNC_skb_cgroup_id: return &bpf_skb_cgroup_id_proto; + case BPF_FUNC_skb_ancestor_cgroup_id: + return &bpf_skb_ancestor_cgroup_id_proto; #endif #ifdef CONFIG_INET case BPF_FUNC_sk_lookup_tcp:
cgroup skb programs already can use bpf_skb_cgroup_id. Allow bpf_skb_ancestor_cgroup_id as well so that container policies can be implemented for a container that can have sub-cgroups dynamically created, but policies should still be implemented based on cgroup id of container itself not on an id of a sub-cgroup. Signed-off-by: Andrey Ignatov <rdna@fb.com> --- net/core/filter.c | 2 ++ 1 file changed, 2 insertions(+)