On 06/06/2017 10:26 PM, David Miller wrote:
From: Chenbo Feng <fe...@google.com>
Date: Tue, 6 Jun 2017 13:24:11 -0700

On Tue, Jun 6, 2017 at 9:40 AM, Daniel Borkmann <dan...@iogearbox.net> wrote:

On 06/06/2017 02:04 PM, Daniel Borkmann wrote:

On 06/01/2017 03:15 AM, Chenbo Feng wrote:

From: Chenbo Feng <fe...@google.com>

This allows cgroup eBPF programs to classify packets based on their
protocol or other detailed information. Currently a program needs
CAP_NET_ADMIN privilege to attach a cgroup eBPF program, and a
process with CAP_NET_ADMIN can already see all packets on the system,
for example, by creating an iptables rule that causes the packet to
be passed to userspace via NFLOG.

Signed-off-by: Chenbo Feng <fe...@google.com>


Sorry, but I am puzzled what above change log has to do with the
below diff?! Back then we decided not to add BPF_PROG_TYPE_CGROUP_SKB
to may_access_skb(), since one can already use bpf_skb_load_bytes()
helper to access pkt data, which is a much more flexible interface.
Mind to elaborate why you cannot use bpf_skb_load_bytes() instead?


See my other email [1], this one is also problematic wrt SKF_LL_OFF.

   [1] http://patchwork.ozlabs.org/patch/771946/


Oh sorry, I just found out the bpf_skb_load_bytes helper can already achieve
the goal. There is no point in adding my patch then. Thank you for pointing
it out and fixing it.

If something now needs to be reverted, you need to send that revert to me.

It's sitting here: http://patchwork.ozlabs.org/patch/771946/
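
Added example, not part of the thread or of any patch in it: a cgroup skb program that classifies by L4 protocol through bpf_skb_load_bytes(), the helper the replies above point to, instead of direct packet access. The names l4_proto and classify, the pass/drop policy, the assumption that offset 0 is the IP header, and the userspace stand-in for the helper are all illustrative assumptions.

```c
/* Added example, not from the thread. Build for the kernel with
 * clang -O2 -target bpf -c; any other compiler gets the userspace
 * stand-in below so the parsing logic can be unit-tested. */
#ifdef __bpf__
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
#else
#include <stdint.h>
#include <string.h>
#define SEC(name)
/* Constructed stand-in for the context and helper (assumption: mirrors
 * the helper's contract of 0 on success, negative when out of range). */
struct __sk_buff { const uint8_t *data; uint32_t len; };
static long bpf_skb_load_bytes(const struct __sk_buff *skb, uint32_t off,
                               void *to, uint32_t len)
{
    if (off > skb->len || len > skb->len - off)
        return -14; /* -EFAULT */
    memcpy(to, skb->data + off, len);
    return 0;
}
#endif

/* Returns the L4 protocol number, or -1 if it cannot be read.
 * Assumes offset 0 is the IP header, as for cgroup skb programs. */
static inline int l4_proto(struct __sk_buff *skb)
{
    unsigned char b;

    if (bpf_skb_load_bytes(skb, 0, &b, 1) < 0)
        return -1;
    switch (b >> 4) {
    case 4: /* IPv4: protocol field at byte 9 */
        return bpf_skb_load_bytes(skb, 9, &b, 1) < 0 ? -1 : b;
    case 6: /* IPv6: next-header field at byte 6 */
        return bpf_skb_load_bytes(skb, 6, &b, 1) < 0 ? -1 : b;
    }
    return -1;
}

/* Constructed policy: 1 = pass TCP (6) and UDP (17), 0 = drop the rest. */
SEC("cgroup/skb")
int classify(struct __sk_buff *skb)
{
    int proto = l4_proto(skb);

    return proto == 6 || proto == 17;
}
```

Because every read goes through the helper, a truncated packet yields an error return rather than an out-of-bounds access, and the program drops it.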
