On 05/29/2018 02:15 PM, Quentin Monnet wrote: > Hi Daniel, > > 2018-05-28 02:43 UTC+0200 ~ Daniel Borkmann <dan...@iogearbox.net> >> Add a new bpf_skb_cgroup_id() helper that allows to retrieve the >> cgroup id from the skb's socket. This is useful in particular to >> enable bpf_get_cgroup_classid()-like behavior for cgroup v1 in >> cgroup v2 by allowing ID based matching on egress. This can in >> particular be used in combination with applying policy e.g. from >> map lookups, and also complements the older bpf_skb_under_cgroup() >> interface. In user space the cgroup id for a given path can be >> retrieved through the f_handle as demonstrated in [0] recently. >> >> [0] https://lkml.org/lkml/2018/5/22/1190 >> >> Signed-off-by: Daniel Borkmann <dan...@iogearbox.net> >> Acked-by: Alexei Starovoitov <a...@kernel.org> >> --- >> include/uapi/linux/bpf.h | 17 ++++++++++++++++- >> net/core/filter.c | 29 +++++++++++++++++++++++++++-- >> 2 files changed, 43 insertions(+), 3 deletions(-) >> >> diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h >> index 9b8c6e3..e2853aa 100644 >> --- a/include/uapi/linux/bpf.h >> +++ b/include/uapi/linux/bpf.h >> @@ -2004,6 +2004,20 @@ union bpf_attr { >> * direct packet access. >> * Return >> * 0 on success, or a negative error in case of failure. >> + * >> + * uint64_t bpf_skb_cgroup_id(struct sk_buff *skb) >> + * Description >> + * Return the cgroup v2 id of the socket associated with the *skb*. >> + * This is roughly similar to the **bpf_get_cgroup_classid**\ () >> + * helper for cgroup v1 by providing a tag resp. identifier that >> + * can be matched on or used for map lookups e.g. to implement >> + * policy. The cgroup v2 id of a given path in the hierarchy is >> + * exposed in user space through the f_handle API in order to get >> + * to the same 64-bit id. >> + * >> + * This helper can be used on TC egress path, but not on ingress. > > Nitpick: Maybe mention that the kernel must be built with > CONFIG_SOCK_CGROUP_DATA option for the helper to be available?
Yeah that's fine. I was planning on a minor respin anyway some time today, so I'll also update the description along with it. Cheers, Daniel
