• inet: Run SK_LOOKUP BPF program on socket lookup · 1559b4aa
    Jakub Sitnicki authored
    Run a BPF program before looking up a listening socket on the receive path.
    Program selects a listening socket to yield as result of socket lookup by
    calling bpf_sk_assign() helper and returning SK_PASS code. Program can
    revert its decision by assigning a NULL socket with bpf_sk_assign().
    
    Alternatively, BPF program can also fail the lookup by returning with
    SK_DROP, or let the lookup continue as usual with SK_PASS on return, when
    no socket has been selected with bpf_sk_assign().
    
    This lets the user match packets with listening sockets freely at the last
    possible point on the receive path, where we know that packets are destined
    for local delivery after undergoing policing, filtering, and routing.
    
    With BPF code selecting the socket, directing packets destined to an IP
    range or to a port range to a single socket becomes possible.
    
    In case multiple programs are attached, they are run in series in the order
    in which they were attached. The end result is determined from return codes
    of all the programs according to following rules:
    
     1. If any program returned SK_PASS and selected a valid socket, the socket
        is used as result of socket lookup.
     2. If more than one program returned SK_PASS and selected a socket,
        last selection takes effect.
     3. If any program returned SK_DROP, and no program returned SK_PASS and
        selected a socket, socket lookup fails with -ECONNREFUSED.
     4. If all programs returned SK_PASS and none of them selected a socket,
        socket lookup continues to htable-based lookup.
    
    Suggested-by: Marek Majkowski <marek@cloudflare.com>
    Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>
    Link: https://lore.kernel.org/bpf/20200717103536.397595-5-jakub@cloudflare.com
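
The four rules for combining the results of several attached programs can be checked with a small userspace model. This is an added example, not code from the commit or the kernel: `struct prog_result`, `struct lookup_outcome` and `combine_results()` are hypothetical names, and the model assumes a socket assigned by a program that then returns SK_DROP does not count as a selection, which is how rules 1 and 3 read.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Local stand-ins for the verdict codes named in the commit message. */
enum verdict { SK_DROP, SK_PASS };

/* One program's result: its return code plus the socket it left assigned
 * (NULL if it never called bpf_sk_assign() or reverted its choice). */
struct prog_result { enum verdict ret; const void *selected_sk; };

/* Hypothetical outcome type for this model of the BPF lookup stage. */
struct lookup_outcome {
    int err;             /* 0, or -ECONNREFUSED when the lookup fails */
    const void *sk;      /* socket chosen by the programs, or NULL */
    int continue_lookup; /* 1: fall through to htable-based lookup */
};

/* Combine results of programs run in attach order, following rules 1-4. */
struct lookup_outcome combine_results(const struct prog_result *res, size_t n)
{
    struct lookup_outcome out = { 0, NULL, 0 };
    int any_drop = 0;

    for (size_t i = 0; i < n; i++) {
        if (res[i].ret == SK_PASS && res[i].selected_sk)
            out.sk = res[i].selected_sk; /* rules 1 and 2: last selection wins */
        else if (res[i].ret == SK_DROP)
            any_drop = 1;                /* matters only if nobody selects */
    }
    if (out.sk)
        return out;                      /* rule 1: a selection beats SK_DROP */
    if (any_drop)
        out.err = -ECONNREFUSED;         /* rule 3 */
    else
        out.continue_lookup = 1;         /* rule 4 */
    return out;
}

int main(void)
{
    int web = 0; /* constructed stand-in for a listening socket */
    struct prog_result run[] = { { SK_DROP, NULL }, { SK_PASS, &web } };
    struct lookup_outcome o = combine_results(run, 2);

    printf("err=%d selected=%d continue=%d\n", o.err, o.sk != NULL, o.continue_lookup);
    return 0;
}
```

The case in `main()` is the one worth noting when stacking policies: an earlier program's SK_DROP does not block delivery if any other attached program returns SK_PASS with a socket selected.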
filter.h 37.9 KB