On Fri, Apr 12, 2019 at 3:01 AM Alban Crequy <alban.crequy@xxxxxxxxx> wrote: > > From: Alban Crequy <alban@xxxxxxxxxx> > > sockops programs can now access the network namespace inode via > (struct bpf_sock_ops)->netns. This can be useful to apply different > policies on different network namespaces. > > In the unlikely case where network namespaces are not compiled in > (CONFIG_NET_NS=n), the verifier will not allow access to ->netns. > > Signed-off-by: Alban Crequy <alban@xxxxxxxxxx> > --- > include/uapi/linux/bpf.h | 1 + > net/core/filter.c | 40 ++++++++++++++++++++++++++++++++++++++++ > 2 files changed, 41 insertions(+) > > diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h > index 31a27dd337dc..5afaab25f205 100644 > --- a/include/uapi/linux/bpf.h > +++ b/include/uapi/linux/bpf.h > @@ -3069,6 +3069,7 @@ struct bpf_sock_ops { > __u32 sk_txhash; > __u64 bytes_received; > __u64 bytes_acked; > + __u64 netns; > }; stat /proc/self/ns/net returns inode and device. inum only is not enough to identify netns. Both need to be exposed. See netns_dev/netns_ino in bpf.h
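
Review bot: the new `__u64 netns;` at the end of `struct bpf_sock_ops` has no comment saying what the value holds, and the commit message describes it as the namespace inode only. Because this is a UAPI struct, name the field for what it carries (for example `netns_ino`), expose the device beside it as the reply asks, and document what a program sees when CONFIG_NET_NS=n. The net/core/filter.c changes listed in the diffstat are not quoted in this message, so the context-access rewrite and the verifier restriction cannot be checked from here.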
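
The reply's point seen from userspace, as an added example that is not part of this thread or of the kernel patch: a namespace file is identified by its device and inode together, so any policy lookup or comparison has to use both. The `netns_id` struct and the two helper names are hypothetical, and `/proc/1/ns/net` is only a default comparison target.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Identity of a network namespace as userspace sees it: device AND inode. */
struct netns_id {
    dev_t dev;
    ino_t ino;
};

/* Fill *id from a namespace file such as /proc/<pid>/ns/net.
 * stat() follows the /proc symlink, so the values describe the namespace
 * object itself. Returns 0 on success, -1 if the path cannot be stat'ed. */
int netns_id_from_path(const char *path, struct netns_id *id)
{
    struct stat st;

    if (stat(path, &st) != 0)
        return -1;
    id->dev = st.st_dev;
    id->ino = st.st_ino;
    return 0;
}

/* Two handles name the same namespace only if both fields match;
 * an equal inode number on a different device is a different object. */
int netns_id_equal(const struct netns_id *a, const struct netns_id *b)
{
    return a->dev == b->dev && a->ino == b->ino;
}

int main(int argc, char **argv)
{
    const char *other = argc > 1 ? argv[1] : "/proc/1/ns/net";
    struct netns_id self, peer;

    if (netns_id_from_path("/proc/self/ns/net", &self) != 0 ||
        netns_id_from_path(other, &peer) != 0) {
        perror("stat");
        return 1;
    }
    printf("self  dev=%llu ino=%llu\n",
           (unsigned long long)self.dev, (unsigned long long)self.ino);
    printf("other dev=%llu ino=%llu\n",
           (unsigned long long)peer.dev, (unsigned long long)peer.ino);
    printf("same namespace: %s\n", netns_id_equal(&self, &peer) ? "yes" : "no");
    return 0;
}
```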