Re: [PATCH v3 bpf-next 0/5] bpf: sk lookup, cgroup id helpers in cgroup skb

On Thu, May 14, 2020 at 1:04 PM Andrey Ignatov <rdna@xxxxxx> wrote:
>
> v2->v3:
> - better documentation for bpf_sk_cgroup_id in uapi (Yonghong Song)
> - save/restore errno in network helpers (Yonghong Song)
> - cleanup leftover after switching selftest to skeleton (Yonghong Song)
> - switch from map to skel->bss in selftest (Yonghong Song)
>
> v1->v2:
> - switch selftests to skeleton.
>
> This patch set allows a bunch of existing sk lookup and skb cgroup id
> helpers, and adds two new bpf_sk_{,ancestor_}cgroup_id helpers to be used
> in cgroup skb programs.
>
> It fills the gap to cover a use-case to apply intra-host cgroup-bpf network
> policy based on a source cgroup a packet comes from.
>
> For example, there can be multiple containers A, B, C running on a host.
> Every such container runs in its own cgroup that can have multiple
> sub-cgroups. But all these containers can share some IP addresses.
>
> At the same time container A wants to have a policy for a server S running
> in it so that only clients from this same container can connect to S, but
> not from other containers (such as B, C). Source IP address can't be used
> to decide whether to allow or deny a packet, but it looks reasonable to
> filter by cgroup id.
>
> The patch set allows implementing the following policy:
> * when an ingress packet comes to container's cgroup, lookup peer (client)
>   socket this packet comes from;
> * having peer socket, get its cgroup id;
> * compare peer cgroup id with self cgroup id and allow packet only if they
>   match, i.e. it comes from same cgroup;
> * the "sub-cgroup" part of the story can be addressed by getting not direct
>   cgroup id of the peer socket, but ancestor cgroup id on specified level,
>   similar to existing "ancestor" flavors of cgroup id helpers.
>
> A newly introduced selftest implements such a policy in its basic form to
> provide a better idea on the use-case.
>
> Patch 1 allows existing sk lookup helpers in cgroup skb.
> Patch 2 allows skb_ancestor_cgroup_id in cgroup skb.
> Patch 3 introduces two new helpers to get cgroup id of socket.
> Patch 4 extends network helpers to use them in the next patch.
> Patch 5 adds selftest / example of use-case.

Applied. Thanks


