Hi, just one comment related to the discussion on patch 7.

On Tue, Oct 19, 2021 at 7:49 AM Maxim Mikityanskiy <maximmi@xxxxxxxxxx> wrote:
<snip>
> + > + value = 0; // Flags. > + ct = bpf_ct_lookup_tcp(ctx, &tup, tup_size, BPF_F_CURRENT_NETNS, &value); > + if (ct) { > + unsigned long status = ct->status; > + > + bpf_ct_release(ct); > + if (status & IPS_CONFIRMED_BIT) > + return XDP_PASS; > + } else if (value != -ENOENT) { > + return XDP_ABORTED; > + }

Is this the only reason that you wish to expose conntrack lookup functions to the API? You should be able to find out whether the TCP session is established by doing a TCP socket lookup and checking sk->state.
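
Review bot: the test `if (status & IPS_CONFIRMED_BIT)` in the `if (ct)` branch uses a bit number as a mask. In enum ip_conntrack_status, IPS_CONFIRMED_BIT is the bit position (3) and the mask is IPS_CONFIRMED, defined as (1 << IPS_CONFIRMED_BIT). As written, the check tests the two low status bits rather than the confirmed flag, so the XDP_PASS decision does not depend on whether the entry is confirmed. Suggest `if (status & IPS_CONFIRMED)`. Separately, `value` is commented as "Flags." on input but is compared against -ENOENT after the call. A short comment saying the helper writes the error code back through the same pointer would make the `else if` branch easier to follow.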