On 2021-10-20 21:01, Joe Stringer wrote:
Hi, just one comment related to the discussion on patch 7.
On Tue, Oct 19, 2021 at 7:49 AM Maxim Mikityanskiy <maximmi@xxxxxxxxxx> wrote:
<snip>
+
+ value = 0; // Flags.
+ ct = bpf_ct_lookup_tcp(ctx, &tup, tup_size, BPF_F_CURRENT_NETNS, &value);
+ if (ct) {
+ unsigned long status = ct->status;
+
+ bpf_ct_release(ct);
+ if (status & IPS_CONFIRMED_BIT)
+ return XDP_PASS;
+ } else if (value != -ENOENT) {
+ return XDP_ABORTED;
+ }
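Review bot: `status & IPS_CONFIRMED_BIT` in the `if (ct)` branch tests the wrong bits. In the kernel's `enum ip_conntrack_status`, `IPS_CONFIRMED_BIT` is the bit index (3) and `IPS_CONFIRMED` is the mask `(1 << IPS_CONFIRMED_BIT)`, so masking with the index checks the low two bits (expected / seen-reply) rather than the confirmed bit, and the `return XDP_PASS` fires for the wrong entries. Suggest `if (status & IPS_CONFIRMED)`. Copying `ct->status` into a local before `bpf_ct_release(ct)` is the right order, since `ct` must not be dereferenced after the release.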
Is this the only reason that you wish to expose conntrack lookup
functions to the API?
You should be able to find out whether the TCP session is established
by doing a TCP socket lookup and checking sk->state.
It's not possible to look up a socket, because there is no socket. The
traffic is forwarded through the firewall machine that runs synproxy and
this XDP program.