On Wed, Dec 29, 2021 at 3:33 AM <menglong8.dong@xxxxxxxxx> wrote:
>
> From: Menglong Dong <imagedong@xxxxxxxxxxx>
>
> The cgroup eBPF attach type 'CGROUP_SOCK_OPS' is able to monitor the
> state change of a tcp connect with 'BPF_SOCK_OPS_STATE_CB' ops.
>
> However, it can't trace the whole state change of a tcp connect. While
> a connect becomes 'TCP_TIME_WAIT' state, this sock will be released and
> a tw sock will be created. While tcp sock release, 'TCP_CLOSE' state
> change will be passed to eBPF program. However, the real state of this
> connect is 'TCP_TIME_WAIT'.
>
> To make eBPF get the real state change of a tcp connect, add
> 'CGROUP_TWSK_CLOSE' cgroup attach type, which will be called when
> tw sock release and tcp connect become CLOSE.

The use case is not explained.
Why can't bpf tracing be used to achieve the same?

Also there are no selftests.