On 04/20, Gilad Sever wrote:
> When calling socket lookup from L2 (tc, xdp), VRF boundaries aren't
> respected. This patchset fixes this by regarding the incoming device's
> VRF attachment when performing the socket lookups from tc/xdp.
>
> The first two patches are coding changes which facilitate this fix by
> factoring out the tc helper's logic which was shared with cg/sk_skb
> (which operate correctly).

Why is it not relevant for cgroup/egress? Is it already running with the
correct device?

Also, do we really need all this refactoring and separate paths?
Can we just add that bpf_l2_sdif part to the existing code?
It will trigger for tc, but I'm assuming it will be a no-op for cgroup
path?

And regarding bpf_l2_sdif: seems like it's really generic and should
probably be called something like dev_sdif?

> The third patch contains the actual bugfix.
>
> The fourth patch adds bpf tests for these lookup functions.
> ---
> v2: Fixed uninitialized var in test patch (4).
>
> Gilad Sever (4):
>   bpf: factor out socket lookup functions for the TC hookpoint.
>   bpf: Call __bpf_sk_lookup()/__bpf_skc_lookup() directly via TC
>     hookpoint
>   bpf: fix bpf socket lookup from tc/xdp to respect socket VRF bindings
>   selftests/bpf: Add tc_socket_lookup tests
>
>  net/core/filter.c                             | 132 +++++--
>  .../bpf/prog_tests/tc_socket_lookup.c         | 341 ++++++++++++++++++
>  .../selftests/bpf/progs/tc_socket_lookup.c    |  73 ++++
>  3 files changed, 525 insertions(+), 21 deletions(-)
>  create mode 100644 tools/testing/selftests/bpf/prog_tests/tc_socket_lookup.c
>  create mode 100644 tools/testing/selftests/bpf/progs/tc_socket_lookup.c
>
> --
> 2.34.1
>