On 10/31/2016 05:40 PM, David Miller wrote:
From: Daniel Mack
Date: Tue, 25 Oct 2016 12:14:13 +0200
@@ -312,6 +314,13 @@ int ip_mc_output(struct net *net, struct sock *sk, struct
sk_buff *skb)
skb->dev = dev;
skb->protocol = htons(ETH_P_IP);
+ ret = cgroup_bpf_run_filte
From: Daniel Mack
Date: Tue, 25 Oct 2016 12:14:13 +0200
> @@ -312,6 +314,13 @@ int ip_mc_output(struct net *net, struct sock *sk,
> struct sk_buff *skb)
> skb->dev = dev;
> skb->protocol = htons(ETH_P_IP);
>
> + ret = cgroup_bpf_run_filter(sk_to_full_sk(sk), skb,
> +
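Review bot: the call added in ip_mc_output(), "ret = cgroup_bpf_run_filter(sk_to_full_sk(sk), skb,", sits on a transmit path, yet the patch description speaks of the cgroup associated with the "receiving socket"; since all three hooks it names (ip_output(), ip6_output(), ip_mc_output()) are output functions, the description should say the sending socket, or simply the socket that owns the skb. The quoted hunk is cut off before the use of ret is visible, so it is also worth checking in the full patch that a verdict other than pass frees the skb before returning, and that the filter helper copes with a NULL sk on this path.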
If the cgroup associated with the receiving socket has eBPF
programs installed, run them from ip_output(), ip6_output() and
ip_mc_output().
eBPF programs used in this context are expected to either return 1 to
let the packet pass, or != 1 to drop it. The programs have access to
the skb throug