On 04/20, Gilad Sever wrote:
> When calling socket lookup from L2 (tc, xdp), VRF boundaries aren't respected. This patchset fixes this by regarding the incoming device's VRF attachment when performing the socket lookups from tc/xdp.
> The first two patches are coding changes which facilitate this fix by factoring out the tc helper's logic which was shared with cg/sk_skb (which operate correctly).
Why is it not relevant for cgroup/egress? Is it already running with the correct device?
Also, do we really need all this refactoring and separate paths? Can we just add that bpf_l2_sdif part to the existing code? It will trigger for tc, but I'm assuming it will be a no-op for cgroup path?
And regarding bpf_l2_sdif: seems like it's really generic and should probably be called something like dev_sdif?
> The third patch contains the actual bugfix.
> The fourth patch adds bpf tests for these lookup functions.
>
> v2: Fixed uninitialized var in test patch (4).
>
> Gilad Sever (4):
>   bpf: factor out socket lookup functions for the TC hookpoint.
>   bpf: Call __bpf_sk_lookup()/__bpf_skc_lookup() directly via TC hookpoint
>   bpf: fix bpf socket lookup from tc/xdp to respect socket VRF bindings
>   selftests/bpf: Add tc_socket_lookup tests
>
>  net/core/filter.c                            | 132 +++++--
>  .../bpf/prog_tests/tc_socket_lookup.c        | 341 ++++++++++++++++++
>  .../selftests/bpf/progs/tc_socket_lookup.c   |  73 ++++
>  3 files changed, 525 insertions(+), 21 deletions(-)
>  create mode 100644 tools/testing/selftests/bpf/prog_tests/tc_socket_lookup.c
>  create mode 100644 tools/testing/selftests/bpf/progs/tc_socket_lookup.c
>
> --
> 2.34.1