
Commit 18ab8e6

committed
lib,daemon: add cgroup_sock_addr hooks, flavor, and BPF type constants
Add BF_FLAVOR_CGROUP_SOCK_ADDR and BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4/CONNECT6 to support BPF_PROG_TYPE_CGROUP_SOCK_ADDR programs. This is the foundational enum/mapping work for sock_addr filtering. All mapping tables (hook strings, flavor, prog_type, attach_type), BPF type constants, and hookopts are updated. All existing packet-based matchers are blocked on the new hooks via unsupported_hooks. Flavor ops are registered as NULL and codegen is added in a follow-up.
1 parent 1b1be91 commit 18ab8e6


9 files changed

+155
-10
lines changed

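--- a/src/bfcli/lexer.l
+++ b/src/bfcli/lexer.l
@@ -58,7 +58,7 @@ set { return SET; }
 counter { return COUNTER; }
 
 /* Hooks */
-BF_HOOK_[A-Z_]+ { BEGIN(STATE_HOOK_OPTS); yylval.sval = strdup(yytext); return HOOK; }
+BF_HOOK_[A-Z0-9_]+ { BEGIN(STATE_HOOK_OPTS); yylval.sval = strdup(yytext); return HOOK; }
 <STATE_HOOK_OPTS>{
 (\{|,) /* Ignore */
 \} { BEGIN(INITIAL); }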

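--- a/src/bpfilter/cgen/program.c
+++ b/src/bpfilter/cgen/program.c
@@ -83,6 +83,7 @@ static const struct bf_flavor_ops *bf_flavor_ops_get(enum bf_flavor flavor)
 [BF_FLAVOR_NF] = &bf_flavor_ops_nf,
 [BF_FLAVOR_XDP] = &bf_flavor_ops_xdp,
 [BF_FLAVOR_CGROUP_SKB] = &bf_flavor_ops_cgroup_skb,
+[BF_FLAVOR_CGROUP_SOCK_ADDR] = NULL,
 };
 
 static_assert_enum_mapping(flavor_ops, _BF_FLAVOR_MAX);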
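Review bot: The new `[BF_FLAVOR_CGROUP_SOCK_ADDR] = NULL` entry makes `bf_flavor_ops_get()` return a null pointer for a flavor that this same commit makes reachable, since the lexer, `_bf_hook_strs` and `bf_hook_to_flavor()` now resolve the CONNECT4/CONNECT6 hooks. The callers are outside this hunk, so it is not visible whether any of them checks the result; if one dereferences it, a chain requested on these hooks would crash the daemon instead of being rejected. Until the codegen follow-up lands, the hook should be refused with an explicit error (for example `-ENOTSUP`) where the program is created, and the entry deserves a comment such as `/* no ops yet: programs for this flavor must be rejected before use */`. The function body starts and ends outside the hunk.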

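--- a/src/libbpfilter/flavor.c
+++ b/src/libbpfilter/flavor.c
@@ -14,6 +14,7 @@ const char *bf_flavor_to_str(enum bf_flavor flavor)
 [BF_FLAVOR_NF] = "BF_FLAVOR_NF",
 [BF_FLAVOR_XDP] = "BF_FLAVOR_XDP",
 [BF_FLAVOR_CGROUP_SKB] = "BF_FLAVOR_CGROUP_SKB",
+[BF_FLAVOR_CGROUP_SOCK_ADDR] = "BF_FLAVOR_CGROUP_SOCK_ADDR",
 };
 static_assert_enum_mapping(flavor_str, _BF_FLAVOR_MAX);
 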

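--- a/src/libbpfilter/hook.c
+++ b/src/libbpfilter/hook.c
@@ -35,6 +35,8 @@ static const char *_bf_hook_strs[] = {
 [BF_HOOK_NF_LOCAL_OUT] = "BF_HOOK_NF_LOCAL_OUT",
 [BF_HOOK_NF_POST_ROUTING] = "BF_HOOK_NF_POST_ROUTING",
 [BF_HOOK_TC_EGRESS] = "BF_HOOK_TC_EGRESS",
+[BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4] = "BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4",
+[BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6] = "BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6",
 };
 static_assert_enum_mapping(_bf_hook_strs, _BF_HOOK_MAX);
 
@@ -73,6 +75,8 @@ enum bf_flavor bf_hook_to_flavor(enum bf_hook hook)
 [BF_HOOK_NF_LOCAL_OUT] = BF_FLAVOR_NF,
 [BF_HOOK_NF_POST_ROUTING] = BF_FLAVOR_NF,
 [BF_HOOK_TC_EGRESS] = BF_FLAVOR_TC,
+[BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4] = BF_FLAVOR_CGROUP_SOCK_ADDR,
+[BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6] = BF_FLAVOR_CGROUP_SOCK_ADDR,
 };
 
 static_assert_enum_mapping(flavors, _BF_HOOK_MAX);
@@ -93,6 +97,8 @@ enum bf_bpf_attach_type bf_hook_to_bpf_attach_type(enum bf_hook hook)
 [BF_HOOK_NF_LOCAL_OUT] = BF_BPF_NETFILTER,
 [BF_HOOK_NF_POST_ROUTING] = BF_BPF_NETFILTER,
 [BF_HOOK_TC_EGRESS] = BF_BPF_TCX_ENGRESS,
+[BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4] = BF_BPF_CGROUP_INET4_CONNECT,
+[BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6] = BF_BPF_CGROUP_INET6_CONNECT,
 };
 
 static_assert_enum_mapping(attach_types, _BF_HOOK_MAX);
@@ -113,6 +119,8 @@ enum bf_bpf_prog_type bf_hook_to_bpf_prog_type(enum bf_hook hook)
 [BF_HOOK_NF_LOCAL_OUT] = BF_BPF_PROG_TYPE_NETFILTER,
 [BF_HOOK_NF_POST_ROUTING] = BF_BPF_PROG_TYPE_NETFILTER,
 [BF_HOOK_TC_EGRESS] = BF_BPF_PROG_TYPE_SCHED_CLS,
+[BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4] = BF_BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
+[BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6] = BF_BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
 };
 
 static_assert_enum_mapping(prog_types, _BF_HOOK_MAX);
@@ -359,7 +367,8 @@ static struct bf_hookopts_ops
 .dump = _bf_hookopts_ifindex_dump},
 [BF_HOOKOPTS_CGPATH] = {.name = "cgpath",
 .type = BF_HOOKOPTS_CGPATH,
-.required_by = BF_FLAGS(BF_FLAVOR_CGROUP_SKB),
+.required_by = BF_FLAGS(BF_FLAVOR_CGROUP_SKB,
+BF_FLAVOR_CGROUP_SOCK_ADDR),
 .supported_by = 0,
 .parse = _bf_hookopts_cgpath_parse,
 .dump = _bf_hookopts_cgpath_dump},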

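--- a/src/libbpfilter/include/bpfilter/bpf_types.h
+++ b/src/libbpfilter/include/bpfilter/bpf_types.h
@@ -27,6 +27,7 @@ enum bf_bpf_prog_type
 BF_BPF_PROG_TYPE_XDP = 6,
 BF_BPF_PROG_TYPE_SCHED_CLS = 3,
 BF_BPF_PROG_TYPE_CGROUP_SKB = 8,
+BF_BPF_PROG_TYPE_CGROUP_SOCK_ADDR = 18,
 BF_BPF_PROG_TYPE_NETFILTER = 32,
 };
 
@@ -38,6 +39,8 @@ enum bf_bpf_attach_type
 BF_BPF_TCX_ENGRESS = 47,
 BF_BPF_CGROUP_INET_INGRESS = 0,
 BF_BPF_CGROUP_INET_EGRESS = 1,
+BF_BPF_CGROUP_INET4_CONNECT = 10,
+BF_BPF_CGROUP_INET6_CONNECT = 11,
 };
 
 enum bf_bpf_map_type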

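--- a/src/libbpfilter/include/bpfilter/flavor.h
+++ b/src/libbpfilter/include/bpfilter/flavor.h
@@ -62,6 +62,15 @@ enum bf_flavor
 * - Return code: 0 to drop, 1 to accept
 */
 BF_FLAVOR_CGROUP_SKB,
+
+/**
+* cgroup_sock_addr BPF programs, attached to a cgroup to intercept
+* socket operations (connect, bind, sendmsg, recvmsg):
+* - Input: `struct bpf_sock_addr`
+* - Headers available: from L3
+* - Return code: 0 to drop, 1 to accept
+*/
+BF_FLAVOR_CGROUP_SOCK_ADDR,
 _BF_FLAVOR_MAX,
 };
 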
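Review bot: The new doc comment for `BF_FLAVOR_CGROUP_SOCK_ADDR` states `Headers available: from L3`, which looks carried over from the cgroup_skb entry: a sock_addr program receives `struct bpf_sock_addr` and has no packet data, which is also why this commit marks the packet matchers unsupported on the new hooks. I would write `- Headers available: none (address and port come from the context)`. The comment also lists bind, sendmsg and recvmsg although only the CONNECT4/CONNECT6 hooks are added, so it should say that only connect() is covered for now; traffic sent without connect(), such as UDP sendmsg to an explicit destination, does not pass through these hooks. The enum starts and ends outside the hunk.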

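--- a/src/libbpfilter/include/bpfilter/hook.h
+++ b/src/libbpfilter/include/bpfilter/hook.h
@@ -40,6 +40,8 @@ enum bf_hook
 BF_HOOK_NF_LOCAL_OUT,
 BF_HOOK_NF_POST_ROUTING,
 BF_HOOK_TC_EGRESS,
+BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4,
+BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6,
 _BF_HOOK_MAX,
 };
 
@@ -139,7 +141,7 @@ struct bf_hookopts
 // XDP and TC
 int ifindex;
 
-// cgroup_skb
+// cgroup_skb and cgroup_sock_addr
 const char *cgpath;
 
 // Netfilter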

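--- a/src/libbpfilter/matcher.c
+++ b/src/libbpfilter/matcher.c
@@ -839,6 +839,8 @@ static struct bf_matcher_meta _bf_matcher_metas[_BF_MATCHER_TYPE_MAX] = {
 [BF_MATCHER_META_IFACE] =
 {
 .layer = BF_MATCHER_NO_LAYER,
+.unsupported_hooks = BF_FLAGS(BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4,
+BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6),
 .ops =
 {
 BF_MATCHER_OPS(BF_MATCHER_EQ, sizeof(uint32_t),
@@ -848,6 +850,8 @@ static struct bf_matcher_meta _bf_matcher_metas[_BF_MATCHER_TYPE_MAX] = {
 [BF_MATCHER_META_L3_PROTO] =
 {
 .layer = BF_MATCHER_NO_LAYER,
+.unsupported_hooks = BF_FLAGS(BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4,
+BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6),
 .ops =
 {
 BF_MATCHER_OPS(BF_MATCHER_EQ, sizeof(uint16_t),
@@ -857,6 +861,8 @@ static struct bf_matcher_meta _bf_matcher_metas[_BF_MATCHER_TYPE_MAX] = {
 [BF_MATCHER_META_L4_PROTO] =
 {
 .layer = BF_MATCHER_NO_LAYER,
+.unsupported_hooks = BF_FLAGS(BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4,
+BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6),
 .ops =
 {
 BF_MATCHER_OPS(BF_MATCHER_EQ, sizeof(uint16_t),
@@ -868,6 +874,8 @@ static struct bf_matcher_meta _bf_matcher_metas[_BF_MATCHER_TYPE_MAX] = {
 [BF_MATCHER_META_SPORT] =
 {
 .layer = BF_MATCHER_NO_LAYER,
+.unsupported_hooks = BF_FLAGS(BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4,
+BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6),
 .ops =
 {
 BF_MATCHER_OPS(BF_MATCHER_EQ, sizeof(uint16_t),
@@ -882,6 +890,8 @@ static struct bf_matcher_meta _bf_matcher_metas[_BF_MATCHER_TYPE_MAX] = {
 [BF_MATCHER_META_DPORT] =
 {
 .layer = BF_MATCHER_NO_LAYER,
+.unsupported_hooks = BF_FLAGS(BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4,
+BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6),
 .ops =
 {
 BF_MATCHER_OPS(BF_MATCHER_EQ, sizeof(uint16_t),
@@ -896,6 +906,8 @@ static struct bf_matcher_meta _bf_matcher_metas[_BF_MATCHER_TYPE_MAX] = {
 [BF_MATCHER_META_PROBABILITY] =
 {
 .layer = BF_MATCHER_NO_LAYER,
+.unsupported_hooks = BF_FLAGS(BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4,
+BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6),
 .ops =
 {
 BF_MATCHER_OPS(BF_MATCHER_EQ, sizeof(float),
@@ -906,7 +918,9 @@ static struct bf_matcher_meta _bf_matcher_metas[_BF_MATCHER_TYPE_MAX] = {
 [BF_MATCHER_META_MARK] =
 {
 .layer = BF_MATCHER_NO_LAYER,
-.unsupported_hooks = BF_FLAGS(BF_HOOK_XDP),
+.unsupported_hooks =
+BF_FLAGS(BF_HOOK_XDP, BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4,
+BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6),
 .ops =
 {
 BF_MATCHER_OPS(BF_MATCHER_EQ, sizeof(uint32_t),
@@ -922,7 +936,9 @@ static struct bf_matcher_meta _bf_matcher_metas[_BF_MATCHER_TYPE_MAX] = {
 BF_FLAGS(BF_HOOK_XDP, BF_HOOK_CGROUP_SKB_INGRESS,
 BF_HOOK_CGROUP_SKB_EGRESS, BF_HOOK_NF_FORWARD,
 BF_HOOK_NF_LOCAL_IN, BF_HOOK_NF_LOCAL_OUT,
-BF_HOOK_NF_POST_ROUTING, BF_HOOK_NF_PRE_ROUTING),
+BF_HOOK_NF_POST_ROUTING, BF_HOOK_NF_PRE_ROUTING,
+BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4,
+BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6),
 .ops =
 {
 BF_MATCHER_OPS(BF_MATCHER_EQ, sizeof(uint32_t),
@@ -938,7 +954,9 @@ static struct bf_matcher_meta _bf_matcher_metas[_BF_MATCHER_TYPE_MAX] = {
 .layer = BF_MATCHER_NO_LAYER,
 .unsupported_hooks = BF_FLAGS(
 BF_HOOK_NF_FORWARD, BF_HOOK_NF_LOCAL_IN, BF_HOOK_NF_LOCAL_OUT,
-BF_HOOK_NF_POST_ROUTING, BF_HOOK_NF_PRE_ROUTING),
+BF_HOOK_NF_POST_ROUTING, BF_HOOK_NF_PRE_ROUTING,
+BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4,
+BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6),
 .ops =
 {
 BF_MATCHER_OPS(BF_MATCHER_EQ, sizeof(float),
@@ -949,6 +967,8 @@ static struct bf_matcher_meta _bf_matcher_metas[_BF_MATCHER_TYPE_MAX] = {
 [BF_MATCHER_IP4_SADDR] =
 {
 .layer = BF_MATCHER_LAYER_3,
+.unsupported_hooks = BF_FLAGS(BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4,
+BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6),
 .hdr_id = ETH_P_IP,
 .hdr_payload_size = sizeof(uint32_t),
 .hdr_payload_offset = offsetof(struct iphdr, saddr),
@@ -965,6 +985,8 @@ static struct bf_matcher_meta _bf_matcher_metas[_BF_MATCHER_TYPE_MAX] = {
 [BF_MATCHER_IP4_DADDR] =
 {
 .layer = BF_MATCHER_LAYER_3,
+.unsupported_hooks = BF_FLAGS(BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4,
+BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6),
 .hdr_id = ETH_P_IP,
 .hdr_payload_size = sizeof(uint32_t),
 .hdr_payload_offset = offsetof(struct iphdr, daddr),
@@ -981,6 +1003,8 @@ static struct bf_matcher_meta _bf_matcher_metas[_BF_MATCHER_TYPE_MAX] = {
 [BF_MATCHER_IP4_SNET] =
 {
 .layer = BF_MATCHER_LAYER_3,
+.unsupported_hooks = BF_FLAGS(BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4,
+BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6),
 .hdr_id = ETH_P_IP,
 .hdr_payload_size = sizeof(uint32_t),
 .hdr_payload_offset = offsetof(struct iphdr, saddr),
@@ -997,6 +1021,8 @@ static struct bf_matcher_meta _bf_matcher_metas[_BF_MATCHER_TYPE_MAX] = {
 [BF_MATCHER_IP4_DNET] =
 {
 .layer = BF_MATCHER_LAYER_3,
+.unsupported_hooks = BF_FLAGS(BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4,
+BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6),
 .hdr_id = ETH_P_IP,
 .hdr_payload_size = sizeof(uint32_t),
 .hdr_payload_offset = offsetof(struct iphdr, daddr),
@@ -1013,6 +1039,8 @@ static struct bf_matcher_meta _bf_matcher_metas[_BF_MATCHER_TYPE_MAX] = {
 [BF_MATCHER_IP4_PROTO] =
 {
 .layer = BF_MATCHER_LAYER_3,
+.unsupported_hooks = BF_FLAGS(BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4,
+BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6),
 .hdr_id = ETH_P_IP,
 .hdr_payload_size = sizeof(uint8_t),
 .hdr_payload_offset = offsetof(struct iphdr, protocol),
@@ -1029,6 +1057,8 @@ static struct bf_matcher_meta _bf_matcher_metas[_BF_MATCHER_TYPE_MAX] = {
 [BF_MATCHER_IP4_DSCP] =
 {
 .layer = BF_MATCHER_LAYER_3,
+.unsupported_hooks = BF_FLAGS(BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4,
+BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6),
 .hdr_id = ETH_P_IP,
 .hdr_payload_size = sizeof(uint8_t),
 .hdr_payload_offset = offsetof(struct iphdr, tos),
@@ -1043,6 +1073,8 @@ static struct bf_matcher_meta _bf_matcher_metas[_BF_MATCHER_TYPE_MAX] = {
 [BF_MATCHER_IP6_SADDR] =
 {
 .layer = BF_MATCHER_LAYER_3,
+.unsupported_hooks = BF_FLAGS(BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4,
+BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6),
 .hdr_id = ETH_P_IPV6,
 .hdr_payload_size = sizeof(struct in6_addr),
 .hdr_payload_offset = offsetof(struct ipv6hdr, saddr),
@@ -1059,6 +1091,8 @@ static struct bf_matcher_meta _bf_matcher_metas[_BF_MATCHER_TYPE_MAX] = {
 [BF_MATCHER_IP6_DADDR] =
 {
 .layer = BF_MATCHER_LAYER_3,
+.unsupported_hooks = BF_FLAGS(BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4,
+BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6),
 .hdr_id = ETH_P_IPV6,
 .hdr_payload_size = sizeof(struct in6_addr),
 .hdr_payload_offset = offsetof(struct ipv6hdr, daddr),
@@ -1075,6 +1109,8 @@ static struct bf_matcher_meta _bf_matcher_metas[_BF_MATCHER_TYPE_MAX] = {
 [BF_MATCHER_IP6_SNET] =
 {
 .layer = BF_MATCHER_LAYER_3,
+.unsupported_hooks = BF_FLAGS(BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4,
+BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6),
 .hdr_id = ETH_P_IPV6,
 .hdr_payload_size = sizeof(struct in6_addr),
 .hdr_payload_offset = offsetof(struct ipv6hdr, saddr),
@@ -1091,6 +1127,8 @@ static struct bf_matcher_meta _bf_matcher_metas[_BF_MATCHER_TYPE_MAX] = {
 [BF_MATCHER_IP6_DNET] =
 {
 .layer = BF_MATCHER_LAYER_3,
+.unsupported_hooks = BF_FLAGS(BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4,
+BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6),
 .hdr_id = ETH_P_IPV6,
 .hdr_payload_size = sizeof(struct in6_addr),
 .hdr_payload_offset = offsetof(struct ipv6hdr, daddr),
@@ -1107,6 +1145,8 @@ static struct bf_matcher_meta _bf_matcher_metas[_BF_MATCHER_TYPE_MAX] = {
 [BF_MATCHER_IP6_NEXTHDR] =
 {
 .layer = BF_MATCHER_LAYER_3,
+.unsupported_hooks = BF_FLAGS(BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4,
+BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6),
 .hdr_id = ETH_P_IPV6,
 .hdr_payload_size = sizeof(uint8_t),
 .hdr_payload_offset = offsetof(struct ipv6hdr, nexthdr),
@@ -1123,6 +1163,8 @@ static struct bf_matcher_meta _bf_matcher_metas[_BF_MATCHER_TYPE_MAX] = {
 [BF_MATCHER_IP6_DSCP] =
 {
 .layer = BF_MATCHER_LAYER_3,
+.unsupported_hooks = BF_FLAGS(BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4,
+BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6),
 .hdr_id = ETH_P_IPV6,
 .hdr_payload_size = sizeof(uint8_t),
 .hdr_payload_offset = 0,
@@ -1137,6 +1179,8 @@ static struct bf_matcher_meta _bf_matcher_metas[_BF_MATCHER_TYPE_MAX] = {
 [BF_MATCHER_TCP_SPORT] =
 {
 .layer = BF_MATCHER_LAYER_4,
+.unsupported_hooks = BF_FLAGS(BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4,
+BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6),
 .hdr_id = IPPROTO_TCP,
 .hdr_payload_size = sizeof(uint16_t),
 .hdr_payload_offset = offsetof(struct tcphdr, source),
@@ -1156,6 +1200,8 @@ static struct bf_matcher_meta _bf_matcher_metas[_BF_MATCHER_TYPE_MAX] = {
 [BF_MATCHER_TCP_DPORT] =
 {
 .layer = BF_MATCHER_LAYER_4,
+.unsupported_hooks = BF_FLAGS(BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4,
+BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6),
 .hdr_id = IPPROTO_TCP,
 .hdr_payload_size = sizeof(uint16_t),
 .hdr_payload_offset = offsetof(struct tcphdr, dest),
@@ -1175,6 +1221,8 @@ static struct bf_matcher_meta _bf_matcher_metas[_BF_MATCHER_TYPE_MAX] = {
 [BF_MATCHER_TCP_FLAGS] =
 {
 .layer = BF_MATCHER_LAYER_4,
+.unsupported_hooks = BF_FLAGS(BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4,
+BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6),
 .hdr_id = IPPROTO_TCP,
 .hdr_payload_size = sizeof(uint8_t),
 .hdr_payload_offset = _BF_TCP_FLAGS_OFFSET,
@@ -1193,6 +1241,8 @@ static struct bf_matcher_meta _bf_matcher_metas[_BF_MATCHER_TYPE_MAX] = {
 [BF_MATCHER_UDP_SPORT] =
 {
 .layer = BF_MATCHER_LAYER_4,
+.unsupported_hooks = BF_FLAGS(BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4,
+BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6),
 .hdr_id = IPPROTO_UDP,
 .hdr_payload_size = sizeof(uint16_t),
 .hdr_payload_offset = offsetof(struct udphdr, source),
@@ -1212,6 +1262,8 @@ static struct bf_matcher_meta _bf_matcher_metas[_BF_MATCHER_TYPE_MAX] = {
 [BF_MATCHER_UDP_DPORT] =
 {
 .layer = BF_MATCHER_LAYER_4,
+.unsupported_hooks = BF_FLAGS(BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4,
+BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6),
 .hdr_id = IPPROTO_UDP,
 .hdr_payload_size = sizeof(uint16_t),
 .hdr_payload_offset = offsetof(struct udphdr, dest),
@@ -1231,6 +1283,8 @@ static struct bf_matcher_meta _bf_matcher_metas[_BF_MATCHER_TYPE_MAX] = {
 [BF_MATCHER_ICMP_TYPE] =
 {
 .layer = BF_MATCHER_LAYER_4,
+.unsupported_hooks = BF_FLAGS(BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4,
+BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6),
 .hdr_id = IPPROTO_ICMP,
 .hdr_payload_size = sizeof(uint8_t),
 .hdr_payload_offset = offsetof(struct icmphdr, type),
@@ -1247,6 +1301,8 @@ static struct bf_matcher_meta _bf_matcher_metas[_BF_MATCHER_TYPE_MAX] = {
 [BF_MATCHER_ICMP_CODE] =
 {
 .layer = BF_MATCHER_LAYER_4,
+.unsupported_hooks = BF_FLAGS(BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4,
+BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6),
 .hdr_id = IPPROTO_ICMP,
 .hdr_payload_size = sizeof(uint8_t),
 .hdr_payload_offset = offsetof(struct icmphdr, code),
@@ -1263,6 +1319,8 @@ static struct bf_matcher_meta _bf_matcher_metas[_BF_MATCHER_TYPE_MAX] = {
 [BF_MATCHER_ICMPV6_TYPE] =
 {
 .layer = BF_MATCHER_LAYER_4,
+.unsupported_hooks = BF_FLAGS(BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4,
+BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6),
 .hdr_id = IPPROTO_ICMPV6,
 .hdr_payload_size = sizeof(uint8_t),
 .hdr_payload_offset = offsetof(struct icmp6hdr, icmp6_type),
@@ -1282,6 +1340,8 @@ static struct bf_matcher_meta _bf_matcher_metas[_BF_MATCHER_TYPE_MAX] = {
 [BF_MATCHER_ICMPV6_CODE] =
 {
 .layer = BF_MATCHER_LAYER_4,
+.unsupported_hooks = BF_FLAGS(BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4,
+BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6),
 .hdr_id = IPPROTO_ICMPV6,
 .hdr_payload_size = sizeof(uint8_t),
 .hdr_payload_offset = offsetof(struct icmp6hdr, icmp6_code),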
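Review bot: Blocking the packet matchers on the connect hooks is done by opt-out: every `_bf_matcher_metas` entry has to list `BF_HOOK_CGROUP_SOCK_ADDR_CONNECT4` and `BF_HOOK_CGROUP_SOCK_ADDR_CONNECT6` in `.unsupported_hooks`, so an entry missed here, or a matcher added later, is silently accepted on a hook whose context carries no packet headers. Entries outside the visible hunks cannot be checked from this page, and the table itself starts and ends outside them. A unit test that walks all `_BF_MATCHER_TYPE_MAX` entries and asserts both bits are set would make the rule fail closed until sock_addr-specific matchers exist. The same two-hook pair is repeated in all thirty hunks of this file; one named constant for the pair would keep the entries in step, together with a comment at the top of the table such as `/* packet matchers: not valid on cgroup_sock_addr hooks, which see no packet data */`.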
