ebpf: add helper to retrieve net_cls's classid cookie

It would be very useful to retrieve the net_cls's classid from an eBPF program to allow for a more fine-grained classification, it could be directly used or in conjunction with additional policies. I.e. docker, but also tooling such as cgexec, can easily run applications via net_cls cgroups: cgcreate -g net_cls:/foo echo 42 > foo/net_cls.classid cgexec -g net_cls:foo <prog> Thus, their respecitve classid cookie of foo can then be looked up on the egress path to apply further policies. The helper is desigend such that a non-zero value returns the cgroup id. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Cc: Thomas Graf <tgraf@suug.ch> Acked-by: Alexei Starovoitov <ast@plumgrid.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Daniel Borkmann <daniel@iogearbox.net> 2015-07-15 14:21:42 +0200
committer: David S. Miller <davem@davemloft.net> 2015-07-20 12:41:30 -0700
commit: 8d20aabe1c76cccac544d9fcc3ad7823d9e98a2d (patch)
tree: be182dc2e3829040518d72c41363ffec458f1245 /include
parent: b87a173e25d6bf5c26f13d329cdddf57dbd4061a (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index 29ef6f99e43d..2de87e58b12b 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -249,6 +249,13 @@ enum bpf_func_id {
 	 * Return: 0 on success
 	 */
 	BPF_FUNC_get_current_comm,
+
+	/**
+	 * bpf_get_cgroup_classid(skb) - retrieve a proc's classid
+	 * @skb: pointer to skb
+	 * Return: classid if != 0
+	 */
+	BPF_FUNC_get_cgroup_classid,
 	__BPF_FUNC_MAX_ID,
 };
author	Daniel Borkmann <daniel@iogearbox.net>	2015-07-15 14:21:42 +0200
committer	David S. Miller <davem@davemloft.net>	2015-07-20 12:41:30 -0700
commit	8d20aabe1c76cccac544d9fcc3ad7823d9e98a2d (patch)
tree	be182dc2e3829040518d72c41363ffec458f1245 /include
parent	b87a173e25d6bf5c26f13d329cdddf57dbd4061a (diff)