Wu J
Reputation: 3
where is the entry point in kernel for an eBPF msg_verdict program?
From the git log of linux at 174a7, I know the verdict flow is given as below
- recv_sock -> str_parser (parse_prog) -> verdict_prog -> skb_send_sock
I wonder what the flow is when there is only msg_verdict program.
tracing tcp_bpf_sendmsg(), I can see socket get parsed, but how does it pass to verdict part?
tcp_bpf_sendmsg
tcp_bpf_send_verdict
sk_psock_msg_verdict
...
prog = READ_ONCE(psock->progs.msg_parser)
...
ret = bpf_prog_run_pin_on_cpu(prog, msg)
Upvotes: 0
Views: 82
Answers (1)
pchaigno
Reputation: 13133
This progs.msg_parser BPF program is actually the program you attached with BPF_SK_MSG_VERDICT, i.e. the program that will return a verdict (ex. __SK_PASS).
That can be observed by looking at the kernel code used to lookup and update programs attached to the sockmap:
static int sock_map_prog_lookup(struct bpf_map *map, struct bpf_prog ***pprog,
u32 which)
{
struct sk_psock_progs *progs = sock_map_progs(map);
...
switch (which) {
case BPF_SK_MSG_VERDICT:
*pprog = &progs->msg_parser;
break;
Although that may seem surprising, it is confirmed by the documentation: https://docs.kernel.org/bpf/map_sockmap.html (search for BPF_SK_MSG_VERDICT).
Upvotes: 0
Related Questions
- Different byte order in BPF program
- Problem loading eBPF/XDP program into the kernel
- Error While Compiling xdp ebpf kernel program
- How can an ebpf program change kernel execution flow or call kernel functions?
- eBPF: How to use `bpf_map_update_elem` to send data from kernel space?
- bounded loops in ebpf. Does now the verifier check if the program is a DAG?
- Argument list too long to when loading an eBPF program via the bpf syscall