    sock: make cookie generation global instead of per netns · cd48bdda
    Daniel Borkmann authored
    Generating and retrieving socket cookies are a useful feature that is
    exposed to BPF for various program types through bpf_get_socket_cookie()
    helper.
    
    The fact that the cookie counter is per netns is quite a limitation
    for BPF in practice in particular for programs in host namespace that
    use socket cookies as part of a map lookup key since they will be
    causing socket cookie collisions e.g. when attached to BPF cgroup hooks
    or cls_bpf on tc egress in host namespace handling container traffic
    from veth or ipvlan devices with peer in different netns. Change the
    counter to be global instead.
    
    Socket cookie consumers must assume the value as opaque in any case.
    Not every socket must have a cookie generated and knowledge of the
    counter value itself does not provide much value either way hence
    conversion to global is fine.
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Cc: Eric Dumazet <edumazet@google.com>
    Cc: Alexei Starovoitov <ast@kernel.org>
    Cc: Willem de Bruijn <willemb@google.com>
    Cc: Martynas Pumputis <m@lambda.lt>
    Signed-off-by: David S. Miller <davem@davemloft.net>
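The collision the commit message describes, as an added illustration that is not kernel code and not part of the commit: a small constructed model of lazy cookie generation (a socket gets a cookie only when first asked) with a per-netns counter versus one shared counter. Names such as `gen_cookie_per_netns`, `gen_cookie_global` and `cookies_collide` are invented for this model.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed model, not the kernel's structures: a netns carries its own
 * counter (old scheme); a socket remembers its cookie once generated. */
struct netns { uint64_t cookie_gen; };
struct sock  { struct netns *net; uint64_t sk_cookie; };

/* Single counter shared by every netns (new scheme). */
static uint64_t global_cookie_gen;

/* Old behaviour: cookie taken from the socket's own netns counter.
 * A cookie of 0 means "not generated yet", so generation is lazy. */
static uint64_t gen_cookie_per_netns(struct sock *sk)
{
    if (sk->sk_cookie == 0)
        sk->sk_cookie = ++sk->net->cookie_gen;
    return sk->sk_cookie;
}

/* New behaviour: same lazy generation, but from the global counter. */
static uint64_t gen_cookie_global(struct sock *sk)
{
    if (sk->sk_cookie == 0)
        sk->sk_cookie = ++global_cookie_gen;
    return sk->sk_cookie;
}

/* A host-namespace BPF program keys a map by cookie. Would the first socket
 * of the host netns and the first socket of a container netns share a key?
 * Returns true when the two cookies collide. */
static bool cookies_collide(uint64_t (*gen)(struct sock *))
{
    struct netns host = { 0 }, container = { 0 };
    struct sock host_sk = { &host, 0 }, cont_sk = { &container, 0 };
    return gen(&host_sk) == gen(&cont_sk);
}

/* Laziness check: a socket never queried keeps cookie 0. */
static bool untouched_socket_has_no_cookie(void)
{
    struct netns ns = { 0 };
    struct sock queried = { &ns, 0 }, idle = { &ns, 0 };
    (void)gen_cookie_global(&queried);
    return idle.sk_cookie == 0 && queried.sk_cookie != 0;
}
```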