• Alexei Starovoitov's avatar
    bpf: multi program support for cgroup+bpf · 324bda9e
    Alexei Starovoitov authored
    introduce BPF_F_ALLOW_MULTI flag that can be used to attach multiple
    bpf programs to a cgroup.
    
    The difference between three possible flags for BPF_PROG_ATTACH command:
    - NONE(default): No further bpf programs allowed in the subtree.
    - BPF_F_ALLOW_OVERRIDE: If a sub-cgroup installs some bpf program,
      the program in this cgroup yields to sub-cgroup program.
    - BPF_F_ALLOW_MULTI: If a sub-cgroup installs some bpf program,
      that cgroup program gets run in addition to the program in this cgroup.
    
    NONE and BPF_F_ALLOW_OVERRIDE existed before. This patch doesn't
    change their behavior. It only clarifies the semantics in relation
    to new flag.
    
    Only one program is allowed to be attached to a cgroup with
    NONE or BPF_F_ALLOW_OVERRIDE flag.
    Multiple programs are allowed to be attached to a cgroup with
    BPF_F_ALLOW_MULTI flag. They are executed in FIFO order
    (those that were attached first, run first)
    The programs of sub-cgroup are executed first, then programs of
    this cgroup and then programs of parent cgroup.
    All eligible programs are executed regardless of return code from
    earlier programs.
    
    To allow efficient execution of multiple programs attached to a cgroup
    and to avoid penalizing cgroups without any programs attached
    introduce 'struct bpf_prog_array' which is RCU protected array
    of pointers to bpf programs.
    Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
    Acked-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
    Acked-by: default avatarMartin KaFai Lau <kafai@fb.com>
    for cgroup bits
    Acked-by: default avatarTejun Heo <tj@kernel.org>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    324bda9e
filter.h 26.4 KB