On 7/29/25 2:09 AM, Mahe Tardy wrote:
On Mon, Jul 28, 2025 at 06:18:11PM -0700, Martin KaFai Lau wrote:
On 7/28/25 2:43 AM, Mahe Tardy wrote:
+SEC("cgroup_skb/egress")
+int egress(struct __sk_buff *skb)
+{
+ void *data = (void *)(long)skb->data;
+ void *data_end = (void *)(long)skb->data_end;
+ struct iphdr *iph;
+ struct tcphdr *tcph;
+
+ iph = data;
+ if ((void *)(iph + 1) > data_end || iph->version != 4 ||
+ iph->protocol != IPPROTO_TCP || iph->daddr != bpf_htonl(SERVER_IP))
+ return SK_PASS;
+
+ tcph = (void *)iph + iph->ihl * 4;
+ if ((void *)(tcph + 1) > data_end ||
+ tcph->dest != bpf_htons(SERVER_PORT))
+ return SK_PASS;
+
+ kfunc_ret = bpf_icmp_send_unreach(skb, unreach_code);
+
+ /* returns SK_PASS to execute the test case quicker */
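Review bot: `tcph = (void *)iph + iph->ihl * 4;` uses `iph->ihl` without checking that it is at least 5, so a header length below the 20-byte minimum would place `tcph` inside the IP header and the `tcph->dest` comparison would read IP header bytes. Since selftest code like this tends to be copied, consider adding `iph->ihl < 5` to the first condition that returns SK_PASS. The existing `(void *)(tcph + 1) > data_end` check already covers the upper bound.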
Do you know why the user space is slower if 0 (SK_DROP) is used?
I tried to write my understanding of this in the commit description:
"Note that the BPF program returns SK_PASS to let the connection being
established to finish the test cases quicker. Otherwise, you have to
wait for the TCP three-way handshake to timeout in the kernel and
retrieve the errno translated from the unreach code set by the ICMP
control message."
This feels a bit hacky to let the 3WHS finish while the objective of the
patch set is to drop it. It is not unusual for people to directly borrow this
code. Does non-blocking connect() help?