path: root/include/uapi/linux/bpf.h
author: Daniel Borkmann <daniel@iogearbox.net> 2019-08-08 07:57:25 -0400
committer: David S. Miller <davem@davemloft.net> 2019-08-09 16:14:46 -0400
commit: cd48bdda4fb82c2fe569d97af4217c530168c99c
tree: 216caa17af9205eee4c0894fab16af0167408849 /include/uapi/linux/bpf.h
parent: 7bac762d8da39ae215171bfa93c6662894ce17dc
sock: make cookie generation global instead of per netns
Generating and retrieving socket cookies are a useful feature that is exposed to BPF for various program types through bpf_get_socket_cookie() helper. The fact that the cookie counter is per netns is quite a limitation for BPF in practice in particular for programs in host namespace that use socket cookies as part of a map lookup key since they will be causing socket cookie collisions e.g. when attached to BPF cgroup hooks or cls_bpf on tc egress in host namespace handling container traffic from veth or ipvlan devices with peer in different netns. Change the counter to be global instead. Socket cookie consumers must assume the value as opaque in any case. Not every socket must have a cookie generated and knowledge of the counter value itself does not provide much value either way hence conversion to global is fine.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Willem de Bruijn <willemb@google.com>
Cc: Martynas Pumputis <m@lambda.lt>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/uapi/linux/bpf.h')
-rw-r--r-- include/uapi/linux/bpf.h 4
1 files changed, 2 insertions, 2 deletions
diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index fa1c753dcdbc..a5aa7d3ac6a1 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -1466,8 +1466,8 @@ union bpf_attr {
1466 * If no cookie has been set yet, generate a new cookie. Once 1466 * If no cookie has been set yet, generate a new cookie. Once
1467 * generated, the socket cookie remains stable for the life of the 1467 * generated, the socket cookie remains stable for the life of the
1468 * socket. This helper can be useful for monitoring per socket 1468 * socket. This helper can be useful for monitoring per socket
1469 * networking traffic statistics as it provides a unique socket 1469 * networking traffic statistics as it provides a global socket
1470 * identifier per namespace. 1470 * identifier that can be assumed unique.
1471 * Return 1471 * Return
1472 * A 8-byte long non-decreasing number on success, or 0 if the 1472 * A 8-byte long non-decreasing number on success, or 0 if the
1473 * socket field is missing inside *skb*. 1473 * socket field is missing inside *skb*.
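Review bot: The Return text left as context at line 1472 still promises "A 8-byte long non-decreasing number", while the commit message says consumers must treat the cookie as opaque; since this hunk already rewords the description, it should say there that the value is opaque and that no ordering or counter meaning should be read into it. The new wording at lines 1469-1470, "a global socket identifier that can be assumed unique", also drops the scope the old text gave ("per namespace") without naming the new one; something like "unique across all network namespaces" would tell readers who use the cookie as a map lookup key what they can rely on. Minor style point: "A 8-byte" should read "An 8-byte".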