From 8e4a7945192be617d12a9c171d96927d901b30ba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?=
Date: Thu, 2 Mar 2023 00:07:00 +0000
Subject: [PATCH] netd bpf - no-op code hygiene fix for DROP_UNLESS_DNS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We only ever return DROP_UNLESS_DNS on ingress, so the ordering doesn't actually matter.

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski
Change-Id: I742b85748433f5319d518bebc05d976d630b72e7
---
 bpf_progs/netd.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/bpf_progs/netd.c b/bpf_progs/netd.c
index 84da79d971..cb0da19291 100644
--- a/bpf_progs/netd.c
+++ b/bpf_progs/netd.c
@@ -415,11 +415,6 @@ static __always_inline inline int bpf_traffic_account(struct __sk_buff* skb, boo
  }
 
  int match = bpf_owner_match(skb, sock_uid, egress, kver);
- if (egress && (match == DROP)) {
- // If an outbound packet is going to be dropped, we do not count that
- // traffic.
- return match;
- }
 
  // Workaround for secureVPN with VpnIsolation enabled, refer to b/159994981 for details.
  // Keep TAG_SYSTEM_DNS in sync with DnsResolver/include/netd_resolv/resolv.h
@@ -432,6 +427,9 @@ static __always_inline inline int bpf_traffic_account(struct __sk_buff* skb, boo
  if (match == DROP_UNLESS_DNS) match = DROP;
  }
 
+ // If an outbound packet is going to be dropped, we do not count that traffic.
+ if (egress && (match == DROP)) return DROP;
+
  StatsKey key = {.uid = uid, .tag = tag, .counterSet = 0, .ifaceIndex = skb->ifindex};
 
  uint8_t* counterSet = bpf_uid_counterset_map_lookup_elem(&uid);
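Review bot: The relocated early return in the second hunk now depends on an ordering that nothing in the code records. Placed after `if (match == DROP_UNLESS_DNS) match = DROP;`, it also skips accounting for an egress packet whose verdict was resolved from DROP_UNLESS_DNS, whereas the old position would have let such a packet fall through to what is presumably the counting code below. The commit message says DROP_UNLESS_DNS is only ever returned on ingress, but bpf_owner_match() is outside this diff, so that invariant cannot be confirmed here and could silently stop holding if the matcher changes. I would extend the new comment to state it, e.g. `// Must stay after the DROP_UNLESS_DNS resolution above; DROP_UNLESS_DNS is ingress-only today, so egress accounting is unchanged.` The body of bpf_traffic_account starts before and continues past both hunks.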