| author | Maciej Żenczykowski <maze@google.com> | 2021-10-15 17:16:35 +0000 |
|---|---|---|
| committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | 2021-10-15 17:16:35 +0000 |
| commit | bd8d0563ffdf9ff26043a2f106b41ecc38eaaee5 (patch) | |
| tree | 95bb059adae9901fd6c2f2feb0bdcfbac413ceac | |
| parent | 344bb894d2dbdffcd1635685e6dce32bfd35206b (diff) | |
| parent | 88071ddc0739cef9adc05f8bf3b3ce0161062337 (diff) | |
Merge "add bpf prog that accounts for to-be-dropped packets filtered by tc"
| -rw-r--r-- | bpf_progs/netd.c | 9 | ||||
| -rw-r--r-- | libnetdbpf/include/netdbpf/bpf_shared.h | 3 |
2 files changed, 12 insertions, 0 deletions
diff --git a/bpf_progs/netd.c b/bpf_progs/netd.c
index e9e1477ff..bac393cd8 100644
--- a/bpf_progs/netd.c
+++ b/bpf_progs/netd.c
@@ -23,6 +23,7 @@
 #include <linux/in6.h>
 #include <linux/ip.h>
 #include <linux/ipv6.h>
+#include <linux/pkt_cls.h>
 #include <linux/tcp.h>
 #include <stdbool.h>
 #include <stdint.h>
@@ -318,6 +319,14 @@ DEFINE_BPF_PROG("skfilter/ingress/xtbpf", AID_ROOT, AID_NET_ADMIN, xt_bpf_ingres
 return BPF_MATCH;
 }
 
+DEFINE_BPF_PROG("schedact/ingress/account", AID_ROOT, AID_NET_ADMIN, tc_bpf_ingress_account_prog)
+(struct __sk_buff* skb) {
+ // Account for ingress traffic before tc drops it.
+ uint32_t key = skb->ifindex;
+ update_iface_stats_map(skb, BPF_INGRESS, &key);
+ return TC_ACT_UNSPEC;
+}
+
 DEFINE_BPF_PROG("skfilter/allowlist/xtbpf", AID_ROOT, AID_NET_ADMIN, xt_bpf_allowlist_prog)
 (struct __sk_buff* skb) {
 uint32_t sock_uid = bpf_get_socket_uid(skb);
diff --git a/libnetdbpf/include/netdbpf/bpf_shared.h b/libnetdbpf/include/netdbpf/bpf_shared.h
index 2fcb612de..8206e96c7 100644
--- a/libnetdbpf/include/netdbpf/bpf_shared.h
+++ b/libnetdbpf/include/netdbpf/bpf_shared.h
@@ -108,6 +108,9 @@ const int UID_OWNER_MAP_SIZE = 2000;
 #define XT_BPF_DENYLIST_PROG_PATH BPF_PATH "prog_netd_skfilter_denylist_xtbpf"
 #define CGROUP_SOCKET_PROG_PATH BPF_PATH "prog_netd_cgroupsock_inet_create"
 
+#define TC_BPF_INGRESS_ACCOUNT_PROG_NAME "prog_netd_schedact_ingress_account"
+#define TC_BPF_INGRESS_ACCOUNT_PROG_PATH BPF_PATH TC_BPF_INGRESS_ACCOUNT_PROG_NAME
+
 #define COOKIE_TAG_MAP_PATH BPF_PATH "map_netd_cookie_tag_map"
 #define UID_COUNTERSET_MAP_PATH BPF_PATH "map_netd_uid_counterset_map"
 #define APP_UID_STATS_MAP_PATH BPF_PATH "map_netd_app_uid_stats_map" |
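Review bot: The comment in tc_bpf_ingress_account_prog says the traffic is counted "before tc drops it", but nothing in the program enforces a drop: it returns `TC_ACT_UNSPEC`, which leaves the verdict to whatever the tc action is configured with at attach time. If the program were attached where packets continue up the stack, they would presumably be counted again by the later ingress accounting (xt_bpf_ingress_prog is only partly visible in this hunk). That would inflate the per-interface stats that quota or usage reporting may depend on. I would state the attach contract in the comment, for example `// Must only be attached where the configured tc action drops the packet; returns TC_ACT_UNSPEC, so a packet that is not dropped would be counted twice.`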
