Commit 435bf0d3 authored by John Fastabend's avatar John Fastabend Committed by David S. Miller

bpf: enforce TCP only support for sockmap

Only TCP sockets have been tested and at the moment the state change
callback only handles TCP sockets. This adds a check to ensure that
sockets actually being added are TCP sockets.

For net-next we can consider UDP support.
Signed-off-by: default avatarJohn Fastabend <>
Acked-by: default avatarDaniel Borkmann <>
Acked-by: default avatarAlexei Starovoitov <>
Signed-off-by: default avatarDavid S. Miller <>
parent 1cc276ce
......@@ -840,6 +840,12 @@ static int sock_map_update_elem(struct bpf_map *map,
return -EINVAL;
if (>sk_type != SOCK_STREAM ||>sk_protocol != IPPROTO_TCP) {
err = sock_map_ctx_update_elem(&skops, map, key, flags);
return err;
......@@ -466,7 +466,7 @@ static void test_sockmap(int tasks, void *data)
int one = 1, map_fd_rx, map_fd_tx, map_fd_break, s, sc, rc;
struct bpf_map *bpf_map_rx, *bpf_map_tx, *bpf_map_break;
int ports[] = {50200, 50201, 50202, 50204};
int err, i, fd, sfd[6] = {0xdeadbeef};
int err, i, fd, udp, sfd[6] = {0xdeadbeef};
u8 buf[20] = {0x0, 0x5, 0x3, 0x2, 0x1, 0x0};
int parse_prog, verdict_prog;
struct sockaddr_in addr;
......@@ -548,6 +548,16 @@ static void test_sockmap(int tasks, void *data)
goto out_sockmap;
/* Test update with unsupported UDP socket */
udp = socket(AF_INET, SOCK_DGRAM, 0);
i = 0;
err = bpf_map_update_elem(fd, &i, &udp, BPF_ANY);
if (!err) {
printf("Failed socket SOCK_DGRAM allowed '%i:%i'\n",
i, udp);
goto out_sockmap;
/* Test update without programs */
for (i = 0; i < 6; i++) {
err = bpf_map_update_elem(fd, &i, &sfd[i], BPF_ANY);
