[PATCH RFC 0/9] sk_buff: optimize layout for GRO

Florian Westphal fw at strlen.de
Sun Jul 25 16:25:28 UTC 2021

Paul Moore <paul at paul-moore.com> wrote:
> > There is the skb extension infra, does that work for you?
> I was hopeful that when the skb_ext capability was introduced we might
> be able to use it for the LSM(s), but when I asked netdev if they
> would be willing to accept patches to leverage the skb_ext
> infrastructure I was told "no".

I found


and from what I gather from your comments and that of Casey
I think skb extensions is the correct thing for this (i.e., needs
netlabel/secid config/enablement so typically won't be active on
a distro kernel by default).

It certainly makes more sense to me than doing lookups
in a hashtable based on a ID (I tried to do that to get rid of skb->nf_bridge
pointer years ago and it I could not figure out how to invalidate an entry
without adding a new skb destructor callback).

More information about the Linux-security-module-archive mailing list