aya-ebpf: TcContext, SkBuff: add set_tc_classid #1595

Open
ramos-99 wants to merge 1 commit into aya-rs:main from ramos-99:ebpf-tc-classid

@ramos-99 ramos-99 commented Jun 8, 2026

Follow-up to #1571, which added classid to SchedClassifier netlink
attach, setting TCA_BPF_CLASSID (the upper 16 bits of the class a
direct-action program routes to). The lower 16 bits are written by the
program into __sk_buff::tc_classid, but there was no safe way to write
that field from aya-ebpf, so a classifier had to go through a raw pointer
to the skb. This adds set_tc_classid on TcContext and SkBuff.

The field is write-only and only available on TcContext. The verifier
marks __sk_buff::tc_classid write-only for sched_cls/sched_act, so
a getter can't load, and it rejects writes from the program types behind
SkBuffContext (cgroup_skb, socket_filter, sk_skb), so the setter
would compile but fail to load there.

The integration test runs a classifier through BPF_PROG_TEST_RUN to
confirm the verifier accepts the write. It can't check routing: the
kernel leaves ctx_size_out at 0 for sched_cls, same as
test_classifier_test_run. That part was verified manually by attaching
a classifier on lo under an HTB qdisc and confirming packets are routed
to the class the program writes.

Refs: #886

Added/updated tests?

  • Yes

Checklist

  • Rust code has been formatted with cargo +nightly fmt.
  • All clippy lints have been fixed.
  • Unit tests are passing locally with cargo test.
  • The integration tests are passing locally.
  • I have blessed any API changes with cargo xtask public-api --bless.
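
The classid split described in this PR (upper 16 bits from TCA_BPF_CLASSID at attach time, lower 16 bits written by the program into `__sk_buff::tc_classid`), worked through for a tc handle such as `1:10`. This is an added example, not code from the PR or from aya. `ClassHandle`, `parse_handle` and `effective_classid` are hypothetical host-side helpers, and the recombination is a model of the split as the description states it.

```rust
// Added example: hypothetical helper names, not part of aya or this PR.

/// A tc class handle "major:minor"; tc writes both halves in hex.
#[derive(Debug, PartialEq, Clone, Copy)]
pub struct ClassHandle {
    pub major: u16,
    pub minor: u16,
}

/// Parse a handle such as "1:10" (minor is 0x10, i.e. 16 decimal).
pub fn parse_handle(s: &str) -> Result<ClassHandle, String> {
    let (maj, min) = s
        .split_once(':')
        .ok_or_else(|| format!("{s:?}: expected major:minor"))?;
    // Each half must fit in 16 bits; empty or oversized parts are rejected.
    let half = |part: &str, name: &str| {
        u16::from_str_radix(part, 16)
            .map_err(|e| format!("{s:?}: bad {name} {part:?}: {e}"))
    };
    Ok(ClassHandle { major: half(maj, "major")?, minor: half(min, "minor")? })
}

impl ClassHandle {
    /// Value to pass as TCA_BPF_CLASSID at attach time (upper 16 bits).
    pub fn attach_classid(self) -> u32 {
        u32::from(self.major) << 16
    }

    /// Value the classifier writes into __sk_buff::tc_classid (lower 16 bits).
    pub fn program_classid(self) -> u16 {
        self.minor
    }
}

/// Model of the split (assumption): upper half from attach, lower from program.
pub fn effective_classid(attach: u32, written: u32) -> u32 {
    (attach & 0xFFFF_0000) | (written & 0x0000_FFFF)
}

fn main() {
    // Constructed sample input: an HTB class created as "classid 1:10".
    let h = parse_handle("1:10").expect("valid handle");
    let full = effective_classid(h.attach_classid(), u32::from(h.program_classid()));
    println!("attach={:#010x} program={:#06x} effective={:x}:{:x}",
        h.attach_classid(), h.program_classid(), full >> 16, full & 0xffff);
}
```

Because tc handles are hexadecimal, `1:10` selects minor 16, so writing decimal 10 from the program would target class `1:a` instead.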

Expose set_tc_classid on TcContext and SkBuff so TC classifier
programs can set the skb TC class identifier, enabling packet
steering to HTB/CBQ traffic-control classes.

set_tc_classid is write-only by design: the BPF verifier
rejects reads of __sk_buff::tc_classid for sched_cls and
sched_act program types, so no getter is provided.

The method is not added to SkBuffContext because the BPF
verifier rejects writes to tc_classid from cgroup_skb,
socket_filter and sk_skb program types.

The integration test loads a classifier that calls
set_tc_classid and runs it via BPF_PROG_TEST_RUN to confirm
the BPF verifier accepts the write. Verifying the written
value through ctx_out is not possible for sched_cls programs:
the kernel does not populate ctx_out for that program type
(ctx_size_out is always 0).

Refs: aya-rs#886
Co-authored-by: Afonso Quintas <afonso.quintas@tecnico.ulisboa.pt>
@ramos-99 ramos-99 requested a review from a team as a code owner June 8, 2026 14:29
netlify Bot commented Jun 8, 2026

Deploy Preview for aya-rs-docs ready!

Built without sensitive environment variables

Name Link
🔨 Latest commit 1ac36ad
🔍 Latest deploy log https://app.netlify.com/projects/aya-rs-docs/deploys/6a26d22c6b0bc90008787cf8
😎 Deploy Preview https://deploy-preview-1595--aya-rs-docs.netlify.app