From the git log of linux at 174a7, I know the verdict flow is given as below
I wonder what the flow is when there is only msg_verdict program.
tracing tcp_bpf_sendmsg(), I can see socket get parsed, but how does it pass to verdict part?
tcp_bpf_sendmsg
tcp_bpf_send_verdict
sk_psock_msg_verdict
...
prog = READ_ONCE(psock->progs.msg_parser)
...
ret = bpf_prog_run_pin_on_cpu(prog, msg)
This progs.msg_parser BPF program is actually the program you attached with BPF_SK_MSG_VERDICT, i.e. the program that will return a verdict (ex. __SK_PASS).
That can be observed by looking at the kernel code used to lookup and update programs attached to the sockmap:
static int sock_map_prog_lookup(struct bpf_map *map, struct bpf_prog ***pprog,
u32 which)
{
struct sk_psock_progs *progs = sock_map_progs(map);
...
switch (which) {
case BPF_SK_MSG_VERDICT:
*pprog = &progs->msg_parser;
break;
Although that may seem surprising, it is confirmed by the documentation: https://docs.kernel.org/bpf/map_sockmap.html (search for BPF_SK_MSG_VERDICT).