net/core/filter.c | 2 ++ 1 file changed, 2 insertions(+)
We can already lookup sockets in XDP via the bpf_sk(c)_lookup_(udp|tcp)
helpers. This can be used to determine if a received packet is for an
established socket or not, for example in a load balancer.
But the TCP TIME-WAIT state needs special handling for this: packets
received for a TIME-WAIT socket can either belong to the current
incarnation of the connection, or a new incarnation. The only way to
determine this is to compare the sequence numbers.
Add the bpf_tcp_sock() helper in XDP to allow the socket sequence
numbers to be read.
---
Signed-off-by: Arthur Fabre <afabre@cloudflare.com>
---
net/core/filter.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/core/filter.c b/net/core/filter.c
index f04982d79d72e92f1b46ccd87633391e38c3da81..5e3a1951130369f070c3a373ea649bd10db412b6 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -8506,6 +8506,8 @@ xdp_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
return &bpf_sk_release_proto;
case BPF_FUNC_skc_lookup_tcp:
return &bpf_xdp_skc_lookup_tcp_proto;
+ case BPF_FUNC_tcp_sock:
+ return &bpf_tcp_sock_proto;
case BPF_FUNC_tcp_check_syncookie:
return &bpf_tcp_check_syncookie_proto;
case BPF_FUNC_tcp_gen_syncookie:
---
base-commit: d95d76aa772bf94df353b015b1cb38303d4a415d
change-id: 20260204-afabre-bpf_tcp_sock-117d03c6f0e3
Best regards,
--
Arthur Fabre <afabre@cloudflare.com>> But the TCP TIME-WAIT state needs special handling for this: packets
> received for a TIME-WAIT socket can either belong to the current
> incarnation of the connection, or a new incarnation. The only way to
> determine this is to compare the sequence numbers.
>
> Add the bpf_tcp_sock() helper in XDP to allow the socket sequence
> numbers to be read.
Can this approach work for TIME-WAIT sockets? Looking at bpf_tcp_sock() in
net/core/filter.c:
if (sk_fullsock(sk) && sk->sk_protocol == IPPROTO_TCP)
return (unsigned long)sk;
return (unsigned long)NULL;
And sk_fullsock() in include/net/sock.h:
static inline bool sk_fullsock(const struct sock *sk)
{
return (1 << sk->sk_state) & ~(TCPF_TIME_WAIT | TCPF_NEW_SYN_RECV);
}
TIME-WAIT sockets are explicitly excluded by sk_fullsock(), so bpf_tcp_sock()
returns NULL for them. The sequence numbers stored in TIME-WAIT sockets
(skc_tw_rcv_nxt and skc_tw_snd_nxt in sock_common) would not be accessible
through this helper.
The change itself is useful for accessing tcp_sock fields from established
connections in XDP, but the commit message implies this solves the TIME-WAIT
sequence number problem described, which doesn't appear to be the case.
---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21671977729
AI-authorship-score: low
AI-authorship-explanation: The commit message style is consistent with human-written kernel patches, with natural technical language and standard formatting; the technical error is more likely human oversight than AI hallucination.
issues-found: 1
issue-severity-score: low
issue-severity-explanation: The issue is a misleading commit message that claims the change enables TIME-WAIT socket sequence number reading, but the bpf_tcp_sock() helper explicitly returns NULL for TIME-WAIT sockets.
On 2/4/26 5:04 AM, bot+bpf-ci@kernel.org wrote:
>> But the TCP TIME-WAIT state needs special handling for this: packets
>> received for a TIME-WAIT socket can either belong to the current
>> incarnation of the connection, or a new incarnation. The only way to
>> determine this is to compare the sequence numbers.
>>
>> Add the bpf_tcp_sock() helper in XDP to allow the socket sequence
>> numbers to be read.
>
> Can this approach work for TIME-WAIT sockets? Looking at bpf_tcp_sock() in
> net/core/filter.c:
>
> if (sk_fullsock(sk) && sk->sk_protocol == IPPROTO_TCP)
> return (unsigned long)sk;
> return (unsigned long)NULL;
>
> And sk_fullsock() in include/net/sock.h:
>
> static inline bool sk_fullsock(const struct sock *sk)
> {
> return (1 << sk->sk_state) & ~(TCPF_TIME_WAIT | TCPF_NEW_SYN_RECV);
> }
>
> TIME-WAIT sockets are explicitly excluded by sk_fullsock(), so bpf_tcp_sock()
> returns NULL for them. The sequence numbers stored in TIME-WAIT sockets
> (skc_tw_rcv_nxt and skc_tw_snd_nxt in sock_common) would not be accessible
> through this helper.
>
> The change itself is useful for accessing tcp_sock fields from established
> connections in XDP, but the commit message implies this solves the TIME-WAIT
> sequence number problem described, which doesn't appear to be the case.
or use "tp = bpf_core_cast(sk, struct tcp_sock /* or tcp_timewait_sock
*/);". The bpf prog can also read all members of the kernel struct
instead of a subset defined in bpf_tcp_sock.
pw-bot: cr
>
>
> ---
> AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
> See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
>
> CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21671977729
>
> AI-authorship-score: low
> AI-authorship-explanation: The commit message style is consistent with human-written kernel patches, with natural technical language and standard formatting; the technical error is more likely human oversight than AI hallucination.
> issues-found: 1
> issue-severity-score: low
> issue-severity-explanation: The issue is a misleading commit message that claims the change enables TIME-WAIT socket sequence number reading, but the bpf_tcp_sock() helper explicitly returns NULL for TIME-WAIT sockets.
On Wed Feb 4, 2026 at 11:27 PM CET, Martin KaFai Lau wrote:
>
>
> On 2/4/26 5:04 AM, bot+bpf-ci@kernel.org wrote:
> >> But the TCP TIME-WAIT state needs special handling for this: packets
> >> received for a TIME-WAIT socket can either belong to the current
> >> incarnation of the connection, or a new incarnation. The only way to
> >> determine this is to compare the sequence numbers.
> >>
> >> Add the bpf_tcp_sock() helper in XDP to allow the socket sequence
> >> numbers to be read.
> >
> > Can this approach work for TIME-WAIT sockets? Looking at bpf_tcp_sock() in
> > net/core/filter.c:
> >
> > if (sk_fullsock(sk) && sk->sk_protocol == IPPROTO_TCP)
> > return (unsigned long)sk;
> > return (unsigned long)NULL;
> >
> > And sk_fullsock() in include/net/sock.h:
> >
> > static inline bool sk_fullsock(const struct sock *sk)
> > {
> > return (1 << sk->sk_state) & ~(TCPF_TIME_WAIT | TCPF_NEW_SYN_RECV);
> > }
> >
> > TIME-WAIT sockets are explicitly excluded by sk_fullsock(), so bpf_tcp_sock()
> > returns NULL for them. The sequence numbers stored in TIME-WAIT sockets
> > (skc_tw_rcv_nxt and skc_tw_snd_nxt in sock_common) would not be accessible
> > through this helper.
> >
> > The change itself is useful for accessing tcp_sock fields from established
> > connections in XDP, but the commit message implies this solves the TIME-WAIT
> > sequence number problem described, which doesn't appear to be the case.
>
> or use "tp = bpf_core_cast(sk, struct tcp_sock /* or tcp_timewait_sock
> */);". The bpf prog can also read all members of the kernel struct
> instead of a subset defined in bpf_tcp_sock.
Brilliant, that works! Thanks Martin.
>
> pw-bot: cr
>
> >
> >
> > ---
> > AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
> > See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
> >
> > CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21671977729
> >
> > AI-authorship-score: low
> > AI-authorship-explanation: The commit message style is consistent with human-written kernel patches, with natural technical language and standard formatting; the technical error is more likely human oversight than AI hallucination.
> > issues-found: 1
> > issue-severity-score: low
> > issue-severity-explanation: The issue is a misleading commit message that claims the change enables TIME-WAIT socket sequence number reading, but the bpf_tcp_sock() helper explicitly returns NULL for TIME-WAIT sockets.
© 2016 - 2026 Red Hat, Inc.