netd bpf - no-op code hygiene fix for DROP_UNLESS_DNS
We only ever return DROP_UNLESS_DNS on ingress,
so the ordering doesn't actually matter.
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I742b85748433f5319d518bebc05d976d630b72e7
diff --git a/bpf_progs/netd.c b/bpf_progs/netd.c
index 84da79d..cb0da19 100644
--- a/bpf_progs/netd.c
+++ b/bpf_progs/netd.c
@@ -415,11 +415,6 @@
}
int match = bpf_owner_match(skb, sock_uid, egress, kver);
- if (egress && (match == DROP)) {
- // If an outbound packet is going to be dropped, we do not count that
- // traffic.
- return match;
- }
// Workaround for secureVPN with VpnIsolation enabled, refer to b/159994981 for details.
// Keep TAG_SYSTEM_DNS in sync with DnsResolver/include/netd_resolv/resolv.h
@@ -432,6 +427,9 @@
if (match == DROP_UNLESS_DNS) match = DROP;
}
+ // If an outbound packet is going to be dropped, we do not count that traffic.
+ if (egress && (match == DROP)) return DROP;
+
StatsKey key = {.uid = uid, .tag = tag, .counterSet = 0, .ifaceIndex = skb->ifindex};
uint8_t* counterSet = bpf_uid_counterset_map_lookup_elem(&uid);