#include <net/checksum.h>
 #include <net/inetpeer.h>
 #include <net/lwtunnel.h>
+#include <linux/bpf-cgroup.h>
 #include <linux/igmp.h>
 #include <linux/netfilter_ipv4.h>
 #include <linux/netfilter_bridge.h>
 static int ip_finish_output(struct net *net, struct sock *sk, struct sk_buff *skb)
 {
        unsigned int mtu;
+       int ret;
+
+       ret = BPF_CGROUP_RUN_PROG_INET_EGRESS(sk, skb);
+       if (ret) {
+               kfree_skb(skb);
+               return ret;
+       }
 
 #if defined(CONFIG_NETFILTER) && defined(CONFIG_XFRM)
        /* Policy lookup after SNAT yielded a new policy */
        return ip_finish_output2(net, sk, skb);
 }
 
+static int ip_mc_finish_output(struct net *net, struct sock *sk,
+                              struct sk_buff *skb)
+{
+       int ret;
+
+       ret = BPF_CGROUP_RUN_PROG_INET_EGRESS(sk, skb);
+       if (ret) {
+               kfree_skb(skb);
+               return ret;
+       }
+
+       return dev_loopback_xmit(net, sk, skb);
+}
+
 int ip_mc_output(struct net *net, struct sock *sk, struct sk_buff *skb)
 {
        struct rtable *rt = skb_rtable(skb);
                        if (newskb)
                                NF_HOOK(NFPROTO_IPV4, NF_INET_POST_ROUTING,
                                        net, sk, newskb, NULL, newskb->dev,
-                                       dev_loopback_xmit);
+                                       ip_mc_finish_output);
                }
 
                /* Multicasts with ttl 0 must not go beyond the host */
                if (newskb)
                        NF_HOOK(NFPROTO_IPV4, NF_INET_POST_ROUTING,
                                net, sk, newskb, NULL, newskb->dev,
-                               dev_loopback_xmit);
+                               ip_mc_finish_output);
        }
 
        return NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING,
 
 #include <linux/module.h>
 #include <linux/slab.h>
 
+#include <linux/bpf-cgroup.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv6.h>
 
 
 static int ip6_finish_output(struct net *net, struct sock *sk, struct sk_buff *skb)
 {
+       int ret;
+
+       ret = BPF_CGROUP_RUN_PROG_INET_EGRESS(sk, skb);
+       if (ret) {
+               kfree_skb(skb);
+               return ret;
+       }
+
        if ((skb->len > ip6_skb_dst_mtu(skb) && !skb_is_gso(skb)) ||
            dst_allfrag(skb_dst(skb)) ||
            (IP6CB(skb)->frag_max_size && skb->len > IP6CB(skb)->frag_max_size))