From: Stanislav Fomichev
> Sent: 05 June 2020 01:22
> Attaching to these hooks can break iptables because its optval is
> usually quite big, or at least bigger than the current PAGE_SIZE limit.
>
> There are two possible ways to fix it:
> 1. Increase the limit to match iptables max optval.
> 2. Implement some way to bypass the value if it's too big and trigger
> BPF only with level/optname so BPF can still decide whether
> to allow/deny big sockopts.
>
> I went with #1 which means we are potentially increasing the
> amount of data we copy from the userspace from PAGE_SIZE to 512M.
...
> + const int max_supported_optlen = 512 * 1024 * 1024 + 128;

512MB seems a bit big.
I'd have thought that iptables would be usable from a 32bit application
where that is 1/6th the process address space.
Anything that might be that big ought to be done in chunks.

I was looking at the SCTP socket option code.
ISTR that may require just over 256kB - still silly, but not as bad.

SCTP also requires that getsockopt() copy the buffer in from userspace.
One call required more than a 'sockaddr storage' be read in.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
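Review bot: the quoted `+ const int max_supported_optlen = 512 * 1024 * 1024 + 128;` carries no comment saying where the 512M or the extra 128 bytes come from. The commit message says the limit exists to match the iptables maximum optval, so either derive the value from that definition or add a comment naming it and explaining what the +128 covers; otherwise the next reader cannot tell whether the literal still matches iptables when that side changes.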
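The thread contrasts raising the copy limit with bypassing or chunking an oversized optval. The following is an added userspace C model of that contrast; it is not the kernel patch under review nor code from either correspondent. MODEL_PAGE_SIZE stands in for PAGE_SIZE and memcpy() for copy_from_user(); the hook policy (allow bypassed options at IPPROTO_IP only) and the optname 64 used in the demo are assumed for illustration.

```c
/* Added example: userspace model of handling a setsockopt value that exceeds
 * a fixed copy limit. Not the kernel patch under review. MODEL_PAGE_SIZE
 * stands in for PAGE_SIZE, memcpy() for copy_from_user(); the hook policy
 * and the demo optname are assumed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>   /* SOL_SOCKET */
#include <netinet/in.h>   /* IPPROTO_IP */

#define MODEL_PAGE_SIZE 4096u

enum sockopt_disposition {
    SOCKOPT_REJECT   = -1, /* optlen unusable */
    SOCKOPT_COPIED   =  0, /* value fits the bounce buffer and was copied */
    SOCKOPT_BYPASSED =  1, /* too big: hook sees level/optname only */
};

struct sockopt_ctx {
    int level, optname;
    size_t optlen;                        /* caller's length, even if bypassed */
    bool have_value;
    unsigned char value[MODEL_PAGE_SIZE]; /* fixed-size bounce buffer */
};

/* Approach #2 from the quoted mail: copy at most one bounce buffer; an
 * oversized value stays in userspace but the hook still runs. */
int sockopt_prepare(struct sockopt_ctx *ctx, int level, int optname,
                    const void *user_optval, int optlen)
{
    memset(ctx, 0, sizeof(*ctx));
    ctx->level = level;
    ctx->optname = optname;
    /* optlen is a signed int at the syscall boundary: reject a negative
     * length before widening it to size_t, and a NULL pointer with data. */
    if (optlen < 0 || (user_optval == NULL && optlen > 0))
        return SOCKOPT_REJECT;
    ctx->optlen = (size_t)optlen;
    if (ctx->optlen > sizeof(ctx->value))
        return SOCKOPT_BYPASSED;          /* have_value stays false */
    memcpy(ctx->value, user_optval, ctx->optlen);
    ctx->have_value = true;
    return SOCKOPT_COPIED;
}

/* Assumed demo policy: allow when the value was copied; when bypassed the
 * hook only has level/optname and allows IPPROTO_IP only. 1 = allow. */
int hook_decide(const struct sockopt_ctx *ctx)
{
    return ctx->have_value || ctx->level == IPPROTO_IP;
}

/* The chunked alternative from the reply: never hold more than one bounce
 * buffer of user data at a time. Returns the chunk count, or -1. */
long sockopt_copy_in_chunks(const void *user_optval, int optlen,
                            void (*consume)(const void *, size_t, void *),
                            void *arg)
{
    unsigned char bounce[MODEL_PAGE_SIZE];
    const unsigned char *src = user_optval;
    size_t left, n;
    long chunks = 0;

    if (optlen < 0 || (user_optval == NULL && optlen > 0))
        return -1;
    for (left = (size_t)optlen; left > 0; left -= n, src += n, chunks++) {
        n = left < sizeof(bounce) ? left : sizeof(bounce);
        memcpy(bounce, src, n);           /* one bounded copy per chunk */
        consume(bounce, n, arg);
    }
    return chunks;
}

static void sum_bytes(const void *c, size_t len, void *arg) { (void)c; *(size_t *)arg += len; }

/* Demo: run prepare + hook on a constructed (zero-filled) value. */
struct demo_result { int disposition; int allowed; };
struct demo_result demo_setsockopt(int level, int optlen)
{
    static unsigned char v[MODEL_PAGE_SIZE * 3 + 7]; /* constructed input */
    struct sockopt_ctx c;
    struct demo_result r;
    r.disposition = sockopt_prepare(&c, level, 64 /* arbitrary optname */, v, optlen);
    r.allowed = r.disposition == SOCKOPT_REJECT ? -1 : hook_decide(&c);
    return r;
}

/* Demo: feed the same constructed value through the chunked path; returns
 * the chunk count, -1 on a bad length, -2 if the test length is too long. */
long demo_chunks(int optlen)
{
    static unsigned char v[MODEL_PAGE_SIZE * 3 + 7];
    size_t total = 0;
    long chunks;
    if (optlen > (int)sizeof v)
        return -2;
    chunks = sockopt_copy_in_chunks(v, optlen, sum_bytes, &total);
    return total == (size_t)optlen ? chunks : -1;
}

int main(void)
{
    struct demo_result r = demo_setsockopt(SOL_SOCKET, MODEL_PAGE_SIZE + 1);
    printf("oversized SOL_SOCKET value: disposition %d, allowed %d\n",
           r.disposition, r.allowed);
    printf("chunks for %u bytes: %ld\n", MODEL_PAGE_SIZE * 3 + 7,
           demo_chunks(MODEL_PAGE_SIZE * 3 + 7));
    return 0;
}
```

The point of the model is that a fixed bounce buffer keeps the copy bounded regardless of what userspace passes as optlen, while the hook still gets a decision for oversized values; the chunked walker shows the other way of staying bounded when the whole value does need to be read.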