On Tue, Jun 16, 2020 at 3:53 PM Stanislav Fomichev <sdf@xxxxxxxxxx> wrote:
>
> Attaching to these hooks can break iptables because its optval is
> usually quite big, or at least bigger than the current PAGE_SIZE limit.
> David also mentioned some SCTP options can be big (around 256k).
>
> There are two possible ways to fix it:
> 1. Increase the limit to match iptables max optval. There is, however,
> no clear upper limit. Technically, iptables can accept up to
> 512M of data (not sure how practical it is though).
>
> 2. Bypass the value (don't expose to BPF) if it's too big and trigger
> BPF only with level/optname so BPF can still decide whether
> to allow/deny big sockopts.
>
> The initial attempt was implemented using strategy #1. Due to
> listed shortcomings, let's switch to strategy #2. When there is
> a legitimate real use-case for iptables/SCTP, we can consider increasing
> the PAGE_SIZE limit.
>
> To support the cases where len(optval) > PAGE_SIZE we can
> leverage upcoming sleepable BPF work by providing a helper
> which can do copy_from_user (sleepable) at the given offset
> from the original large buffer.
>
> v4:
> * use temporary buffer to avoid optval == optval_end == NULL;
> this removes the corner case in the verifier that might assume
> non-zero PTR_TO_PACKET/PTR_TO_PACKET_END.

Just replied with another idea in the v3 thread...
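The following is an added userspace model of the strategy #2 mechanics described in the quoted cover letter; it is example code written for this page, not code from the patch series or the kernel. It assumes a 4096-byte page limit (`SIM_PAGE_SIZE`), a stand-in context struct (`sim_sockopt`) whose fields only mirror the names in `struct bpf_sockopt`, and a constructed policy (allow bypassed values only under `SOL_IP`, deny a visible value whose first word is all ones; `optname` 64 in `main` is arbitrary). It shows the two cases a program has to handle: a value small enough to be copied in and read with bounded accesses, and an oversized value handed over as an empty but non-NULL `optval`/`optval_end` range, as the v4 note describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>   /* SOL_SOCKET */
#include <netinet/in.h>   /* SOL_IP on Linux */

#ifndef SOL_IP
#define SOL_IP 0          /* Linux value; only defined here if the headers lack it */
#endif

/* Page limit assumed for this simulation; the real one is the architecture's PAGE_SIZE. */
#define SIM_PAGE_SIZE 4096

/* Stand-in for the context a cgroup sockopt program receives.
 * Field names mirror struct bpf_sockopt, but this is not the kernel's definition. */
struct sim_sockopt {
    int level;
    int optname;
    int optlen;
    const char *optval;
    const char *optval_end;
};

/* One-byte scratch buffer: a bypassed value yields optval == optval_end with
 * both non-NULL, matching the v4 note about the verifier corner case. */
static char sim_tmp[1];

/* Kernel side (simulated): copy the value in only if it fits the page limit,
 * otherwise hand the program an empty range. Returns 1 if visible, 0 if bypassed. */
static int sim_prepare_ctx(struct sim_sockopt *ctx, int level, int optname,
                           const char *user_optval, int optlen, char *kbuf)
{
    ctx->level = level;
    ctx->optname = optname;
    ctx->optlen = optlen;
    if (optlen < 0 || optlen > SIM_PAGE_SIZE) {
        ctx->optval = sim_tmp;
        ctx->optval_end = sim_tmp;
        return 0;
    }
    memcpy(kbuf, user_optval, (size_t)optlen);
    ctx->optval = kbuf;
    ctx->optval_end = kbuf + optlen;
    return 1;
}

int sim_is_bypassed(int optlen)
{
    return optlen > SIM_PAGE_SIZE;
}

/* Bounded read in the style the verifier demands for PTR_TO_PACKET ranges:
 * the access is checked against optval_end before it happens. */
static int sim_read_u32(const struct sim_sockopt *ctx, size_t off, uint32_t *out)
{
    size_t avail = (size_t)(ctx->optval_end - ctx->optval);
    if (off > avail || avail - off < sizeof(*out))
        return 0;
    memcpy(out, ctx->optval + off, sizeof(*out));
    return 1;
}

/* Program side (simulated cgroup/setsockopt policy): 1 = allow, 0 = deny.
 * The rules below are constructed for the example. */
static int sim_policy(const struct sim_sockopt *ctx)
{
    uint32_t first;

    if (ctx->optval == ctx->optval_end) {
        /* Bypassed: only level/optname are available. iptables options live
         * under SOL_IP, so pass those through and deny other oversized ones. */
        return ctx->level == SOL_IP;
    }
    /* Visible: inspect the value with bounded reads; a too-short value simply
     * fails the read and falls through to allow. */
    if (sim_read_u32(ctx, 0, &first) && first == 0xffffffffu)
        return 0;
    return 1;
}

/* Drive both halves for one constructed setsockopt call. user_optval may be
 * NULL when optlen exceeds the limit, since nothing is copied in that case. */
int sim_decide(int level, int optname, const char *user_optval, int optlen)
{
    static char kbuf[SIM_PAGE_SIZE];
    struct sim_sockopt ctx;

    sim_prepare_ctx(&ctx, level, optname, user_optval, optlen, kbuf);
    return sim_policy(&ctx);
}

int main(void)
{
    printf("256k SOL_IP option (bypassed):     %s\n",
           sim_decide(SOL_IP, 64, NULL, 256 * 1024) ? "allow" : "deny");
    printf("256k SOL_SOCKET option (bypassed): %s\n",
           sim_decide(SOL_SOCKET, 64, NULL, 256 * 1024) ? "allow" : "deny");
    printf("4-byte visible option 0x00000001:  %s\n",
           sim_decide(SOL_SOCKET, 64, "\x01\x00\x00\x00", 4) ? "allow" : "deny");
    return 0;
}
```

The point of the split is that the program never sees a partially copied large value: it either gets the whole thing within the page limit, or it gets an empty range and must decide from level/optname alone. Checking `optval == optval_end` is therefore the first thing a policy should do.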