On Tue, Jun 16, 2020 at 4:05 PM Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx> wrote:
>
> On Tue, Jun 16, 2020 at 3:53 PM Stanislav Fomichev <sdf@xxxxxxxxxx> wrote:
> >
> > Attaching to these hooks can break iptables because its optval is
> > usually quite big, or at least bigger than the current PAGE_SIZE limit.
> > David also mentioned some SCTP options can be big (around 256k).
> >
> > There are two possible ways to fix it:
> > 1. Increase the limit to match the iptables max optval. There is, however,
> >    no clear upper limit. Technically, iptables can accept up to
> >    512M of data (not sure how practical it is though).
> >
> > 2. Bypass the value (don't expose it to BPF) if it's too big and trigger
> >    BPF only with level/optname so BPF can still decide whether
> >    to allow/deny big sockopts.
> >
> > The initial attempt was implemented using strategy #1. Due to the
> > listed shortcomings, let's switch to strategy #2. When there is
> > a legitimate real use-case for iptables/SCTP, we can consider increasing
> > the PAGE_SIZE limit.
> >
> > To support the cases where len(optval) > PAGE_SIZE we can
> > leverage the upcoming sleepable BPF work by providing a helper
> > which can do copy_from_user (sleepable) at the given offset
> > from the original large buffer.
> >
> > v4:
> > * use a temporary buffer to avoid optval == optval_end == NULL;
> >   this removes the corner case in the verifier that might assume
> >   non-zero PTR_TO_PACKET/PTR_TO_PACKET_END.
>
> just replied with another idea in v3 thread...

Yeah, sorry about that, posted 5 mins before your reply :-(
Sorry for the noise.