On Wed, Apr 6, 2022 at 10:09 AM <wuzongyo@xxxxxxxxxxxxxxxx> wrote:
>
> Hi,
>
> I wrote a simple tc-bpf program like that:
>
> #include <linux/bpf.h>
> #include <linux/pkt_cls.h>
> #include <linx/types.h>
> #include <bpf/bpf_helpers.h>
>
> struct {
> __uint(type, BPF_MAP_TYPE_HASH);
> __uint(max_entries, 1);
> __type(key, int);
> __type(value, int);
> } hmap SEC(".maps");
>
> SEC("classifier")
> int _classifier(struct __sk_buff *skb)
> {
> int key = 0;
> int *val;
>
> val = bpf_map_lookup_elem(&hmap, &key);
> if (!val)
> return TC_ACT_OK;
> return TC_ACT_OK;
> }
>
> char __license[] SEC("license") = "GPL";
>
> Then I tried to use tc to load the program:
>
> tc qdisc add dev eth0 clsact
> tc filter add dev eth0 egress bpf da obj test_bpf.o
>
> But the program loading failed with error messages:
> Prog section 'classifier' rejected: Permission denied (13)!
> - Type: 3
> - Instructions: 9 (0 over limit
> - License: GPL
>
> Verifier analysis:
>
> Error fetching program/map!
> Unable to load program
>
> I tried to replace the map definition with the following code and the program is loaded successfully!
>
> struct bpf_map_def SEC("maps") hmap = {
> .type = BPF_MAP_TYPE_HASH,
> .key_size = sizeof(int),
> .value_size = sizeof(int),
> .max_entries = 1,
> };
>
> With bpftrace, I can find that the errno -EACCES is returned by function do_check(). But I am still confused what's wrong with it.
>
> Linux Version: 5.17.0-rc3+ with CONFIG_DEBUG_INFO_BTF=y
> TC Version: 5.14.0
>
> Any suggestion will be appreciated!
>
This is an iproute2 question, please find their mailing list and ask
there. Or bypass iproute2 and use libbpf-provided TC APIS
(bpf_tc_xxx()) to do all this directly from your application without
shelling out or delegating to iproute2
> Thanks
>
