On 1/25/23 11:33 AM, Quentin Monnet wrote:
2023-01-25 08:25 UTC+0530 ~ Chethan Suresh <chethan.suresh@xxxxxxxx>
We've experienced similar issues about bpfilter like below:
https://github.com/moby/moby/issues/43755
https://lore.kernel.org/bpf/CAADnVQJ5MxGkq=ng214aYoH-NmZ1gjoS=ZTY1eU-Fag4RwZjdg@xxxxxxxxxxxxxx/
Considering the current development status of bpfilter,
disable bpfilter kernel config checks in bpftool feature.
For production systems, we should disable both
CONFIG_BPFILTER and CONFIG_BPFILTER_UMH for now.
Or they can be enabled, as some tools depend on bpfilter.
Signed-off-by: Chethan Suresh <chethan.suresh@xxxxxxxx>
Signed-off-by: Kenta Tada <Kenta.Tada@xxxxxxxx>
---
tools/bpf/bpftool/feature.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/tools/bpf/bpftool/feature.c b/tools/bpf/bpftool/feature.c
index 36cf0f1517c9..c6087bbc6613 100644
--- a/tools/bpf/bpftool/feature.c
+++ b/tools/bpf/bpftool/feature.c
@@ -426,10 +426,6 @@ static void probe_kernel_image_config(const char *define_prefix)
{ "CONFIG_BPF_STREAM_PARSER", },
/* xt_bpf module for passing BPF programs to netfilter */
{ "CONFIG_NETFILTER_XT_MATCH_BPF", },
- /* bpfilter back-end for iptables */
- { "CONFIG_BPFILTER", },
- /* bpftilter module with "user mode helper" */
- { "CONFIG_BPFILTER_UMH", },

Right, for bpftool this change is rather moot. Maybe until the work from
QuentinD materializes, the BPFILTER should just be built with `depends on
COMPILE_TEST` so that this doesn't negatively affect users as reported in
above links.

/* test_bpf module for BPF tests */
{ "CONFIG_TEST_BPF", },
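Review bot: dropping the CONFIG_BPFILTER and CONFIG_BPFILTER_UMH entries from the option list in probe_kernel_image_config() leaves the kernel configuration untouched and only stops the probe from reporting these two options, so the goal stated in the commit message (having both disabled on production systems) is not served by this hunk. Consider keeping both entries so the probe output can still be used to confirm that they are unset, and have the commit message say what the removal itself is meant to accomplish.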
Hi,
I don't understand. The feature probe simply looks for the kconfig
option in the kconfig file. What are you hoping to achieve by removing
this check? How is it going to help with your issues?
Quentin
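
The kconfig lookup Quentin describes, applied to the production check from the commit message, as an added example (not code from this thread or from bpftool). The function names and the sample config are constructed for illustration; pass the path of a real kconfig file as the first argument to audit a system.

```shell
#!/bin/sh
# Added example: report the state of the two bpfilter options in a kconfig file.

# Constructed sample config (not taken from a real kernel build).
sample_config() {
cat <<'EOF'
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
# CONFIG_BPF_STREAM_PARSER is not set
CONFIG_BPFILTER=y
CONFIG_BPFILTER_UMH=m
EOF
}

# kconfig_state FILE OPTION: print the option's value (y, m, ...),
# "not set" for an explicit "# OPTION is not set" line, or "absent".
# Matching on "OPTION=" at line start keeps CONFIG_BPFILTER from
# matching CONFIG_BPFILTER_UMH, which a plain substring grep would do.
kconfig_state() {
    case $1 in
        *.gz) gzip -dc -- "$1" ;;
        *)    cat -- "$1" ;;
    esac | awk -v opt="$2" '
        $0 == "# " opt " is not set" { print "not set"; found = 1; exit }
        index($0, opt "=") == 1      { print substr($0, length(opt) + 2); found = 1; exit }
        END { if (!found) print "absent" }'
}

# audit_bpfilter FILE: list both options; return 1 if either is built (y or m).
audit_bpfilter() {
    rc=0
    for opt in CONFIG_BPFILTER CONFIG_BPFILTER_UMH; do
        state=$(kconfig_state "$1" "$opt")
        echo "$opt: $state"
        case $state in y|m) rc=1 ;; esac
    done
    return "$rc"
}

# Demo: audit the file given as $1, or the constructed sample if none is given.
cfg=${1:-}
if [ -z "$cfg" ]; then
    cfg=$(mktemp); sample_config > "$cfg"; tmp=$cfg
fi
audit_bpfilter "$cfg" || echo "bpfilter is enabled in $cfg"
[ -z "${tmp:-}" ] || rm -f "$tmp"
```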