On 25/01/2023 03:55, Chethan Suresh wrote:
> We've experienced similar issues about bpfilter like below:
> https://github.com/moby/moby/issues/43755

I've been looking into this issue a bit more, it seems the author has CONFIG_BPFILTER enabled, which it shouldn't be. I've replied to the thread to clarify the situation.

Regarding why CONFIG_BPFILTER was enabled, it seems the linuxkit [1] project's default configurations for multiple kernel versions had it enabled, for some reason. This was fixed [2] a few months ago for *some* of the configurations, I've published a PR [3] for the remaining configuration. It's been approved but not merged yet.

It's unclear why those configurations had CONFIG_BPFILTER enabled in the first place, but it's definitely a mistake.

[1]: https://github.com/linuxkit/linuxkit
[2]: https://github.com/linuxkit/linuxkit/pull/3701
[3]: https://github.com/linuxkit/linuxkit/pull/3904

> https://lore.kernel.org/bpf/CAADnVQJ5MxGkq=ng214aYoH-NmZ1gjoS=ZTY1eU-Fag4RwZjdg@xxxxxxxxxxxxxx/
>
> Considering the current development status of bpfilter,
> disable bpfilter kernel config checks in bpftool feature.
> For production system, we should disable both
> CONFIG_BPFILTER and CONFIG_BPFILTER_UMH for now.
> Or can be enabled as some tools depend on bpfilter.
>
> Signed-off-by: Chethan Suresh <chethan.suresh@xxxxxxxx>
> Signed-off-by: Kenta Tada <Kenta.Tada@xxxxxxxx>
> --- > tools/bpf/bpftool/feature.c | 4 ---- > 1 file changed, 4 deletions(-) > > diff --git a/tools/bpf/bpftool/feature.c b/tools/bpf/bpftool/feature.c > index 36cf0f1517c9..c6087bbc6613 100644 > --- a/tools/bpf/bpftool/feature.c > +++ b/tools/bpf/bpftool/feature.c 
> @@ -426,10 +426,6 @@ static void probe_kernel_image_config(const char *define_prefix) > { "CONFIG_BPF_STREAM_PARSER", }, > /* xt_bpf module for passing BPF programs to netfilter */ > { "CONFIG_NETFILTER_XT_MATCH_BPF", }, > - /* bpfilter back-end for iptables */ > - { "CONFIG_BPFILTER", }, > - /* bpftilter module with "user mode helper" */ > - { "CONFIG_BPFILTER_UMH", }, > > /* test_bpf module for BPF tests */ > { "CONFIG_TEST_BPF", }, Regards, Quentin
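
Review bot: The commit message does not justify deleting the { "CONFIG_BPFILTER", } and { "CONFIG_BPFILTER_UMH", } entries from the list in probe_kernel_image_config(). It says production systems should disable both options, yet once the entries are gone this list no longer covers them, so the probe cannot be used to confirm that they are off. Please state what harm listing them causes (for example, whether a reported option is being read as one that should be enabled), and reword or drop "Or can be enabled as some tools depend on bpfilter", which contradicts the sentence before it. If the only concern is that the options look recommended, keeping the two entries and extending their comments to mark bpfilter as not production-ready would preserve that visibility.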