On 09/03/18 18:58, Alexei Starovoitov wrote: > It's not waiting for the whole thing, because once bpfilter starts it > stays running/sleeping because it's stateful. So, this has been bugging me a bit. If bpfilter takes a signal and crashes, all that state goes away. Does that mean your iptables/netfilter config just got forgotten and next time you run iptables it disappears, so you have to re-apply it all again? > It needs normal > malloc-ed memory to keep the state of iptable->bpf translation that > it will use later during subsequent translation calls. > Theoretically it can use bpf maps pinned in kernel memory to keep > this state, but then it's non-swappable. It's better to keep bpfilter > state in its own user memory. Perhaps the state should live in swappable kernel memory (e.g. a tmpfs thing, which bpfilter could access through a mount). It'd be read-only to userspace, listing the existing rules (in untranslated form), and be updated to reflect the new rule after bpfilter has supplied the updated translation. Then bpfilter can cache things if it wants, but the kernel remains the ultimate arbiter of the state and maintains it over a bpfilter crash. Sound reasonable? -Ed -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
