please drop, wrong 'From:' field, will resend v2

On Sun, 17 Sep 2017 14:07:49 +0300 Rafael Buchbinder <shmulik@xxxxxxx> wrote:

> Following set of commits fixes xt_bpf extension to correctly handle
> pinned eBPF programs.
>
> The origin of the bug lies in the fact that xt_bpf_info_v1 structure
> requires an open file descriptor to create an eBPF match.
> This file descriptor is checked on every replace. However, as this file
> descriptor is valid only for the iptables invocation which loads the
> eBPF for the first time, all subsequent iptables invocations fail in
> bpf_mt_check (kernel) function.
>
> See discussion in [1] for more details.
>
> The following patches add a hook in extensions which is called
> immediately after TC_INIT to fixup whatever needs to be fixed up.
> In case of xt_bpf, the fixup function gets the eBPF object by path to
> populate xt_bpf_info_v1 structure with a valid file descriptor.
>
> [1] https://marc.info/?l=netfilter-devel&m=150530909630143&w=2
>
> Rafael Buchbinder (2):
>   iptables: support match info fixup after tc_init
>   extensions: xt_bpf: get the pinned ebpf object when match is
>     initialized
>
>  extensions/libxt_bpf.c |  9 +++++++++
>  include/xtables.h      |  3 +++
>  iptables/ip6tables.c   | 35 +++++++++++++++++++++++++++++++++++
>  iptables/iptables.c    | 34 ++++++++++++++++++++++++++++++++++
>  4 files changed, 81 insertions(+)