From: Rafael Buchbinder <rafi@xxxxxx>

The following set of commits fixes the xt_bpf extension to correctly handle pinned eBPF programs.

The origin of the bug lies in the fact that the xt_bpf_info_v1 structure requires an open file descriptor to create an eBPF match. This file descriptor is checked on every replace. However, as this file descriptor is valid only for the iptables invocation which loads the eBPF program for the first time, all subsequent iptables invocations fail in the kernel's bpf_mt_check() function. See the discussion in [1] for more details.

The following patches add a hook in extensions which is called immediately after TC_INIT to fix up whatever needs to be fixed up. In the case of xt_bpf, the fixup function gets the eBPF object by path to populate the xt_bpf_info_v1 structure with a valid file descriptor.

[1] https://marc.info/?l=netfilter-devel&m=150530909630143&w=2

Since v1:
- fixed From field

Rafael Buchbinder (2):
  iptables: support match info fixup after tc_init
  extensions: xt_bpf: get the pinned ebpf object when match is initialized

 extensions/libxt_bpf.c |  9 +++++++++
 include/xtables.h      |  3 +++
 iptables/ip6tables.c   | 35 +++++++++++++++++++++++++++++++++++
 iptables/iptables.c    | 34 ++++++++++++++++++++++++++++++++++
 4 files changed, 81 insertions(+)

-- 
2.14.1