Re: [PATCH v2 2/2] extensions: xt_bpf: get the pinned ebpf object when match is initialized

On Sun, Sep 17, 2017 at 7:20 AM, Shmulik Ladkani <shmulik@xxxxxxx> wrote:
> From: Rafael Buchbinder <rafi@xxxxxx>
>
> The xt_bpf_info_v1 structure requires an open file descriptor to create an
> eBPF match. This file descriptor is checked on every replace. However,
> as this file descriptor is valid only for the iptables invocation which
> loads the eBPF for the first time, all subsequent iptables invocations
> fail in the bpf_mt_check (kernel) function.
>
> This commit fixes handling of pinned eBPF objects.
>
> The file descriptor saved in the xt_bpf_info_v1 structure is re-opened
> in tc_init_fixup, which is invoked immediately after tc_init.
>
> Signed-off-by: Rafael Buchbinder <rafi@xxxxxx>
> Signed-off-by: Shmulik Ladkani <shmulik@xxxxxxx>

Thanks a lot for fixing this.

Acked-by: Willem de Bruijn <willemb@xxxxxxxxxx>

The pinned object at that filepath can change between iptables invocations.
This is not very obvious when inserting a new unrelated rule, but is an
unavoidable effect of iptables reading and re-inserting the entire table on
each operation. Even switching to the bpf identifier would not help, as those
ids can be recycled, too. Admins just have to be diligent and not rely on
objects pinned by unprivileged users.