Re: [PATCH v2 1/2] iptables: support match info fixup after tc_init

On Mon, Sep 18, 2017 at 08:00:42PM +0300, Shmulik Ladkani wrote:
> Hi Pablo,
> 
> On Mon, 18 Sep 2017 18:28:11 +0200 Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> 
> > >  
> > > +	/* Fixes the match info after init. */
> > > +	void (*tc_init_fixup)(struct xt_entry_match *match);  
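
Review bot: the comment on tc_init_fixup ("Fixes the match info after init.") does not say which init is meant or what is wrong with the match info at that point. Please state that the hook runs after entries are loaded by iptc_init/ip6tc_init and what the extension is expected to repair. The bare tc_ prefix also reads as traffic control, so a name such as post_init_fixup would be clearer. The hook returns void, so an extension that cannot repair its match info has no way to report that to the caller; consider an int return.
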
> > 
> > If this is only broken from tc ipt actions, could you fix this from
> > iproute2/tc instead?
> 
> No, this is not iproute2/tc specific.

OK.

> We named it 'tc_init_fixup' as it occurs just after the TC_INIT
> (iptc_init/ip6tc_init) call.
> If this is confusing, we can rename to 'init_fixup' or 'post_init_fixup'
> or 'iptc_init_fixup'.
> 
> This must occur after every load of entries, as the xt_bpf match needs
> a fixup once read from kernel.
> 
> The problem lies in the xt_bpf_info_v1 ABI.
> See:
> https://marc.info/?l=netfilter-devel&m=150530909630143&w=2

I see, can we get a v2 ABI that fixes this? Given this was included
not a long time ago, we can quickly deprecate this without this custom
hook to address this.

We can include this in the next iptables release in the next weeks.