On Mon, Sep 18, 2017 at 01:50:32PM -0400, Willem de Bruijn wrote:
> On Mon, Sep 18, 2017 at 1:23 PM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > On Mon, Sep 18, 2017 at 08:00:42PM +0300, Shmulik Ladkani wrote:
> >> Hi Pablo,
> >>
> >> On Mon, 18 Sep 2017 18:28:11 +0200 Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> >>
> >> > >
> >> > > + /* Fixes the match info after init. */
> >> > > + void (*tc_init_fixup)(struct xt_entry_match *match);
> >> >
> >> > If this is only broken from tc ipt actions, could you fix this from
> >> > iproute2/tc instead?
> >>
> >> No, this is not iproute2/tc specific.
> >
> > OK.
> >
> >> We named it 'tc_init_fixup' as it occurs just after the TC_INIT
> >> (iptc_init/ip6tc_init) call.
> >> If this is confusing, we can rename to 'init_fixup' or 'post_init_fixup'
> >> or 'iptc_init_fixup'.
> >>
> >> This must occur after every load of entries, as the xt_bpf match needs
> >> a fixup once read from kernel.
> >>
> >> The problem lies in the xt_bpf_info_v1 ABI.
> >> See:
> >> https://marc.info/?l=netfilter-devel&m=150530909630143&w=2
> >
> > I see, can we get a v2 ABI that fixes this? Given this was included
> > not a long time ago, we can quickly deprecate this without this custom
> > hook to address this.
>
> We can perhaps change the kernel module to ignore .fd and do a
> path lookup for .path directly inside the kernel. That would not
> require a v2, even.

That sounds very reasonable, so we can just address this as a plain fix
and pass it on to -stable.
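Review bot: the comment on the new `tc_init_fixup` member, "Fixes the match info after init.", does not say which init it refers to, when callers must invoke the hook, or whether a match that needs no fixup may leave the pointer NULL. The `tc_` prefix also reads as a tc-only hook, while the reply in the thread says it is not iproute2/tc specific and runs after iptc_init/ip6tc_init. Suggest a neutral name such as `init_fixup` and a comment stating that the hook runs after every load of entries read from the kernel.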