Hi,

On Fri, Feb 09, 2024 at 12:19:54PM +0000, Ignat Korchagin wrote:
> Commit 67ee37360d41 ("netfilter: nf_tables: validate NFPROTO_* family") added
> some validation of NFPROTO_* families in nftables, but it broke our use case for
> xt_bpf module:
>
>   * assuming we have a simple bpf program:
>
>     #include <linux/bpf.h>
>     #include <bpf/bpf_helpers.h>
>
>     char _license[] SEC("license") = "GPL";
>
>     SEC("socket")
>     int prog(struct __sk_buff *skb) { return BPF_OK; }
>
>   * we can compile it and pin into bpf FS:
>     bpftool prog load bpf.o /sys/fs/bpf/test
>
>   * now we want to create a following table
>
>     table inet firewall {
>         chain input {
>             type filter hook prerouting priority filter; policy accept;
>             bpf pinned "/sys/fs/bpf/test" drop

This feature does not exist in the tree.

>         }
>     }
>
> All above used to work, but now we get EOPNOTSUPP, when creating the table.
>
> Fix this by allowing NFPROTO_INET for nft_(match/target)_validate()

We don't support inet family for iptables.