Re: ct state module issue


 



On Tue, Jul 25, 2023 at 12:33 PM Florian Westphal <fw@xxxxxxxxx> wrote:
>
> Matt Zagrabelny <mzagrabe@xxxxxxxxx> wrote:
>
> [ CCing bpf/btf experts ]
>
> > I'm running kernel: 6.1.0-10-amd64
> > and
> > nftables v1.0.6 (Lester Gooch #5)
> >
> > I have a set of nftables rules that have served me well for Debian 11
> > - thanks in large part to the netfilter mailing list, so...thank you!
> > nftables on Debian 11 is: 0.9.8-3.1+deb11u1
> >
> > I have recently installed Debian 12 and tried my nftables rules and
> > have hit a snag with the connection tracking and a verdict map.
> > nftables on Debian 12 is: 1.0.6-2+deb12u1
> >
> > When I run the offending snippet:
> >
> > # nft -f /etc/nftables.conf.d/300-common.d/200-connection-tracking.nft
> > /etc/nftables.conf.d/300-common.d/200-connection-tracking.nft:4:9-16:
> > Error: Could not process rule: No such file or directory
> >         ct state vmap {
>
> [..]
>         ^^^^^^^^
> > When I watch the kernel logs (journalctl), I see:
> >
> > Jul 25 13:44:04 localhost kernel: BPF: [99725] STRUCT
> > Jul 25 13:44:04 localhost kernel: BPF: size=104 vlen=12
> > Jul 25 13:44:04 localhost kernel: BPF:
> > Jul 25 13:44:04 localhost kernel: BPF: Invalid name
> > Jul 25 13:44:04 localhost kernel: BPF:
> > Jul 25 13:44:04 localhost kernel: failed to validate module
> > [nf_conntrack] BTF: -22
> > Jul 25 13:44:04 localhost kernel: missing module BTF, cannot register kfuncs
>
> So nf_conntrack.ko fails to load because of a btf issue.
>
> My question to bpf folks is:
>
> Should we make register_nf_conntrack_bpf() return 'void'?
>
> This way normal conntrack would still work.  bpf programs using
> conntrack kfuncs would fail, but above dmesg splat already gives
> a clue as to why conntrack kfuncs aren't there.
>
> No idea about the actual problem or how to debug that, but bpf
> people should know.

The pr_err() was changed to pr_warn() in
commit 3de4d22cc9ac ("bpf, btf: Warn but return no error for NULL btf
from __register_btf_kfunc_id_set()").


Please upgrade the kernel and ignore the warn if you don't need bpf/btf/kfuncs.

Three links in that commit provide more details.
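
An added triage sketch, not part of the original thread: it tells apart the two outcomes discussed above, where the BTF validation error keeps the module from loading (as reported) and where the same message is only a warning on an upgraded kernel. The function name `btf_triage` and the labels `blocked` and `warn-only` are hypothetical, the sample inputs are constructed from the log lines quoted in the thread, and treating "absent from the module list" as "failed to load" is an assumption (the module may simply never have been requested).

```shell
#!/bin/sh
# btf_triage KERNEL_LOG_FILE MODULE_LIST_FILE
# Prints one line per affected module: "<module> <errno> <blocked|warn-only>"
# MODULE_LIST_FILE uses /proc/modules layout (module name in the first field).
btf_triage() {
    log=$1
    mods=$2
    # Kernel message format as quoted in the thread:
    #   failed to validate module [NAME] BTF: ERRNO
    sed -n 's/.*failed to validate module \[\([^]]*\)] BTF: \(-*[0-9][0-9]*\).*/\1 \2/p' "$log" |
    sort -u |
    while read -r name err; do
        if awk -v m="$name" '$1 == m { found = 1 } END { exit !found }' "$mods"; then
            # Message logged but module is loaded: warning only
            echo "$name $err warn-only"
        else
            # Message logged and module missing: rules needing it will fail
            echo "$name $err blocked"
        fi
    done
}

# Constructed sample data (log lines taken from the thread, module lists invented).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/kern.log" <<'EOF'
Jul 25 13:44:04 localhost kernel: BPF: Invalid name
Jul 25 13:44:04 localhost kernel: failed to validate module [nf_conntrack] BTF: -22
Jul 25 13:44:04 localhost kernel: missing module BTF, cannot register kfuncs
EOF
    # Module list without nf_conntrack (load was refused)
    printf 'nf_tables 303104 0 - Live 0x0000000000000000\n' > "$tmp/mods.before"
    # Module list with nf_conntrack present (warning only)
    printf 'nf_conntrack 188416 1 nft_ct, Live 0x0000000000000000\n' > "$tmp/mods.after"
    btf_triage "$tmp/kern.log" "$tmp/mods.before"
    btf_triage "$tmp/kern.log" "$tmp/mods.after"
    rm -rf "$tmp"
}

demo
```

On a live host the two inputs would be saved output of `journalctl -k` and a copy of `/proc/modules`.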



