I have a setup that has 2 namespaces, connected using a linux bridge, with veth pairs in each of the namespace. ns1=192.168.1.10/24 ns2=192.168.1.11/24 host-br=192.168.1.1/24 I can ping between host, ns1, ns2 fine. I'm attaching an xdp filter program https://github.com/xdp-project/xdp-tools/blob/master/xdp-filter/xdpfilt_dny_ip.c I'm using bpftool to attach this to ns1-host end. I also attach a dummy xdp prog (that just returns XDP_PASS) to the end inside the ns1. I see all ping packets to this destination dropped. Dumping xdp_stats_map does show counters incremented for XDP_DROP However, when using bpftool to update the filter_ipv4 map to allow packets with destination to go through, it doesn't work. ./bpftool map update name filter_ipv4 key 192 168 1 10 value 2 0 0 0 0 0 0 0 I've tried with pinned maps, and different combinations of key/value as well, to no avail. The lookup just doesn't seem to succeed. Any suggestions on how I might go about debugging this? -------- Update: I did try with bpf_printk to see what was going on, and there seems to be some really weird issue that happens after the bpf map is updated. So, to keep things simple, I attached the xdp filter program to my host bridge interface. Pinging the bridge address from either namespace drops the packet, AND my printk message is logged and I can read it from /sys/kernel/debug/tracing/trace_pipe I insert entries into the map, and then when I try to do the same, not only does it not work, there is no printk message either. Removing these entries still does not get the printk message back. How do I go about debugging this? Are there any known issues with using maps that are not pinned (I have tried with pinning them, but didn't debug that setup deeply). Thanks. Topi
|