[ adding a subject - please make sure to include one in the future ]

> I have a setup that has 2 namespaces, connected using a Linux bridge,
> with veth pairs in each of the namespaces.
>
> ns1=192.168.1.10/24
> ns2=192.168.1.11/24
> host-br=192.168.1.1/24
>
> I can ping between host, ns1, ns2 fine.
>
> I'm attaching an xdp filter program
> https://github.com/xdp-project/xdp-tools/blob/master/xdp-filter/xdpfilt_dny_ip.c
>
> I'm using bpftool to attach this to ns1-host end. I also attach a
> dummy xdp prog (that just returns XDP_PASS) to the end inside the ns1.
> I see all ping packets to this destination dropped. Dumping
> xdp_stats_map does show counters incremented for XDP_DROP
>
> However, when using bpftool to update the filter_ipv4 map to allow
> packets with destination to go through, it doesn't work.
>
> ./bpftool map update name filter_ipv4 key 192 168 1 10 value 2 0 0 0 0 0 0 0
>
> I've tried with pinned maps, and different combinations of key/value
> as well, to no avail. The lookup just doesn't seem to succeed. Any
> suggestions on how I might go about debugging this?

What kernel version are you using? And how are you attaching the program
- from your description I'm guessing you may be using generic XDP?

Also, why are you using bpftool to load the program instead of just
using the xdp-filter binary?

-Toke