Re: xdp-filter troubles

Sorry about the subject. I had to forward after using text (default is
http in gmail).
My kernel version is 5.7.17 (quite new). I am using xdp (ip link show
on the device shows the xdp, not xdpgeneric).
I'm using bpftool, since this is to deploy to a third party, and using
standard linux tools (bpftool, iproute2) is fine, userspace binaries
are not.
Is there anything I miss by not using the xdp-filter binary?

However, I think I have figured out the issue, and I'm quite surprised by it.
It appears that as soon as the xdpfilter program is attached, the ARP
entry for that IP is discarded from all the entities connected to that
bridge.
The peer node consequently does an ARP before ping, and since ARP is
not an IP packet, it doesn't show up in the bpf log.
Since the remote node doesn't get an ARP response (the ARP request is
dropped), it doesn't send the ping packet at all.

Thanks,
Hari



On Mon, Sep 21, 2020 at 2:44 AM Toke Høiland-Jørgensen <toke@xxxxxxxxxx> wrote:
>
> [ adding a subject - please make sure to include one in the future ]
>
> > I have a setup that has 2 namespaces, connected using a linux bridge,
> > with veth pairs in each of the namespace.
> >
> > ns1=192.168.1.10/24
> > ns2=192.168.1.11/24
> > host-br=192.168.1.1/24
> >
> > I can ping between host, ns1, ns2 fine.
> >
> > I'm attaching an xdp filter program
> > https://github.com/xdp-project/xdp-tools/blob/master/xdp-filter/xdpfilt_dny_ip.c
> >
> > I'm using bpftool to attach this to ns1-host end. I also attach a
> > dummy xdp prog (that just returns XDP_PASS) to the end inside the ns1.
> > I see all ping packets to this destination dropped. Dumping
> > xdp_stats_map does show counters incremented for XDP_DROP
> >
> > However, when using bpftool to update the filter_ipv4 map to allow
> > packets with destination to go through, it doesn't work.
> >
> > ./bpftool map update name filter_ipv4 key 192 168 1 10 value 2 0 0 0 0 0 0 0
> >
> > I've tried with pinned maps, and different combinations of key/value
> > as well, to no avail. The lookup just doesn't seem to succeed. Any
> > suggestions on how I might go about debugging this?
>
> What kernel version are you using? And how are you attaching the program
> - from your description I'm guessing you may be using generic XDP? Also,
> why are you using bpftool to load the program instead of just using the
> xdp-filter binary?
>
> -Toke
>
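The failure mode Hari describes above (an IPv4 allow-list filter on the veth silently drops the peer's ARP request, so the peer never resolves the address and never sends the ICMP packet the filter was meant to log) can be reproduced without a kernel. The following is an added example, not code from xdp-tools or from anyone in the thread: a userspace C model of the verdict logic such a filter applies to a raw Ethernet frame, with constructed ARP and IPv4 frames using the thread's addresses (192.168.1.10 for ns1, 192.168.1.11 for ns2; MAC addresses are made up). `filter_frame`, `pass_arp`, `allow_dst` and the `build_*` helpers are hypothetical names; `allow_dst` stands in for the `filter_ipv4` map.

```c
/* Added example: userspace model of an IPv4 allow-list XDP filter's verdict
 * logic, to show that ARP must be passed explicitly or IP traffic never
 * arrives.  Not xdp-tools code; all names are illustrative. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETH_P_IP   0x0800
#define ETH_P_ARP  0x0806
#define ETH_HLEN   14
#define IPV4_HLEN  20

enum verdict { VERDICT_DROP = 0, VERDICT_PASS = 1 };

/* Constructed allow-list of permitted destination addresses (host byte
 * order); stands in for the filter_ipv4 BPF map from the thread. */
static const uint32_t allow_dst[] = { 0xC0A8010Au /* 192.168.1.10 */ };

static int dst_allowed(uint32_t dst)
{
    for (size_t i = 0; i < sizeof allow_dst / sizeof allow_dst[0]; i++)
        if (allow_dst[i] == dst)
            return 1;
    return 0;
}

/* Verdict for one Ethernet frame.  pass_arp == 0 reproduces the failure
 * mode: every non-IPv4 frame, ARP included, falls through to the default
 * drop.  pass_arp == 1 passes ARP before consulting the allow-list. */
int filter_frame(const uint8_t *data, size_t len, int pass_arp)
{
    if (len < ETH_HLEN)                 /* bounds check, as the verifier demands in XDP */
        return VERDICT_DROP;
    uint16_t proto = (uint16_t)((data[12] << 8) | data[13]);

    if (proto == ETH_P_ARP)
        return pass_arp ? VERDICT_PASS : VERDICT_DROP;
    if (proto != ETH_P_IP)
        return VERDICT_DROP;
    if (len < ETH_HLEN + IPV4_HLEN)
        return VERDICT_DROP;

    const uint8_t *ip = data + ETH_HLEN;
    if ((ip[0] >> 4) != 4)              /* version nibble must be 4 */
        return VERDICT_DROP;
    uint32_t dst = ((uint32_t)ip[16] << 24) | ((uint32_t)ip[17] << 16) |
                   ((uint32_t)ip[18] << 8)  |  (uint32_t)ip[19];
    return dst_allowed(dst) ? VERDICT_PASS : VERDICT_DROP;
}

static void put_be16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Constructed ARP request: ns2 (192.168.1.11) asking who has 192.168.1.10. */
size_t build_arp_request(uint8_t *buf)
{
    static const uint8_t src_mac[6] = { 0x02, 0, 0, 0, 0, 0x0b };   /* made up */
    memset(buf, 0xff, 6);                 /* broadcast destination */
    memcpy(buf + 6, src_mac, 6);
    put_be16(buf + 12, ETH_P_ARP);
    uint8_t *arp = buf + ETH_HLEN;
    put_be16(arp + 0, 1);                 /* htype: Ethernet */
    put_be16(arp + 2, ETH_P_IP);          /* ptype: IPv4 */
    arp[4] = 6; arp[5] = 4;               /* hlen, plen */
    put_be16(arp + 6, 1);                 /* oper: request */
    memcpy(arp + 8, src_mac, 6);
    put_be32(arp + 14, 0xC0A8010Bu);      /* sender IP 192.168.1.11 */
    memset(arp + 18, 0, 6);               /* target MAC unknown */
    put_be32(arp + 24, 0xC0A8010Au);      /* target IP 192.168.1.10 */
    return ETH_HLEN + 28;
}

/* Constructed IPv4 frame from 192.168.1.11 to dst, header only, checksum
 * left zero since the model never verifies it. */
size_t build_ipv4_frame(uint8_t *buf, uint32_t dst)
{
    static const uint8_t dst_mac[6] = { 0x02, 0, 0, 0, 0, 0x0a };   /* made up */
    static const uint8_t src_mac[6] = { 0x02, 0, 0, 0, 0, 0x0b };   /* made up */
    memcpy(buf, dst_mac, 6);
    memcpy(buf + 6, src_mac, 6);
    put_be16(buf + 12, ETH_P_IP);
    uint8_t *ip = buf + ETH_HLEN;
    memset(ip, 0, IPV4_HLEN);
    ip[0] = 0x45;                         /* version 4, IHL 5 */
    put_be16(ip + 2, IPV4_HLEN);          /* total length */
    ip[8] = 64;                           /* TTL */
    ip[9] = 1;                            /* protocol: ICMP */
    put_be32(ip + 12, 0xC0A8010Bu);       /* source 192.168.1.11 */
    put_be32(ip + 16, dst);
    return ETH_HLEN + IPV4_HLEN;
}

/* Verdict on a fresh ARP request under the given policy. */
int arp_verdict(int pass_arp)
{
    uint8_t f[64];
    size_t n = build_arp_request(f);
    return filter_frame(f, n, pass_arp);
}

/* Verdict on a fresh IPv4 frame to dst, with ARP passing enabled. */
int ipv4_verdict(uint32_t dst)
{
    uint8_t f[64];
    size_t n = build_ipv4_frame(f, dst);
    return filter_frame(f, n, 1);
}

int main(void)
{
    printf("ARP request, IPv4-only filter : %s\n", arp_verdict(0) ? "PASS" : "DROP");
    printf("ARP request, ARP passed       : %s\n", arp_verdict(1) ? "PASS" : "DROP");
    printf("IPv4 to 192.168.1.10          : %s\n", ipv4_verdict(0xC0A8010Au) ? "PASS" : "DROP");
    printf("IPv4 to 192.168.1.11          : %s\n", ipv4_verdict(0xC0A8010Bu) ? "PASS" : "DROP");
    return 0;
}
```

The first line of output is the whole problem: with the filter attached at the host end of the ns1 veth and no ARP exception, the broadcast request from ns2 is dropped before it reaches ns1, the neighbour entry on the bridge side is never refreshed, and the ping is never sent, so nothing IP-level appears in the BPF log or the drop counters for that flow. When debugging a drop-by-default filter, count per-ethertype verdicts (or watch `arp` traffic on the peer with a packet capture) before concluding that the allow-list lookup itself is failing.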