From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Willem de Bruijn <willemb@google.com>
Cc: Shmulik Ladkani <shmulik@nsof.io>,
netfilter-devel <netfilter-devel@vger.kernel.org>,
rbk@nsof.io, Rafael Buchbinder <rafi@rbk.ms>
Subject: Re: [PATCH v2 1/2] iptables: support match info fixup after tc_init
Date: Wed, 4 Oct 2017 16:33:01 +0200 [thread overview]
Message-ID: <20171004143301.GA22316@salvia> (raw)
In-Reply-To: <20170918175424.GA17019@salvia>
On Mon, Sep 18, 2017 at 07:54:24PM +0200, Pablo Neira Ayuso wrote:
> On Mon, Sep 18, 2017 at 01:50:32PM -0400, Willem de Bruijn wrote:
> > On Mon, Sep 18, 2017 at 1:23 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > > On Mon, Sep 18, 2017 at 08:00:42PM +0300, Shmulik Ladkani wrote:
> > >> Hi Pablo,
> > >>
> > >> On Mon, 18 Sep 2017 18:28:11 +0200 Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > >>
> > >> > >
> > >> > > + /* Fixes the match info after init. */
> > >> > > + void (*tc_init_fixup)(struct xt_entry_match *match);
> > >> >
> > >> > If this is only broken from tc ipt actions, could you fix this from
> > >> > iproute2/tc instead?
> > >>
> > >> No, this is not iproute2/tc specfic.
> > >
> > > OK.
> > >
> > >> We named it 'tc_init_fixup' as it occurs just after the TC_INIT
> > >> (iptc_init/ip6tc_init) call.
> > >> If this is confusing, we can rename to 'init_fixup' or 'post_init_fixup'
> > >> or 'iptc_init_fixup'.
> > >>
> > >> This must occur after every load of entries, as the xt_bpf match needs
> > >> a fixup once read from kernel.
> > >>
> > >> The problem lies in the xt_bpf_info_v1 ABI.
> > >> See:
> > >> https://marc.info/?l=netfilter-devel&m=150530909630143&w=2
> > >
> > > I see, can we get a v2 ABI that fixes this? Given this was included
> > > not long time ago, we can quickly deprecate this without this custom
> > > hook to address this.
> >
> > We can perhaps change the kernel module to ignore .fd and do a
> > path lookup for .path directly inside the kernel. That would not
> > require a v2, even.
>
> That sounds very reasonable, so we can just address this as a plain
> fix and pass it on to -stable.
Anyone following up with this?
Thanks!
next prev parent reply other threads:[~2017-10-04 14:33 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-17 11:20 [PATCH v2 0/2] xt_bpf: fix handling of pinned objects Shmulik Ladkani
2017-09-17 11:20 ` [PATCH v2 1/2] iptables: support match info fixup after tc_init Shmulik Ladkani
2017-09-18 16:28 ` Pablo Neira Ayuso
2017-09-18 17:00 ` Shmulik Ladkani
2017-09-18 17:23 ` Pablo Neira Ayuso
2017-09-18 17:50 ` Willem de Bruijn
2017-09-18 17:54 ` Pablo Neira Ayuso
2017-10-04 14:33 ` Pablo Neira Ayuso [this message]
2017-10-04 14:38 ` Shmulik Ladkani
2017-09-18 18:04 ` Jan Engelhardt
2017-09-17 11:20 ` [PATCH v2 2/2] extensions: xt_bpf: get the pinned ebpf object when match is initialized Shmulik Ladkani
2017-09-18 16:22 ` Willem de Bruijn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171004143301.GA22316@salvia \
--to=pablo@netfilter.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=rafi@rbk.ms \
--cc=rbk@nsof.io \
--cc=shmulik@nsof.io \
--cc=willemb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.