From: Shmulik Ladkani <shmulik@nsof.io>
To: netfilter-devel@vger.kernel.org, Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Willem de Bruijn <willemb@google.com>,
	rbk@nsof.io, shmulik@nsof.io, Rafael Buchbinder <rafi@rbk.ms>
Subject: [PATCH v2 2/2] extensions: xt_bpf: get the pinned ebpf object when match is initialized
Date: Sun, 17 Sep 2017 14:20:31 +0300
Message-ID: <20170917112031.8644-3-shmulik@nsof.io>
In-Reply-To: <20170917112031.8644-1-shmulik@nsof.io>

From: Rafael Buchbinder <rafi@rbk.ms>

xt_bpf_info_v1 structure requires an open file descriptor to create an
eBPF match. This file descriptor is checked on every replace. However,
as this file descriptor is valid only for the iptables invocation which
loads the eBPF for the first time, all subsequent iptables invocations
fail in bpf_mt_check (kernel) function.

This commit fixes handling of pinned ebpf objects.

The file descriptor saved in xt_bpf_info_v1 structure is being re-opened
in tc_init_fixup which is invoked immediately after tc_init.

Signed-off-by: Rafael Buchbinder <rafi@rbk.ms>
Signed-off-by: Shmulik Ladkani <shmulik@nsof.io>
---
 extensions/libxt_bpf.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/extensions/libxt_bpf.c b/extensions/libxt_bpf.c
index 9510c190..16d6bc25 100644
--- a/extensions/libxt_bpf.c
+++ b/extensions/libxt_bpf.c
@@ -247,6 +247,14 @@ static void bpf_print_v1(const void *ip, const struct xt_entry_match *match,
 		printf("unknown");
 }
 
+static void bpf_tc_init_fixup_v1(struct xt_entry_match *match)
+{
+	struct xt_bpf_info_v1 *info = (void *) match->data;
+
+	if (info->mode == XT_BPF_MODE_FD_PINNED)
+		bpf_parse_obj_pinned(info, info->path);
+}
+
 static struct xtables_match bpf_matches[] = {
 	{
 		.family		= NFPROTO_UNSPEC,
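
Review bot: bpf_tc_init_fixup_v1() has no comment saying why the descriptor is fetched again or what happens when it cannot be, and the call bpf_parse_obj_pinned(info, info->path) passes a field of info as the input while info is also the output. Please add a short comment stating that the fd stored in a rule read back from the kernel is not valid in this process, that the helper only reads the path and overwrites the fd, and how a failure to open the object at info->path is reported. Because the object is looked up by path on each invocation, it is also worth documenting that the rule will pick up whatever object is pinned at that path at that moment, which may differ from the one originally loaded if the pin was replaced or removed.
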
@@ -272,6 +280,7 @@ static struct xtables_match bpf_matches[] = {
 		.help		= bpf_help_v1,
 		.print		= bpf_print_v1,
 		.save		= bpf_save_v1,
+		.tc_init_fixup	= bpf_tc_init_fixup_v1,
 		.x6_parse	= bpf_parse_v1,
 		.x6_fcheck	= bpf_fcheck_v1,
 		.x6_options	= bpf_opts_v1,
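
Review bot: the .tc_init_fixup initializer relies on a member that this patch does not add to struct xtables_match, so the dependency on patch 1/2 of the series should be stated in the commit message. The mode test lives inside the callback, so the hook is registered for every match that uses this entry; a one-line comment next to .tc_init_fixup saying it only acts on XT_BPF_MODE_FD_PINNED would save readers a lookup.
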
-- 
2.14.1

