Re: netfilter: xt_bpf: ABI issue in xt_bpf_info_v1?

On Wed, Sep 13, 2017 at 11:05 AM, Willem de Bruijn wrote: > On Wed, Sep 13, 2017 at 10:22 AM, Jan Engelhardt wrote: >> >> On Wednesday 2017-09-13 15:24, Shmulik Ladkani wrote: >>> >>>One way to fix is to have iptables open the object (using the

Re: netfilter: xt_bpf: ABI issue in xt_bpf_info_v1?

On Wed, Sep 13, 2017 at 10:22 AM, Jan Engelhardt wrote: > > On Wednesday 2017-09-13 15:24, Shmulik Ladkani wrote: >> >>One way to fix is to have iptables open the object (using the stored >>xt_bpf_info_v1->path), gaining a new process local fd for the object, >>just after getting

Re: netfilter: xt_bpf: ABI issue in xt_bpf_info_v1?

On Wednesday 2017-09-13 15:24, Shmulik Ladkani wrote: > >One way to fix is to have iptables open the object (using the stored >xt_bpf_info_v1->path), gaining a new process local fd for the object, >just after getting the rules from IPT_SO_GET_ENTRIES. >However we didn't see any other extensions

netfilter: xt_bpf: ABI issue in xt_bpf_info_v1?

Hi, Commit 2c16d60 'netfilter: xt_bpf: support ebpf' introduced 'xt_bpf_info_v1', to support attaching an eBPF object by fd. Alas, seems this ABI is problematic, as the 'fd', which is local to the process attaching the ebpf object (namely iptables) is stored in the matchinfo structure. This