[{"id":1770289,"web_url":"http://patchwork.ozlabs.org/comment/1770289/","msgid":"<CA+FuTSf9SFcgJm7iOCcLUCHMGOwD=-CgFourPt8krCnweWLq7g@mail.gmail.com>","list_archive_url":null,"date":"2017-09-18T16:22:25","subject":"Re: [PATCH v2 2/2] extensions: xt_bpf: get the pinned ebpf object\n\twhen match is initialized","submitter":{"id":67615,"url":"http://patchwork.ozlabs.org/api/people/67615/","name":"Willem de Bruijn","email":"willemdebruijn.kernel@gmail.com"},"content":"On Sun, Sep 17, 2017 at 7:20 AM, Shmulik Ladkani <shmulik@nsof.io> wrote:\n> From: Rafael Buchbinder <rafi@rbk.ms>\n>\n> From: Rafael Buchbinder <rafi@rbk.ms>\n>\n> xt_bpf_info_v1 structure requires an open file descriptor to create an\n> eBPF match. This file descriptor is checked on every replace. However,\n> as this file descriptor is valid only for the iptables invocation which\n> loads the eBPF for the first time, all subsequent iptables invocations\n> fail in bpf_mt_check (kernel) function.\n>\n> This commit fixes handling of pinned ebpf objects.\n>\n> The file descriptor saved in xt_bpf_info_v1 structure is being re-opened\n> in tc_init_fixup which is invoked immediately after tc_init.\n>\n> Signed-off-by: Rafael Buchbinder <rafi@rbk.ms>\n> Signed-off-by: Shmulik Ladkani <shmulik@nsof.io>\n\nThanks a lot for fixing this.\n\nAcked-by: Willem de Bruijn <willemb@google.com>\n\nThe pinned object at that filepath can change between iptables invocations.\nThis is not very obvious when inserting a new unrelated rule, but an\nunavoidable effect of iptables reading and re-inserting the entire table on\neach operation. Even switching to the bpf identifier would not help, as those\nids can be recycled, too. 
Admins just have to be diligent and not rely on\nobjects pinned by unprivileged users.\n","headers":{"In-Reply-To":"<20170917112031.8644-3-shmulik@nsof.io>","References":"<20170917112031.8644-1-shmulik@nsof.io>\n\t<20170917112031.8644-3-shmulik@nsof.io>","From":"Willem de Bruijn <willemdebruijn.kernel@gmail.com>","Date":"Mon, 18 Sep 2017 12:22:25 -0400","Message-ID":"<CA+FuTSf9SFcgJm7iOCcLUCHMGOwD=-CgFourPt8krCnweWLq7g@mail.gmail.com>","Subject":"Re: [PATCH v2 2/2] extensions: xt_bpf: get the pinned ebpf object\n\twhen match is initialized","To":"Shmulik Ladkani <shmulik@nsof.io>","Cc":"netfilter-devel <netfilter-devel@vger.kernel.org>,\n\tPablo Neira Ayuso <pablo@netfilter.org>, rbk@nsof.io,\n\tRafael Buchbinder <rafi@rbk.ms>","List-ID":"<netfilter-devel.vger.kernel.org>"}}]