Re: xdp-filter troubles

From: Topi Wala <walatopi@gmail.com>
To: "Toke Høiland-Jørgensen" <toke@redhat.com>
Cc: xdp-newbies@vger.kernel.org
Subject: Re: xdp-filter troubles
Date: Mon, 21 Sep 2020 19:28:52 -0700	[thread overview]
Message-ID: <CAOfgOftCMOv64fZjLCDTcgonCbXuYM+Ot3YPbwin8dfyXR7yaQ@mail.gmail.com> (raw)
In-Reply-To: <87zh5jp6r5.fsf@toke.dk>

You're not the first person to run into the ARP behaviour, BTW. I guess
it may make sense to parse neighbour requests and include them in the IP
filter; feel free to open an issue in the xdp-tools repo for this (or
even better, a pull request!).

Sure, will take a look. There are lots of control packets to be
worried about, especially in the IPv6 world.

On Mon, Sep 21, 2020 at 7:03 AM Toke Høiland-Jørgensen <toke@redhat.com> wrote:
>
> Topi Wala <walatopi@gmail.com> writes:
>
> > Sorry about the subject. I had to forward after using text (default is
> > http in gmail).
> > My kernel version is 5.7.17 (quite new). I am using xdp (ip link show
> > on the device shows the xdp, not xdpgeneric).
> > I'm using bpftool, since this is to deploy to a third party, and using
> > standard linux tools (bpftool, iproute2) is fine, userspace binaries
> > are not.
>
> Heh, that's an interesting policy - I'm guessing whoever set it doesn't
> really understand BPF... :)
>
> > Is there anything I miss by not using the xdp-filter binary?
>
> Well, a nicer user interface?
> But no, technically the BPF side should work just fine, as long as you
> populate the maps correctly. Just don't expect any future changes to
> xdp-filter to take your... interesting... use case into account :)
>
> > However, I think I have figured out the issue, and I'm quite surprised by it.
> > It appears that as soon as the xdpfilter program is attached, the arp
> > entry for that IP is discarded from all the entities connected to that
> > bridge.
> > The peer node consequently does an ARP before ping, and since ARP is
> > not an IP packet, it doesn't show up in the bpf log.
> > Since the remote node doesn't get an ARP response (arp request is
> > dropped), it doesn't send the ping packet at all.
>
> Hmm, installing an XDP program does call the netdev notifiers, so I
> guess the iface state can flip, causing the neighbour entries to be
> evicted. In general, it's probably safest to consider loading an XDP
> program to be a potentially destructive event (some physical devices
> will even reconfigure the hardware when this happens). This is only on
> first install, though, swapping between already-installed XDP programs
> should not have such issues.
>
> You're not the first person to run into the ARP behaviour, BTW. I guess
> it may make sense to parse neighbour requests and include them in the IP
> filter; feel free to open an issue in the xdp-tools repo for this (or
> even better, a pull request!).
>
> -Toke
>