[Topi Wala <walatopi@gmail.com>]

I have a setup that has 2 namespaces, connected using a linux bridge,
with veth pairs in each of the namespace.

ns1=192.168.1.10/24
ns2=192.168.1.11/24
host-br=192.168.1.1/24

I can ping between host, ns1, ns2 fine.

I'm attaching an xdp filter program
https://github.com/xdp-project/xdp-tools/blob/master/xdp-filter/xdpfilt_dny_ip.c

I'm using bpftool to attach this to ns1-host end. I also attach a
dummy xdp prog (that just returns XDP_PASS) to the end inside the ns1.
I see all ping packets to this destination dropped. Dumping
xdp_stats_map does show counters incremented for XDP_DROP

However, when using bpftool to update the filter_ipv4 map to allow
packets with destination to go through, it doesn't work.

./bpftool map update name filter_ipv4 key 192 168 1 10 value 2 0 0 0 0 0 0 0

I've tried with pinned maps, and different combinations of key/value
as well, to no avail. The lookup just doesn't seem to succeed. Any
suggestions on how I might go about debugging this?

--------

Update:

I did try with bpf_printk to see what was going on, and there seems to
be some really weird issue that happens after the bpf map is updated.

So, to keep things simple, I attached the xdp filter program to my
host bridge interface. Pinging the bridge address from either
namespace drops the packet, AND my printk message is logged and I can
read it from /sys/kernel/debug/tracing/trace_pipe

I insert entries into the map, and then when I try to do the same, not
only does it not work, there is no printk message either. Removing
these entries still does not get the printk message back.

How do I go about debugging this? Are there any known issues with
using maps that are not pinned (I have tried with pinning them, but
didn't debug that setup deeply).

Thanks.
Topi