Closed g00g1 closed 1 year ago
I have increased BPF_COMPLEXITY_LIMIT_INSNS from 1000000 (1M) to 10000000 (10M) in include/linux/bpf.h, and after a kernel rebuild the eBPF validator allowed the XDP program to load.
I think this should be mentioned in the README, as it is an important clarification: currently it is not possible to use XDP-Firewall without applying a Linux kernel patch.
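As an added example (not code from this issue or from the xdpfw project): a small Python helper that reads the tail of a libbpf verifier log, pulls out the verifier's processed-instruction count and limit, and reports whether the program hit the complexity limit and how much headroom remains. The two sample logs are constructed for the example and only model the wording of the verifier's "too large" error and its final stats line; the rule-count estimate assumes verifier cost grows linearly with the number of filter rules, which is an assumption of this example, not a measurement from the issue.

```python
import re

# Default value of BPF_COMPLEXITY_LIMIT_INSNS in include/linux/bpf.h (1M), as quoted in the issue.
DEFAULT_COMPLEXITY_LIMIT = 1_000_000

# Constructed sample of the last lines of a verifier log from a failed load; the
# wording is modelled on the verifier's "too large" error and its final stats line.
SAMPLE_FAILED_LOG = """\
1048573: (61) r1 = *(u32 *)(r2 +0)
1048574: (b7) r0 = 2
BPF program is too large. Processed 1000001 insn
processed 1000001 insns (limit 1000000) max_states_per_insn 4 total_states 9123 peak_states 9123 mark_read 61
"""

# Constructed sample of the stats line from a program that loaded within the limit.
SAMPLE_OK_LOG = """\
processed 812345 insns (limit 1000000) max_states_per_insn 4 total_states 7001 peak_states 7001 mark_read 55
"""

STATS_RE = re.compile(r"^processed (\d+) insns \(limit (\d+)\)", re.M)
TOO_LARGE_RE = re.compile(r"^BPF program is too large\. Processed (\d+) insn", re.M)


def parse_verifier_log(log):
    """Extract processed instruction count, limit and the too-large flag from a log.

    Returns None when neither the stats line nor the too-large error is present,
    e.g. when the load failed for an unrelated reason or the log buffer was too small
    to hold the end of the verifier output.
    """
    processed = limit = None
    m = STATS_RE.search(log)
    if m:
        processed, limit = int(m.group(1)), int(m.group(2))
    too_large = TOO_LARGE_RE.search(log)
    if too_large:
        processed = max(processed or 0, int(too_large.group(1)))
    if processed is None:
        return None
    return {
        "processed": processed,
        "limit": limit or DEFAULT_COMPLEXITY_LIMIT,
        "too_large": bool(too_large),
    }


def diagnose(log):
    """Classify a load attempt as 'unknown', 'too_large' or 'ok (<n>% headroom)'."""
    info = parse_verifier_log(log)
    if info is None:
        return "unknown"
    if info["too_large"] or info["processed"] > info["limit"]:
        return "too_large"
    headroom = 100 * (info["limit"] - info["processed"]) // info["limit"]
    return f"ok ({headroom}% headroom)"


def max_rules_within_limit(processed, rules, limit=DEFAULT_COMPLEXITY_LIMIT, margin=0.9):
    """Estimate how many filter rules fit under the limit without a kernel patch.

    Assumes (for this example only) that the verifier's instruction count grows
    roughly linearly with the rule count; `margin` keeps some headroom so that a
    slightly stricter verifier in a newer kernel does not immediately break the load.
    """
    if processed <= 0 or rules <= 0:
        raise ValueError("processed and rules must be positive")
    return int(rules * limit * margin / processed)


if __name__ == "__main__":
    print("failed load:", diagnose(SAMPLE_FAILED_LOG))
    print("good load:  ", diagnose(SAMPLE_OK_LOG))
    print("rules that fit (est.):", max_rules_within_limit(1_000_001, 100))
```

To use it on a real failure, capture libbpf's verifier log with a large enough buffer (the stats line is the last thing the verifier prints, so a truncated log yields "unknown") and feed the text to `diagnose`; the estimate from `max_rules_within_limit` is only a starting point for choosing a lower rule count, the same trade-off the maintainer made by reducing the maximum number of filters.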
Hey, thank you for reporting this and no need to be sorry!
It appears that in newer Linux kernels the BPF limitations are more strict. However, the complexity limit has always been 1 million, which makes this issue strange to me. The firewall has worked for years until this issue arose.
I've decreased the maximum filters from 100 to 90 in commit 8fbab9b which resolves the issue without needing to apply a patch to the kernel. I'll update the README soon and add information from my XDP Forwarding project here that goes over how to increase the limits along with including a patch if anybody needs more than 90 filtering rules.
I'm going to close this for now since the firewall builds successfully. Thank you again for the report!
I am sorry to bother you once again, but since my previous issue (#38) I have tried to change the environment where I am trying to evaluate and hack on this project.
The new host is:
CPU: 2x Intel(R) Xeon(R) Silver 4208
NIC: Intel Corporation Ethernet Controller XL710 for 40GbE QSFP+ (i40e)
Kernel: 5.14.0-70.13.1.el9_0.x86_64
I have successfully built xdpfw, but when running
xdpfw -t 5
I have encountered a libbpf error; the full log is attached below (xdpfw.txt).
UPD: exactly the same behavior was reproduced on another machine (as in issue #38)