-
Thomas Haller authoredThe socket BPF filter operates on the entire message (skb). One netlink message (for RTM_NEWROUTE) usually contains a list of routes (struct nlmsghdr), but the BPF filter was only looking at the first route to decide whether to throw away the entire message. That is wrong. This causes that we miss routes. It also means that the response to our RTM_GETROUTE dump request could be filtered and we poll/wait (unsuccessfully) for it: <trace> [1641829930.4111] platform-linux: netlink: read: wait for ACK for sequence number 26... To get this right, the BPF filter would have to look at all routes in the list to find out whether there are any we want to receive (and if there are any, to pass the entire message, regardless that is might also contain routes we want to ignore). As BPF does not support loops, that is not trivial. Arguably, we still could do something where we look at a bounded, unrolled number of routes, in the hope that there are not more routes in one message that we support. The problem is that this BPF filter is supposed to filter out massive amounts of routes, so most messages will be filled to the brim with routes and we would have to expect a high number of routes in the RTM_NEWROUTE that need checking. We could still ignore routes in _new_from_nl_route(), to enter the cache. That means, we would catch them later than with the BPF filter, but still before a lot of the overhead of handling them. That probably will be done next, but for now revert the commit. This reverts commit e9ca5583. https://bugzilla.redhat.com/show_bug.cgi?id=2037411