
I have a network interface $dev which already had a BPF filter attached to a special qdisc ingress (with pref 1 and direct-action). I have added another one (with pref 2). tc filter show dev $dev ingress reports the following:

filter protocol all pref 1 bpf chain 0 
filter protocol all pref 1 bpf chain 0 handle 0x1 some.o:[some-section] direct-action \
  not_in_hw id ... tag ... jited 
filter protocol all pref 2 bpf chain 1 
filter protocol all pref 2 bpf chain 1 handle 0x1 other.o:[other-section] \
  not_in_hw id ... tag ... jited

What is the relationship between chained filters in such a case: Will the secondary one (i.e. mine) always see the same traffic as the first or does it depend on what the first one has returned, esp. given that it uses direct-action? I suspect the second is true but am not yet certain.

rookie099
    I would guess the same as you, but I'm not 100% certain either. What about experimenting? You could either print some debug messages from your programs (e.g. with `bpf_trace_printk()`) or compare the number of times each program is run (search for `stat` in [bpftool-prog man page](https://www.mankier.com/8/bpftool-prog)). I wonder if [ipftrace2](https://github.com/YutaroHayakawa/ipftrace2/) might also be helpful to follow the travel of the packets, I've never used it in that context. – Qeole May 25 '21 at 21:11
    @Qeole I did some experimenting and this also suggested (but did not prove) that the second was true. – rookie099 May 25 '21 at 21:40

1 Answer


What the second BPF program in the chain sees depends on what the first returns. You can read that logic in cls_bpf_classify().

pchaigno
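To make the answer's point concrete, below is a small user-space model of the direct-action path of cls_bpf_classify() and its helper cls_bpf_exec_opcode(). It is an added example, not code from the original page or from the kernel: the TC_ACT_* values are copied from include/uapi/linux/pkt_cls.h so it builds without kernel headers, and the program names, the run counter (standing in for the run_cnt that bpftool prog show reports) and the verdicts are constructed for the demonstration. The model assumes both programs are attached with direct-action and sit on the same chain.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Verdict values as defined in include/uapi/linux/pkt_cls.h, copied here so
 * the model compiles without kernel headers. */
#define TC_ACT_UNSPEC     (-1)
#define TC_ACT_OK         0
#define TC_ACT_RECLASSIFY 1
#define TC_ACT_SHOT       2
#define TC_ACT_PIPE       3
#define TC_ACT_STOLEN     4
#define TC_ACT_QUEUED     5
#define TC_ACT_REPEAT     6
#define TC_ACT_REDIRECT   7
#define TC_ACT_TRAP       8

/* One direct-action cls_bpf program (constructed for the example): the verdict
 * it would return for the packet, and a counter bumped each time it runs. */
struct da_prog {
	const char *name;
	int verdict;
	unsigned long run_cnt;
};

/* Same mapping as the kernel's cls_bpf_exec_opcode(): only these codes are
 * honoured as final verdicts; any other return value is treated as
 * TC_ACT_UNSPEC, i.e. "no opinion, keep classifying". */
static int cls_bpf_exec_opcode(int code)
{
	switch (code) {
	case TC_ACT_OK:
	case TC_ACT_SHOT:
	case TC_ACT_STOLEN:
	case TC_ACT_TRAP:
	case TC_ACT_REDIRECT:
	case TC_ACT_UNSPEC:
		return code;
	default:
		return TC_ACT_UNSPEC;
	}
}

/* Model of the direct-action branch of cls_bpf_classify(): programs on the
 * chain run in pref order, and the walk stops at the first program whose
 * verdict is not TC_ACT_UNSPEC. Returns the verdict the qdisc acts on
 * (TC_ACT_UNSPEC if every program declined). */
static int classify_direct_action(struct da_prog *progs, size_t n)
{
	int ret = TC_ACT_UNSPEC;

	for (size_t i = 0; i < n; i++) {
		progs[i].run_cnt++;
		ret = cls_bpf_exec_opcode(progs[i].verdict);
		if (ret == TC_ACT_UNSPEC)
			continue;	/* pref 1 declined: pref 2 sees the packet */
		break;			/* any honoured verdict ends classification */
	}
	return ret;
}

/* Does the pref-2 program run when the pref-1 program returns first_verdict?
 * The pref-2 program itself always returns TC_ACT_OK in this model. */
static bool second_runs_after(int first_verdict, int *final_verdict)
{
	struct da_prog filters[] = {
		{ "pref 1 some.o:[some-section]",   first_verdict, 0 },
		{ "pref 2 other.o:[other-section]", TC_ACT_OK,     0 },
	};
	int v = classify_direct_action(filters, 2);

	if (final_verdict)
		*final_verdict = v;
	return filters[1].run_cnt == 1;
}

int main(void)
{
	static const struct { const char *label; int code; } cases[] = {
		{ "TC_ACT_UNSPEC",            TC_ACT_UNSPEC },
		{ "TC_ACT_OK",                TC_ACT_OK },
		{ "TC_ACT_SHOT",              TC_ACT_SHOT },
		{ "TC_ACT_REDIRECT",          TC_ACT_REDIRECT },
		{ "TC_ACT_PIPE (not honoured)", TC_ACT_PIPE },
		{ "42 (unknown code)",        42 },
	};

	for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
		int v;
		bool ran = second_runs_after(cases[i].code, &v);

		printf("pref 1 returns %-28s -> pref 2 runs: %-3s final verdict: %d\n",
		       cases[i].label, ran ? "yes" : "no", v);
	}
	return 0;
}
```

So with direct-action the pref 2 program only sees a packet when the pref 1 program returns TC_ACT_UNSPEC (or a code outside the honoured set, which the kernel folds into TC_ACT_UNSPEC); TC_ACT_OK, TC_ACT_SHOT, TC_ACT_STOLEN, TC_ACT_TRAP and TC_ACT_REDIRECT all end classification at the first program. One further caveat from the listing in the question: the two filters are shown on different chains (chain 0 and chain 1). Classification starts on chain 0, and a filter on another chain is only reached through a goto chain action, which cls_bpf_exec_opcode() does not pass through for direct-action programs, so the two programs' chains are worth checking before reasoning about return codes at all.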