From: Stanislav Fomichev
> Sent: 05 June 2020 01:22
> Attaching to these hooks can break iptables because its optval is
> usually quite big, or at least bigger than the current PAGE_SIZE limit.
>
> There are two possible ways to fix it:
> 1. Increase the limit to match iptables max optval.
> 2. Implement some way to bypass the value if it's too big and trigger
> BPF only with level/optname so BPF can still decide whether
> to allow/deny big sockopts.
>
> I went with #1 which means we are potentially increasing the
> amount of data we copy from the userspace from PAGE_SIZE to 512M.
...
> + const int max_supported_optlen = 512 * 1024 * 1024 + 128;
512MB seems a bit big.
I'd have thought that iptables would be usable from a 32bit application
where that is 1/6th the process address space.
Anything that might be that big ought to be done in chunks.
I was looking at the SCTP socket option code.
ISTR that may require just over 256kB - still silly, but not as bad.
SCTP also requires that getsockopt() copy the buffer in from userspace.
One call required more than a 'sockaddr storage' be read in.
David
-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT,
UK
Registration No: 1397386 (Wales)
