diff --git a/nsd.conf.5.in b/nsd.conf.5.in index fb869aaa..c3a46535 100644 --- a/nsd.conf.5.in +++ b/nsd.conf.5.in @@ -593,23 +593,27 @@ The eBPF XDP program to extract the XSKMAP from. Specify your own program here, if you want to use a custom XDP program. The default program shipped with NSD only redirects UDP (over Ethernet[+VLAN]+IPv4/6) traffic to port 53. When using your own XDP program, it needs to define a BPF_MAP_TYPE_XSKMAP -named "xsks_map" and pin it (see \fBxdp-bpffs-path\fR) with read and write -permission for NSD. +named "xsks_map". .IP This option needs to be set, even when NSD is configured not to load the specified XDP program (see \fBxdp-program-load\fR), to be able to determine the -XSKMAP structure. Default is "@sharedfilesdir@/xdp-dns-redirect_kern.o". +XSKMAP structure. In this case your XDP program needs to pin the above +mentioned map in a bpffs (see \fBxdp-bpffs-path\fR). +.IP +Default is "@sharedfilesdir@/xdp-dns-redirect_kern.o". .TP .B xdp\-program\-load:\fR Specify whether NSD should load the XDP program. If set to no, you need to load the XDP program yourself. Default is yes, if xdp-interface is set. .TP .B xdp\-bpffs\-path:\fR -The path to the bpffs to store/read the xsks_map pin. NSD needs to have -read/write access to the specified bpffs. The default of libbpf (/sys/fs/bpf) -usually doesn't have the necessary permissions set for non-root users. -Either set the necessary permissions or mount your own bpffs. -Default is "", letting libbpf decide the default path. +The path to the bpffs to store/read the xsks_map pin. If NSD loads an XDP +program that specifies to pin its map, you will have to unlink the map yourself +when exiting NSD, as NSD won't be able to unpin the map after dropping +privileges. Alternatively, you could mount a custom bpffs and allow the nsd +user to delete files in that directory. +.IP +Default is "/sys/fs/bpf". .\" xdpend .SS "Remote Control" The 
diff --git a/options.c b/options.c
index 648097f1..e98282cb 100644
--- a/options.c
+++ b/options.c
@@ -163,7 +163,7 @@ nsd_options_create(region_type* region)
 opt->xdp_interface = NULL;
 opt->xdp_program_path = SHAREDFILESDIR"/xdp-dns-redirect_kern.o";
 opt->xdp_program_load = 1;
- opt->xdp_bpffs_path = NULL;
+ opt->xdp_bpffs_path = "/sys/fs/bpf";
 #endif
 opt->verify_enable = 0;
diff --git a/xdp-server.c b/xdp-server.c
index a63c304c..19ea1b11 100644
--- a/xdp-server.c
+++ b/xdp-server.c
@@ -282,11 +282,7 @@ static int load_xdp_program_and_map(struct xdp_server *xdp) {
 char map_path[PATH_MAX];
 int fd;
- if (xdp->bpf_bpffs_path)
- snprintf(map_path, PATH_MAX, "%s/%s", xdp->bpf_bpffs_path, "xsks_map");
- else
- /* document this behaviour, as the current documentation states that bpffs path is chosen by libbpf */
- snprintf(map_path, PATH_MAX, "%s", "/sys/fs/bpf/xsks_map");
+ snprintf(map_path, PATH_MAX, "%s/%s", xdp->bpf_bpffs_path, "xsks_map");
 fd = bpf_obj_get(map_path);
 if (fd < 0) {
@@ -507,7 +503,13 @@ int xdp_server_cleanup(struct xdp_server *xdp) {
 if (xdp->bpf_prog_should_load) {
 if (xdp->xsk_map && bpf_map__is_pinned(xdp->xsk_map)) {
 if (bpf_map__unpin(xdp->xsk_map, NULL)) {
- log_msg(LOG_ERR, "xdp: failed to unpin bpf map during cleanup: \"%s\"\n",
+ /* We currently ship an XDP program that doesn't pin the map. So
+ * if this error happens, it is because the user specified their
+ * custom XDP program to load by NSD. Therefore they should know
+ * about the pinned map and be able to unlink it themselves.
+ */
+ log_msg(LOG_ERR, "xdp: failed to unpin bpf map during cleanup: \"%s\". "
+ "This is usually ok, but you need to unpin the map yourself.\n",
 strerror(errno));
 ret = -1;
 }
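Review bot: The now-unconditional `snprintf` in load_xdp_program_and_map passes `xdp->bpf_bpffs_path` to `%s` with no NULL guard and ignores the return value, so an over-long configured path is silently truncated and `bpf_obj_get` then opens a different path than the operator configured. The non-NULL assumption rests on the new default in the options.c hunk of this commit and on whatever code copies or overrides that option, none of which is visible here. I would capture the result, `int n = snprintf(map_path, sizeof map_path, "%s/xsks_map", xdp->bpf_bpffs_path);`, and bail out when `n < 0 || (size_t)n >= sizeof map_path` before calling `bpf_obj_get`. The function body starts and ends outside the hunk, so the appropriate error return is not visible from here.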
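Review bot: The new message in xdp_server_cleanup tells the operator to unpin the map themselves but never says which path to unlink, and it calls the failure "usually ok" while still logging at LOG_ERR and setting `ret = -1`. A pin left behind matters because load_xdp_program_and_map appears to open the map by name with `bpf_obj_get` from the same bpffs, so a stale `xsks_map` should be easy for the operator to find and remove. I would add the pin path to the message, for example a further `%s` fed by `bpf_map__pin_path(xdp->xsk_map)`, and make the severity and the wording agree with each other. The function continues outside the hunk.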