tc (from sys-apps/iproute2) fails to load BPF code

[alban]

Current situation
On alpha, 2605.0.0:

$ tc filter add dev bond0 egress bpf da obj mybpf.elf sec filter_egress
No ELF library support compiled in.

Impact
I cannot setup traffic control with BPF code using the iproute2 tools included in the Flatcar OS image.

Workaround
I can use tc from a container. Example:

docker run -ti --rm \
    --net=host \
    -v /:/host ubuntu \
    sh -c "apt-get update ; apt-get install -y iproute2 ; tc filter add dev bond0 egress bpf da obj /host/$PWD/mybpf.elf sec filter_egress"

Ideal future situation
tc is compiled with libelf and can load BPF programs.

Implementation options
See how to compile iproute2 with libelf:
https://github.com/shemminger/iproute2/blob/ea6aeeb90cdbabe0ddf9e30b183ba9ffbf0dbbba/configure#L232-L240

Additional information
Applications running in containers are not affected, since they normally include iptables with the compilation options they need.

Same bug in other distros:

• Alpine: https://gitlab.alpinelinux.org/alpine/aports/-/issues/5673
• Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812774
• Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=1290384

/cc @mauriciovasquezbernal

[dongsupark]

Right.
We should first update iproute2 to the latest version, like 5.7.
The current iproute2 4.13.0 does not have the USE flag elf at all.
Then we need to set the elf flag in coreos-overlay profiles.

[t-lo]

@alban what's a good generic way to verify tc supports loading ELF programs (without having mybpf.elf from your example available)?

[alban]

@t-lo you can still run the same command without the file mybpf.elf. If tc has the proper support, the error message will be different:

Error opening object mybpf.elf: No such file or directory
Cannot initialize ELF context!
Unable to load program

[t-lo]

Updated iproute2 to 5.8.0 and added ELF support.