xdp-filter deny mode (IP) filtering stops working randomly

[mscdex]

I have an x86-64 VM running kernel 5.15.67 with two virtio_net network interfaces. Only one of the interfaces uses xdp-filter with the xdpfilt_dny_ip program (compiled using clang 11). I'm using xdp-tools v1.2.8.

I have a program that automates the adding and removing of IPs to/from the filter (by calling out to xdp-filter appropriately) and at some point the packets just get magically lost. When this happens, xdp-filter status typically still shows the packets passing the filter (as evidenced by the XDP_PASS stats counter), however my program (that's listening on 0.0.0.0) never sees the packets on the interface. Definitely if I xdp-filters unload <interface> and restart the program I will see the packets again and sometimes if i re-xdp-filters load ... things will work again, but not all the time.

So I'm at a bit of a loss here as to what's causing it or even what exactly triggers the issue. I've already tried adding -v -v when loading and unloading the filter and adding and removing IPs, but nothing out of the ordinary shows up. There is a note printed when the load happens about virtio_net only having one queue instead of two, so TX and something else will be slower, but that's about it.

Additionally, I've seen some instances where the /sys/fs/bpf/xdp-filter/programs is empty, even when xdp-filter status still shows stats and filtered IPs (I can't remember if it still showed the program as loaded though when this situation occurred).

[tohojo]

Hmm, if the stats are incremented it sounds like xdp-filter is technically working as it should; so sounds like a driver bug? Does this only happen if you continuously add and remove rules, or does it just stop working after a while even if you only load xdp-filter once and then just let it run?