Problem
set_config() applies updates per subsystem. Each subsystem may successfully commit changes to kernel BPF maps before a later subsystem fails. On failure, earlier subsystems remain applied in kernel state, but config_ is not updated.
This breaks consistency: kernel state != config_
When it happens
After partial failure during kernel apply stage, despite full pre-validation of the input configuration.
Typical failure points: ENOMEM in system, ENOSPC in maps.
These errors can occur after partial successful writes to kernel maps (map consistency is guaranteed through other mechanisms).
Current behavior
Some subsystems are committed to kernel state
Later subsystem fails
config_ remains unchanged (old version)
Expected behavior
After failure: config_ == last successfully committed kernel state
Impact
userspace state is stale
kernel state is partially updated but not reflected in config_
future diffs may be computed from outdated baseline
Fix
Incrementally update config_ after each successful subsystem commit to reflect actual kernel state.
Problem
set_config() applies updates per subsystem. Each subsystem may successfully commit changes to kernel BPF maps before a later subsystem fails. On failure, earlier subsystems remain applied in kernel state, but config_ is not updated.
This breaks consistency: kernel state != config_
When it happens
After partial failure during kernel apply stage, despite full pre-validation of the input configuration.
Typical failure points: ENOMEM in system, ENOSPC in maps.
These errors can occur after partial successful writes to kernel maps (map consistency is guaranteed through other mechanisms).
Current behavior
Some subsystems are committed to kernel state
Later subsystem fails
config_ remains unchanged (old version)
Expected behavior
After failure: config_ == last successfully committed kernel state
Impact
userspace state is stale
kernel state is partially updated but not reflected in config_
future diffs may be computed from outdated baseline
Fix
Incrementally update config_ after each successful subsystem commit to reflect actual kernel state.