Quentin Deslandes qde@naccy.de wrote:
> The patchset is based on the patches from David S. Miller [1], Daniel Borkmann [2], and Dmitrii Banshchikov [3].
> Note: I've partially sent this patchset earlier due to a mistake on my side, sorry for the noise.
> The main goal of the patchset is to prepare bpfilter for iptables' configuration blob parsing and code generation.
> The patchset introduces data structures and code for matches, targets, rules and tables. Besides that, the code generation is introduced.
> The first version of the code generation supports only "inline" mode - all chains and their rules emit instructions in a linear approach.
> Things that are not implemented yet:
> - The process of switching from the previous BPF programs to the new set isn't atomic.
You can't make this atomic from a userspace perspective; the get/setsockopt API of iptables uses a read-modify-write model.
Tentatively I'd try to extend libnftnl and generate bpf code there, since it's used by both iptables(-nft) and nftables we'd automatically get support for both.
I was planning to look into "attach bpf progs to raw netfilter hooks" in Q1 2023, once the initial nf-bpf-codegen is merged.