Le 03/01/2023 à 12:45, Florian Westphal a écrit :
Quentin Deslandes qde@naccy.de wrote:
The patchset is based on the patches from David S. Miller [1], Daniel Borkmann [2], and Dmitrii Banshchikov [3].
Note: I've partially sent this patchset earlier due to a mistake on my side, sorry for then noise.
The main goal of the patchset is to prepare bpfilter for iptables' configuration blob parsing and code generation.
The patchset introduces data structures and code for matches, targets, rules and tables. Beside that the code generation is introduced.
The first version of the code generation supports only "inline" mode - all chains and their rules emit instructions in linear approach.
Things that are not implemented yet:
- The process of switching from the previous BPF programs to the new set isn't atomic.
You can't make this atomic from userspace perspective, the get/setsockopt API of iptables uses a read-modify-write model.
This refers to updating the programs from bpfilter's side. It won't be atomic from iptables point of view, but currently bpfilter will remove the program associated to a table, before installing the new one. This means packets received in between those operations are not filtered. I assume a better solution is possible.
Tentatively I'd try to extend libnftnl and generate bpf code there, since its used by both iptables(-nft) and nftables we'd automatically get support for both.
That's one of the option, this could also remain in the kernel tree or in a dedicated git repository. I don't know which one would be the best, I'm open to suggestions.
I was planning to look into "attach bpf progs to raw netfilter hooks" in Q1 2023, once the initial nf-bpf-codegen is merged.
Is there any plan to support non raw hooks? That's mainly out of curiosity, I don't even know whether that would be a good thing or not.