Andrii Nakryiko <andrii.nakryiko@xxxxxxxxx> writes: >> > So you install your libxdp-based firewalls and are happy. Then you >> > decide to install this awesome packet analyzer, which doesn't know >> > about libxdp yet. Suddenly, you get all packets analyzer, but no more >> > firewall, until users somehow notices that it's gone. Or firewall >> > periodically checks that it's still runinng. Both not great, IMO, but >> > might be acceptable for some users, I guess. But imagine all the >> > confusion for user, especially if he doesn't give a damn about XDP and >> > other buzzwords, but only needs a reliable firewall :) >> >> Yes, whereas if the firewall is using bpf_link, then the packet analyser >> will be locked out and can't do its thing. Either way you end up with a >> broken application; it's just moving the breakage. In the case of > > Hm... In one case firewall installation reported success and stopped > working afterwards with no notification and user having no clue. In > another, packet analyzer refused to start and reported error to user. > Let's agree to disagree that those are not at all equivalent. To me > silent failure is so much worse, than application failing to start in > the first place. Oh, sure, obvious failures are preferable to silent ones, do doubt about that. But for things to actually *work*, both applications need to agree on how to do things, which in practice means they'll need to use the same library. At which point you can solve this problem in the library. So again, I'm not saying the two are equivalent, I am just disagreeing with you about how big the benefit is. And sure, we can agree to disagree on that :) -Toke
