Re: [PATCH bpf-next v2 00/13] bpfilter

On 8/29/21 12:35 PM, Dmitrii Banshchikov wrote:
> The patchset is based on the patches from David S. Miller [1] and
> Daniel Borkmann [2].
>
> The main goal of the patchset is to prepare bpfilter for
> iptables' configuration blob parsing and code generation.

The referenced patches are from 2018. Since then, and since this is bpf-next, places like [1] indicate that we are moving on from iptables towards nftables.

Any thoughts?

[1] https://wiki.archlinux.org/title/Iptables


> The patchset introduces data structures and code for matches,
> targets, rules and tables. Besides that, the code generation
> is introduced.
>
> The first version of the code generation supports only "inline"
> mode - all chains and their rules emit instructions in a linear
> approach. The plan for the code generation is to introduce a
> bpf_map_for_each subprogram that will handle all rules that
> aren't generated in inline mode due to the verifier's limit. This
> shall allow handling arbitrarily large rule sets.
>
> Things that are not implemented yet:
>    1) The process of switching from the previous BPF programs to the
>       new set isn't atomic.
>    2) The code generation for the FORWARD chain isn't supported.
>    3) Counters setsockopts() are not handled.
>    4) No support for device ifindex - it's hardcoded.
>    5) No helper subprog for counters update.
>
> Another problem is using iptables' blobs for tests and filter
> table initialization. While it saves lines, something more
> maintainable should be done here.
>
> The plan for the next iteration:
>    1) Handle large rule sets via bpf_map_for_each
>    2) Add a helper program for counters update
>    3) Handle iptables' counters setsockopts()
>    4) Handle ifindex
>    5) Add TCP match
>
> Patch 1 adds definitions of the used types.
> Patch 2 adds logging to bpfilter.
> Patch 3 adds the bpfilter header to tools.
> Patch 4 adds an associative map.
> Patch 5 adds the code generation basis.
> Patches 6/7/8/9 add code for matches, targets, rules and table.
> Patch 10 adds code generation for the table.
> Patch 11 handles hooked setsockopt(2) calls.
> Patch 12 adds the filter table.
> Patch 13 uses the prepared code in main().


...


> 1. https://lore.kernel.org/patchwork/patch/902785/
> 2. https://lore.kernel.org/patchwork/patch/902783/
> 3. https://kernel.ubuntu.com/~cking/stress-ng/stress-ng.pdf
