Quentin Deslandes <qde@xxxxxxxx> wrote:
> The patchset is based on the patches from David S. Miller [1],
> Daniel Borkmann [2], and Dmitrii Banshchikov [3].
>
> Note: I've partially sent this patchset earlier due to a
> mistake on my side, sorry for the noise.
>
> The main goal of the patchset is to prepare bpfilter for
> iptables' configuration blob parsing and code generation.
>
> The patchset introduces data structures and code for matches,
> targets, rules and tables. Besides that, the code generation
> is introduced.
>
> The first version of the code generation supports only "inline"
> mode - all chains and their rules emit instructions in a linear
> approach.
>
> Things that are not implemented yet:
> 1) The process of switching from the previous BPF programs to the
> new set isn't atomic.

You can't make this atomic from a userspace perspective; the get/setsockopt API of iptables uses a read-modify-write model.

Tentatively I'd try to extend libnftnl and generate bpf code there, since it's used by both iptables(-nft) and nftables we'd automatically get support for both.

I was planning to look into "attach bpf progs to raw netfilter hooks" in Q1 2023, once the initial nf-bpf-codegen is merged.