Hi Daniel, On Mon, Feb 19, 2018 at 08:57:39PM +0100, Daniel Borkmann wrote: > On 02/19/2018 05:37 PM, Pablo Neira Ayuso wrote: > [...] > > * Simplified infrastructure: We don't need the ebpf verifier complexity > > either given we trust the code we generate from the kernel. We don't > > need any complex userspace tooling either, just libnftnl and nft > > userspace binaries. > > > > * Hardware offload: We can use this to offload rulesets to the only > > smartnic driver that we have in the tree that already implements bpf > > offload, hence, we can reuse this work already in place. > > In addition Dave's points, regarding the above two, this will also only > work behind the verifier since NIC offloading piggy-backs on the verifier's > program analysis to prepare and generate a dev specific JITed BPF > prog, so it's not the same as normal host JITs (and there, the cBPF -> > eBPF in kernel migration adds a lot of headaches already due to > different underlying assumptions coming from the two flavors, even > if both are eBPF insns in the end), and given this, offloading will > also only work for eBPF and not cBPF. We also have a large range of TCAM based hardware offload outthere that will _not_ work with your BPF HW offload infrastructure. What this bpf infrastructure pushes into the kernel is just a blob expressing things in a very low-level instruction-set: trying to find a mapping of that to typical HW intermediate representations in the TCAM based HW offload world will be simply crazy. > There's a lot more the verifier is doing internally, like performing > various different program rewrites from the context, for helpers > (e.g. inlining), and for internal insn mappings that are not exposed > (e.g. in calls), so we definitely need to go through it. If we need to call the verifier from the kernel for the code that we generate there for this initial stage, that should be not an issue. The BPF interface is lacking many of the features and flexibility we have in netlink these days, and it is only allowing for monolitic ruleset replacement. This approach also loses internal rule stateful information that we're doing in the packet path when updating the ruleset. So it's taking us back to exactly the same mistakes we made in iptables back in the 90s as it's been mentioned already. So I just wish I can count with your help in this process, we can get the best of the two worlds by providing a subsystem that allows users to configure packet classification through one single interface, no matter if the policy representation ends up being in software or HW offloads, either TCAM or smartnic. Thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html