Toke Høiland-Jørgensen <toke@xxxxxxxxxx> wrote:
> So IIUC correctly, this would all be controlled by userspace anyway (by
> the nft binary), right? In which case, couldn't userspace also provide
> the reference to the right flowtable instance, by sticking it into a bpf
> map? We'd probably need some special handling on the UAPI side to insert
> a flowtable pointer, but from the BPF side it could just look like a
> kptr in a map that the program pulls out and passes to the lookup kfunc.
> And the map would take a refcnt, making sure the table doesn't disappear
> underneath the XDP program. It could even improve performance since
> there would be one less hashtable lookup.

That requires kernel changes. Not only are flowtables not refcounted at
this time, we also have no unique identifier in the uapi; only a
combination (table name, family, flowtable name, OR table name and
handle id).

Also, all of netfilter userland is network namespaced, so the same keys
can exist in different net namespaces.