Re: DoS/DDoS protection for end nodes

On 4/18/24 14:13, William N. wrote:
> On Wed, 17 Apr 2024 20:25:51 +0000 Serg wrote:
> 
>> Your question is too broad,
> 
> Yes, because the subject itself is broad and I am trying to figure out the
> general idea correctly. AFAIU, it is performance.
> 
>> However, for high-performance scenarios, XDP is a better alternative
>> to nftables.
> 
> After reading your reply, I did more reading. A few interesting links
> (out of many which I read) from this additional research:
> 
> https://cilium.io/blog/2018/04/17/why-is-the-kernel-community-replacing-iptables/
> https://github.com/mbertrone/bpf-iptables
> https://www.phoronix.com/news/BPFILTER-2021
> 
> IIUC, there is this general long-term idea to move from
> iptables/nftables rules to BPF (bpfilter), thus gaining performance and
> there have been PoCs about that back in 2018. I could not find info
> about how this has actually progressed (as it would really not be fun
> to write firewall rules in C, parallel to using nftables).
> 
> What can you tell me about that?
> How suitable is Cilium for SOHO needs?

Very suitable if and only if you have multiple containers running on the same device,
so it depends on your definition of SOHO.

> Is bpfilter practical or not yet? Any documentation about it?
> Am I looking at the wrong things?
> 

Regarding bpfilter have a look at Quentin's LPC talk:
https://lpc.events/event/17/contributions/1589/
So the basic idea is to maintain the iptables and/or nftables interface and "just" translate the rules to BPF in the back end. So there is no need to write C if you don't want to.

Greetings,
Florian
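
As an added illustration of the per-packet decision this thread is about (not code from the thread, from bpfilter or from Cilium): a user-space C model of the logic an XDP drop filter runs for a single "drop from source prefix" rule, the kind of rule bpfilter would generate from an iptables/nftables rule. The blocklist, the sample addresses and the `build_frame`, `xdp_decide` and `verdict_for` names are constructed here; a real XDP program receives a `struct xdp_md` and would keep the prefix list in a BPF map, but the bounds-checked header parsing is what such a program must do to pass the kernel verifier.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

/* Same values as XDP_DROP / XDP_PASS in <linux/bpf.h>, redefined so the
 * model builds without kernel headers. */
enum xdp_verdict { MODEL_XDP_DROP = 1, MODEL_XDP_PASS = 2 };

#define ETH_HLEN   14
#define ETH_P_IP   0x0800
#define IPV4_MINHL 20

/* One source prefix to drop, host byte order. Assumed equivalent nftables
 * rule:  ip saddr 203.0.113.0/24 drop  (bpfilter would emit BPF for it). */
struct blocked_prefix { uint32_t addr; uint32_t mask; };

/* Constructed blocklist: 203.0.113.0/24 is a documentation range (TEST-NET-3). */
static const struct blocked_prefix blocklist[] = {
    { 0xCB007100u, 0xFFFFFF00u },
};

static uint32_t read_be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Per-packet decision, written the way an XDP program has to be: every header
 * read is preceded by a bounds check against data_end, because the verifier
 * rejects programs that may read past the packet. Anything the filter cannot
 * parse is passed to the normal stack rather than dropped. */
int xdp_decide(const uint8_t *data, const uint8_t *data_end)
{
    if (data + ETH_HLEN > data_end)
        return MODEL_XDP_PASS;                 /* runt frame */
    uint16_t ethertype = (uint16_t)(data[12] << 8 | data[13]);
    if (ethertype != ETH_P_IP)
        return MODEL_XDP_PASS;                 /* IPv6, ARP, ...: out of scope here */

    const uint8_t *ip = data + ETH_HLEN;
    if (ip + IPV4_MINHL > data_end)
        return MODEL_XDP_PASS;                 /* truncated IPv4 header */
    if ((ip[0] >> 4) != 4)
        return MODEL_XDP_PASS;

    uint32_t saddr = read_be32(ip + 12);       /* source address at offset 12 */
    for (size_t i = 0; i < sizeof blocklist / sizeof blocklist[0]; i++)
        if ((saddr & blocklist[i].mask) == blocklist[i].addr)
            return MODEL_XDP_DROP;
    return MODEL_XDP_PASS;
}

/* Build a minimal Ethernet + IPv4 frame from a dotted source address.
 * Constructed test input; returns the frame length, or 0 on error. */
size_t build_frame(uint8_t *buf, size_t cap, const char *src_ip)
{
    const size_t len = ETH_HLEN + IPV4_MINHL;
    struct in_addr src;
    if (cap < len || inet_pton(AF_INET, src_ip, &src) != 1)
        return 0;
    memset(buf, 0, len);
    buf[12] = 0x08; buf[13] = 0x00;            /* EtherType IPv4 */
    uint8_t *ip = buf + ETH_HLEN;
    ip[0] = 0x45;                              /* version 4, IHL 5 */
    ip[3] = IPV4_MINHL;                        /* total length, no payload */
    ip[8] = 64;                                /* TTL */
    ip[9] = 17;                                /* protocol UDP, irrelevant here */
    memcpy(ip + 12, &src, 4);                  /* saddr, already network order */
    memcpy(ip + 16, "\xC0\x00\x02\x01", 4);    /* daddr 192.0.2.1 (TEST-NET-1) */
    return len;
}

/* Verdict for a full frame from src_ip; -1 if the address does not parse. */
int verdict_for(const char *src_ip)
{
    uint8_t frame[64];
    size_t n = build_frame(frame, sizeof frame, src_ip);
    return n ? xdp_decide(frame, frame + n) : -1;
}

/* Verdict when only the first `keep` bytes of the frame are present. */
int verdict_truncated(const char *src_ip, size_t keep)
{
    uint8_t frame[64];
    size_t n = build_frame(frame, sizeof frame, src_ip);
    if (!n || keep > n) return -1;
    return xdp_decide(frame, frame + keep);
}

int main(void)
{
    const char *samples[] = { "203.0.113.7", "198.51.100.1" };
    for (size_t i = 0; i < 2; i++)
        printf("%-14s -> %s\n", samples[i],
               verdict_for(samples[i]) == MODEL_XDP_DROP ? "XDP_DROP" : "XDP_PASS");
    return 0;
}
```

The design choice worth noting is that every unparseable case returns pass, not drop: an early-drop filter on an end node exists to shed a known flood cheaply, and anything it does not understand should still reach netfilter and the stack, where the fuller rule set applies.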
