On 4/18/24 14:13, William N. wrote:
> On Wed, 17 Apr 2024 20:25:51 +0000 Serg wrote:
>
>> Your question is too broad,
>
> Yes, because the subject itself is broad and I am trying to figure the
> general idea correctly. AFAIU, it is performance.
>
>> However, for high-performance scenarios, XDP is a better alternative
>> to nftables.
>
> After reading your reply, I did more reading. A few interesting links
> (out of many which I read) from this additional research:
>
> https://cilium.io/blog/2018/04/17/why-is-the-kernel-community-replacing-iptables/
> https://github.com/mbertrone/bpf-iptables
> https://www.phoronix.com/news/BPFILTER-2021
>
> IIUC, there is this general long-term idea to move from
> iptables/nftables rules to BPF (bpfilter), thus gaining performance and
> there have been PoCs about that back in 2018. I could not find info
> about how this has actually progressed (as it would really not be fun
> to write firewall rules in C, parallel to using nftables).
>
> What can you tell me about that?
> How suitable is Cilium for SOHO needs?

Very suitable if and only if you have multiple containers running on the
same device, so it depends on your definition of SOHO.

> Is bpfilter practical or not yet? Any documentation about it?
> Am I looking at the wrong things?

Regarding bpfilter, have a look at Quentin's LPC talk:

https://lpc.events/event/17/contributions/1589/

So the basic idea is to maintain the iptables and/or nftables interface
and "just" translate them to BPF in the back. So no need to write C if
you don't want to.

Greetings,
Florian