On Thu, 18 Apr 2024, at 4:32 PM, William N. wrote:
> On Thu, 18 Apr 2024 16:11:13 +0200 Florian Kauer wrote:
>
>> So the basic idea is to maintain the iptables and/or nftables
>> interface and "just" translate them to BPFs in the back. So no need
>> to write C if you don't want to.
>
> Then nftables can be used against DDoS with the BPF performance, right?
>
> Has this made it to the mainline kernel or it is still something
> experimental?

See:

http://vger.kernel.org/bpfconf2023_material/bpfilter.pdf
https://www.socallinuxexpo.org/sites/default/files/presentations/Scale21x.pdf

Also:

https://facebook.github.io/bpfilter/index.html
https://github.com/qdeslandes/iptables
https://github.com/qdeslandes/nftables/tree/bpfilter_support

The latter two links are for Deslandes' forks of iptables and nftables. I don't know what Meta are using behind the scenes but both appear to be highly experimental.

--
Kerin Millar