On 18/04/2024 17:32, William N. wrote:
> On Thu, 18 Apr 2024 16:11:13 +0200 Florian Kauer wrote:
>
>> So the basic idea is to maintain the iptables and/or nftables
>> interface and "just" translate them to BPFs in the back. So no need
>> to write C if you don't want to.

That's the idea. bpfilter is the back-end working transparently to convert nftables (or iptables) rules into BPF program(s).

Florian Westphal expressed interest a few months ago to offload nftables rules into XDP using bpfilter, so I implemented it. While nftables doesn't support bpfilter officially, my fork [0] enables the --bpf flag to send the Netlink requests to the bpfilter daemon instead of the kernel.

nftables support is still early, but you can filter on IP and ports, and bpfilter will create and attach an XDP program to your system.

> Then nftables can be used against DDoS with the BPF performance, right?
>
> Has this made it to the mainline kernel or it is still something
> experimental?
>

The project is still under heavy development, but there was a lot to do in the background. There are a lot more changes planned in the coming months to extend its capabilities.

See:
- https://github.com/facebook/bpfilter
- My talk at LPC 2023: https://www.youtube.com/watch?v=J5Hm6PrJWI4&t=27649s
- (Growing) documentation: https://facebook.github.io/bpfilter/index.html

Feel free to reach out if you want to know more :)

[0]: https://github.com/qdeslandes/nftables/tree/bpfilter_support

Regards,
Quentin Deslandes