From: Florian Westphal <fw@strlen.de>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: "Florian Westphal" <fw@strlen.de>,
"Daniel Borkmann" <daniel@iogearbox.net>,
"Andrii Nakryiko" <andrii@kernel.org>,
"Martin KaFai Lau" <martin.lau@linux.dev>,
"David S. Miller" <davem@davemloft.net>,
"Jakub Kicinski" <kuba@kernel.org>,
"Network Development" <netdev@vger.kernel.org>,
"Toke Høiland-Jørgensen" <toke@kernel.org>,
netfilter-devel <netfilter-devel@vger.kernel.org>,
bpf <bpf@vger.kernel.org>
Subject: Re: [PATCH nf-next] netfilter: nf_tables: add ebpf expression
Date: Fri, 2 Sep 2022 19:52:16 +0200 [thread overview]
Message-ID: <20220902175216.GB4165@breakpoint.cc> (raw)
In-Reply-To: <CAADnVQJUDcahx2R58zEPNi_uRdgUNtKKUTqndDY-NVd03pB_+Q@mail.gmail.com>
Alexei Starovoitov <alexei.starovoitov@gmail.com> wrote:
> > See my reply to Alexey, immediate goal was to get rid of the indirect
> > calls by providing a tailored/jitted equivalent of nf_hook_slow().
> >
> > The next step could be to allow implementation of netfilter hooks
> > (i.e., kernel modules that call nf_register_net_hook()) in bpf
> > but AFAIU it requires addition of BPF_PROG_TYPE_NETFILTER etc.
>
> We were adding new prog and maps types in the past.
> Now new features are being added differently.
> All of the networking either works with sk_buff-s or xdp frames.
> We try hard not to add any new uapi helpers.
> Everything is moving to kfuncs.
> Other sub-systems should be able to use bpf without touching
> the bpf core. See hid-bpf as an example.
> It needs several verifier improvements, but doesn't need
> new prog types, helpers, etc.
I don't see how it can be done without a new prog type, the bpf progs
would need access to "nf_hook_state" struct, passed as argument
to nf_hook_slow() (and down to the individual xt_foo modules...).
We can't change the existing netfilter hook prototype to go by
sk_buff * as that doesn't have all information, most prominent are
the input and output net_device, but also okfn is needed for async
reinject (nf_queue), the hook location and so on.
> > After that, yes, one could think about how to jit nft_do_chain() and
> > all the rest of the nft machinery.
>
> Sounds like a ton of work. All that just to accelerate nft a bit?
> I think there are more impactful projects to work on.
> For example, accelerating classic iptables with bpf would immediately
> help a bunch of users.
Maybe, but from the problem points and the required effort it doesn't matter
if the chosen target is iptables or nftables; as far as the time/effort
needed I'd say they are identical.
The hard issues that need to be solved first are the same; they reside
in the netfilter core and not in the specific interpreter (nft_do_chain
vs. ipt_do_table and friends).
nf_tables might be *slightly* easier once that point would be reached
because the core functionality is more integrated with nf_tables whereas
in iptables there is more copypastry (ipt_do_table, ip6t_do_table,
ebt_do_table, ...).
next prev parent reply other threads:[~2022-09-02 17:52 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-31 10:16 [PATCH nf-next] netfilter: nf_tables: add ebpf expression Florian Westphal
2022-08-31 12:13 ` Toke Høiland-Jørgensen
2022-08-31 12:56 ` Florian Westphal
2022-08-31 13:41 ` Toke Høiland-Jørgensen
2022-08-31 13:57 ` Florian Westphal
2022-08-31 14:43 ` Toke Høiland-Jørgensen
2022-08-31 15:09 ` Pablo Neira Ayuso
2022-08-31 15:35 ` Florian Westphal
2022-08-31 20:38 ` Pablo Neira Ayuso
2022-08-31 15:26 ` Florian Westphal
2022-08-31 15:39 ` Alexei Starovoitov
2022-08-31 15:53 ` Florian Westphal
2022-08-31 17:26 ` Alexei Starovoitov
2022-08-31 21:49 ` Daniel Borkmann
2022-09-01 5:18 ` Eyal Birger
2022-09-02 16:53 ` Alexei Starovoitov
2022-09-05 17:50 ` Eyal Birger
2022-09-01 10:14 ` Florian Westphal
2022-09-02 17:06 ` Alexei Starovoitov
2022-09-02 17:52 ` Florian Westphal [this message]
2022-08-31 21:57 ` Florian Westphal
2022-09-06 6:57 ` Nicolas Dichtel
2022-09-07 3:04 ` Alexei Starovoitov
2022-09-07 15:52 ` Nicolas Dichtel
2022-09-01 8:08 ` Jan Engelhardt
2022-08-31 20:44 ` Toke Høiland-Jørgensen
2022-08-31 13:44 ` Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220902175216.GB4165@breakpoint.cc \
--to=fw@strlen.de \
--cc=alexei.starovoitov@gmail.com \
--cc=andrii@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=kuba@kernel.org \
--cc=martin.lau@linux.dev \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=toke@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.