Re: [RFC PATCH bpf-next 0/4] bpf: Introduce bpf_netpoll

[Jakub Kicinski <kuba@kernel.org>]

On Mon,  9 Mar 2026 13:16:31 +0000 Mahe Tardy wrote:
> This patch series introduces bpf_netpoll, a set of BPF kfuncs that allow
> BPF programs to send UDP packets via the netpoll infrastructure. This
> provides a mechanism for BPF programs (e.g., LSM hooks) to emit
> telemetry over UDP without depending on the regular networking stack.
> 
> For reference, this was discussed at LSF/MM/BPF 2025[^1] in Montreal,
> and again at Plumbers 2025 in Tokyo. Liam Wisehart mentioned this work
> during his presentation of BpfJailer[^2].
> 
> The main use case is to be able to completely dispense with
> agents/daemons for BPF programs after startup. In the case of
> Isovalent's Tetragon, the idea would be to be able to emit security
> alerts or export data from BPF even when the agent is down. For meta,
> according to Liam presentation[^2], this could replace logging via
> ringbuffers which created cross-binary versioning issues.
> 
> The implementation follows the established kfunc lifecycle pattern
> (create/acquire/release with refcounting, kptr map storage, dtor
> registration), for example used by the network bpf_crypto kfuncs.
> 
> Further patches would extend the bpf_netpoll_send kfunc to more program
> types. Note that network program types should not encounter recursion
> issues as netpoll bypasses the network stack and sends directly to the
> driver.

netpoll is a fairly constrained and tricky vehicle for sending data out.
Its built to export logs and crash info, not arbitrary (potentially high
rate) logs.

Plus you will still need user space components in any modern
deployments to establish security associations and/or add some sort of
"security proxy".

Long story short this may be a fun PoC to vibe code but architecturally
having a standard-ish exporter or something integrated with systemd
seems like a much better system architecture.