Re: [PATCH RFC 0/4] net: add bpfilter

[Florian Westphal <fw@strlen.de>]

David Miller <davem@davemloft.net> wrote:
> From: Florian Westphal <fw@strlen.de>
> Date: Mon, 19 Feb 2018 15:53:14 +0100
> 
> > Sure, but looking at all the things that were added to iptables
> > to alleviate some of the issues (ipset for instance) show that we need a
> > meaningful re-design of how things work conceptually.
> 
> As you said iptables is in maintainenance mode.
> 
> But there are millions upon millions of users, like it or not, and
> they aren't going away for decades.  And this is the iptables binary
> ABI I'm talking about, not the iptables user command line interface.

I know.

> my house?"  Please see further than the view inside your home. 
> 
> By in large, we are stuck with iptables's data path for an extremely
> long time.

So?

> Major data centers doesn't even enable NFTABLES in their kernels, and
> there is nothing you can do about that in the short to medium term.

So?

> Therefore, for all of the beneficial reasons I have discussed we
> should make that datapath as aligned and integrated with our core
> important technologies as possible, so that they can benefit from any
> and all improvements in that area rather than just collecting dust.

See my other mail, where I explained, in great detail, the problems
of the xtables UAPI.

If you go through with this, and, eventually somehow get feature parity,
all of the problems remain in full effect.
You will also need to replicate the translation efforts that already
went into nftables.  The translator wasn't yet a high priority as we
lacked some features but this can be changed now that nft is catching
up.

Userspace program expectation is for iptables to be like fib for
instance, i.e. you can add and remove without stomping on each others
feet.  You are setting this in stone.

You're also adding a way to make it so that I can delete entries from
the fib (bpfilter) but iproute2 will still show all entries (iptables
legacy).