Re: [PATCH bpf-next v3 00/16] bpfilter

[Quentin Deslandes]

Le 27/12/2022 à 19:22, Alexei Starovoitov a écrit :
> On Sat, Dec 24, 2022 at 01:03:46AM +0100, Quentin Deslandes wrote:
> > Due to poor hardware availability on my side, I've not been able to
> > benchmark those changes. I plan to get some numbers for the next iteration.
>
> Yeah. Performance numbers would be my main question :)

Hardware is on the way! :)

> > FORWARD filter chain is now supported, however, it's attached to
> > TC INGRESS along with INPUT filter chain. This is due to XDP not supporting
> > multiple programs to be attached. I could generate a single program
> > out of both INPUT and FORWARD chains, but that would prevent another
> > BPF program to be attached to the interface anyway. If a solution
> > exists to attach both those programs to XDP while allowing for other
> > programs to be attached, it requires more investigation. In the meantime,
> > INPUT and FORWARD filtering is supported using TC.
>
> I think we can ignore XDP chaining for now assuming that Daniel's bpf_link-tc work
> will be applicable to XDP as well, so we'll have a simple chaining
> for XDP eventually.
>
> As far as attaching to TC... I think it would be great to combine bpfilter
> codegen and attach to Florian's bpf hooks exactly at netfilter.
> See
> https://git.breakpoint.cc/cgit/fw/nf-next.git/commit/?h=nf_hook_jit_bpf_29&id=0c1ec06503cb8a142d3ad9f760b72d94ea0091fa
> With nf_hook_ingress() calling either into classic iptable or into bpf_prog_run_nf
> which is either generated by Florian's optimizer of nf chains or into
> bpfilter generated code would be ideal.

That sounds interesting. If my understanding is correct, Florian's
work doesn't yet allow for userspace-generated programs to be attached,
which will be required for bpfilter.