On 27/12/2022 at 19:22, Alexei Starovoitov wrote:
On Sat, Dec 24, 2022 at 01:03:46AM +0100, Quentin Deslandes wrote:
Due to poor hardware availability on my side, I've not been able to benchmark those changes. I plan to get some numbers for the next iteration.
Yeah. Performance numbers would be my main question :)
Hardware is on the way! :)
FORWARD filter chain is now supported, however, it's attached to TC INGRESS along with INPUT filter chain. This is due to XDP not supporting multiple programs to be attached. I could generate a single program out of both INPUT and FORWARD chains, but that would prevent another BPF program to be attached to the interface anyway. If a solution exists to attach both those programs to XDP while allowing for other programs to be attached, it requires more investigation. In the meantime, INPUT and FORWARD filtering is supported using TC.
I think we can ignore XDP chaining for now assuming that Daniel's bpf_link-tc work will be applicable to XDP as well, so we'll have a simple chaining for XDP eventually.
As far as attaching to TC... I think it would be great to combine bpfilter codegen and attach to Florian's bpf hooks exactly at netfilter. See https://git.breakpoint.cc/cgit/fw/nf-next.git/commit/?h=nf_hook_jit_bpf_29&a... With nf_hook_ingress() calling either into classic iptable or into bpf_prog_run_nf which is either generated by Florian's optimizer of nf chains or into bpfilter generated code would be ideal.
That sounds interesting. If my understanding is correct, Florian's work doesn't yet allow for userspace-generated programs to be attached, which will be required for bpfilter.