From: Eyal Birger <eyal.birger@gmail.com>
To: Daniel Borkmann <daniel@iogearbox.net>,
	Alexei Starovoitov <alexei.starovoitov@gmail.com>,
	Florian Westphal <fw@strlen.de>
Cc: "Andrii Nakryiko" <andrii@kernel.org>,
	"Martin KaFai Lau" <martin.lau@linux.dev>,
	"David S. Miller" <davem@davemloft.net>,
	"Jakub Kicinski" <kuba@kernel.org>,
	"Network Development" <netdev@vger.kernel.org>,
	"Toke Høiland-Jørgensen" <toke@kernel.org>,
	netfilter-devel <netfilter-devel@vger.kernel.org>,
	bpf <bpf@vger.kernel.org>,
	"Shmulik Ladkani" <shmulik.ladkani@gmail.com>
Subject: Re: [PATCH nf-next] netfilter: nf_tables: add ebpf expression
Date: Thu, 1 Sep 2022 08:18:20 +0300	[thread overview]
Message-ID: <CAHsH6GtCgb1getXASkqzN75cNfm7_GOg8Mng5ZY37yK99XBVMQ@mail.gmail.com> (raw)
In-Reply-To: <1cc40302-f006-31a7-b270-30813b8f4b67@iogearbox.net>

On Thu, Sep 1, 2022 at 1:16 AM Daniel Borkmann <daniel@iogearbox.net> wrote:
>
> On 8/31/22 7:26 PM, Alexei Starovoitov wrote:
> > On Wed, Aug 31, 2022 at 8:53 AM Florian Westphal <fw@strlen.de> wrote:
> >> Alexei Starovoitov <alexei.starovoitov@gmail.com> wrote:
> >>>> 1 and 2 have the upside that it's easy to handle a 'file not found'
> >>>> error.
> >>>
> >>> I'm strongly against calling into bpf from the inner guts of nft.
> >>> Nack to all options discussed in this thread.
> >>> None of them make any sense.
> >>
> >> -v please.  I can just rework userspace to allow going via xt_bpf
> >> but it's brain damaged.
> >
> > Right. xt_bpf was a dead end from the start.
> > It's time to deprecate it and remove it.
> >
> >> This helps gradually moving towards more ebpf for those that
> >> still heavily rely on the classic forwarding path.
> >
> > No one is using it.
> > If it was, we would have seen at least one bug report over
> > all these years. We've seen none.
> >
> > tbh we had a fair share of wrong design decisions that look
> > very reasonable early on and turned out to be useless with
> > zero users.
> > BPF_PROG_TYPE_SCHED_ACT and BPF_PROG_TYPE_LWT*
> > are in this category.
> > All this code does is bit rot.
>
> +1
>
> > As a minimum we shouldn't step on the same rakes.
> > xt_ebpf would be the same dead code as xt_bpf.
>
> +1, and on top, the user experience will just be horrible. :(
>
> >> If you are open to BPF_PROG_TYPE_NETFILTER I can go that route
> >> as well, raw bpf program attachment via NF_HOOK and the bpf dispatcher,
> >> but it will take significantly longer to get there.
> >>
> >> It involves reviving
> >> https://lore.kernel.org/netfilter-devel/20211014121046.29329-1-fw@strlen.de/
> >
> > I missed it earlier. What is the end goal ?
> > Optimize nft run-time with on the fly generation of bpf byte code ?
>
> Or rather to provide a pendant to nft given existence of xt_bpf, and the
> latter will be removed at some point? (If so, can't we just deprecate the
> old xt_bpf?)

FWIW we've been using both lwt bpf and xt_bpf on our production workloads
for a few years now.

xt_bpf allows us to apply custom sophisticated policy logic at connection
establishment - which is not really possible (or efficient) using
iptables/nft constructs - without needing to reinvent all the facilities that
nf provides like connection tracking, ALGs, and simple filtering.

As for lwt bpf, we use it for load balancing towards collect md tunnels.
While this can be done at tc egress for unfragmented packets, the lwt out hook -
when used in tandem with nf fragment reassembly - provides a hooking point
where a bpf program can see reassembled packets and load balance based on
their internals.

Eyal.
