|
|
Subscribe / Log in / New account

Network filtering for control groups

Network filtering for control groups

Posted Aug 25, 2016 16:49 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)
Parent article: Network filtering for control groups

Yeah, it would be nice to actually remove netfilter and replace it with EBPF-based system.

to post comments

Network filtering for control groups

Posted Aug 25, 2016 17:04 UTC (Thu) by nybble41 (subscriber, #55106) [Link]

> Yeah, it would be nice to actually remove netfilter and replace it with EBPF-based system.

Isn't that what nftables was supposed to do?

I see that nftables uses its own VM rather than eBPF, but the main objection to just using eBPF seemed to be simply that with eBPF you can only replace the entire program, not individual rules. It appears to me that this could be handled by treating the nftables VM as an intermediate language and employing a user-mode helper program to compile the rules down to eBPF whenever they change.

The same mechanism would presumably integrate well with this new infrastructure to attach an eBPF filter to a control group.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds