
BPF comes to firewalls

Posted Feb 20, 2018 12:19 UTC (Tue) by bernat (subscriber, #51658)
In reply to: BPF comes to firewalls by eahay
Parent article: BPF comes to firewalls

It will download the whole ruleset from the kernel, modify it to add/remove the single rule and upload it again. When your ruleset becomes huge, adding/removing a single rule takes a significant time.


BPF comes to firewalls

Posted Feb 24, 2018 20:07 UTC (Sat) by kleptog (subscriber, #1183)

Well that explains things... I heard someone mumbling about how iptables updates can get lost and I couldn't see how, until now.

In any case, if we do firewall rules as BPF we end up with the same problem surely? The performance improvement would be that you can pass your firewall through a compiler/optimiser to make it more efficient, but as a side effect you end up with the same problem, namely, to update a single rule you need to replace the whole program. Only now you've added an optimise step in between.

Unless you change your API to a transactional one where you can send updates and get a confirmation asynchronously and the backend is smart enough to avoid actually updating the kernel for every change.
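The two mechanisms discussed in this thread, a client that downloads, edits and re-uploads the whole ruleset (and so can silently overwrite a concurrent change), and a transactional front end that refuses stale uploads and batches many changes into one kernel update, are easy to see in a small simulation. The code below is an added example and not part of the thread; `FakeKernel`, `StaleRulesetError`, the generation counter and the sample rule strings are constructed for illustration and do not model how iptables or nftables actually talk to the kernel.

```python
"""Constructed simulation of the two points raised in this thread: a client
that downloads, edits and re-uploads the whole ruleset can lose a concurrent
update, and a transactional/batching front end avoids both the lost update
and one full upload per rule. FakeKernel, StaleRulesetError and the
generation counter are hypothetical; real iptables/nftables work differently."""
from dataclasses import dataclass
from typing import Iterator, List, Tuple

Rule = str


class StaleRulesetError(RuntimeError):
    """Upload was based on a snapshot that another client has since replaced."""


@dataclass
class FakeKernel:
    """Stand-in for the kernel side: one installed table plus a generation
    counter that increments on every successful upload (hypothetical)."""
    rules: Tuple[Rule, ...] = ()
    generation: int = 0
    uploads: int = 0

    def download(self) -> Tuple[int, List[Rule]]:
        return self.generation, list(self.rules)

    def upload(self, rules: List[Rule]) -> None:
        """Legacy semantics: replace the whole table, no conflict detection."""
        self.rules = tuple(rules)
        self.generation += 1
        self.uploads += 1

    def upload_if_unchanged(self, expected: int, rules: List[Rule]) -> None:
        """Compare-and-swap upload: reject if someone else changed the table."""
        if expected != self.generation:
            raise StaleRulesetError(f"expected gen {expected}, kernel is at {self.generation}")
        self.upload(rules)


def legacy_add_rule(kernel: FakeKernel, rule: Rule) -> Iterator[None]:
    """Download / modify / upload, written as a generator so that two
    clients can be interleaved at the point between download and upload."""
    _, rules = kernel.download()
    yield  # a second client may run here with its own (soon stale) copy
    rules.append(rule)
    kernel.upload(rules)


def cas_add_rule(kernel: FakeKernel, rule: Rule) -> Iterator[None]:
    """Same shape, but the upload is refused and retried if the table moved."""
    while True:
        gen, rules = kernel.download()
        yield
        rules.append(rule)
        try:
            kernel.upload_if_unchanged(gen, rules)
            return
        except StaleRulesetError:
            continue  # re-download the current table and try again


def run_round_robin(*clients: Iterator[None]) -> None:
    """Deterministic scheduler: advance each client one step in turn."""
    active = list(clients)
    while active:
        for client in list(active):
            try:
                next(client)
            except StopIteration:
                active.remove(client)


def batch_add_rules(kernel: FakeKernel, rules: List[Rule]) -> None:
    """Transactional front end: many requested changes, one kernel upload."""
    gen, current = kernel.download()
    current.extend(rules)
    kernel.upload_if_unchanged(gen, current)


def demo_lost_update() -> Tuple[Rule, ...]:
    """Two legacy clients race: the first client's rule is overwritten."""
    k = FakeKernel()
    run_round_robin(legacy_add_rule(k, "-A INPUT -p tcp --dport 22 -j ACCEPT"),
                    legacy_add_rule(k, "-A INPUT -p tcp --dport 80 -j ACCEPT"))
    return k.rules


def demo_cas() -> Tuple[Rule, ...]:
    """Same race with compare-and-swap uploads: both rules survive."""
    k = FakeKernel()
    run_round_robin(cas_add_rule(k, "-A INPUT -p tcp --dport 22 -j ACCEPT"),
                    cas_add_rule(k, "-A INPUT -p tcp --dport 80 -j ACCEPT"))
    return k.rules


def demo_batch_upload_count(n: int) -> Tuple[int, int]:
    """Kernel uploads needed for n rules: one per rule versus one per batch."""
    per_rule = FakeKernel()
    for i in range(n):
        run_round_robin(legacy_add_rule(per_rule, f"rule{i}"))
    batched = FakeKernel()
    batch_add_rules(batched, [f"rule{i}" for i in range(n)])
    return per_rule.uploads, batched.uploads


if __name__ == "__main__":
    print("legacy race:", demo_lost_update())
    print("cas race:   ", demo_cas())
    print("uploads (per-rule, batched):", demo_batch_upload_count(100))
```

The scheduler interleaves the two clients so that both download the empty table before either uploads; with replace-the-whole-table semantics the second upload wins and the port-22 rule disappears without any error. The compare-and-swap variant turns that into a detectable `StaleRulesetError` and a retry, and `batch_add_rules` shows the cost side of the second comment: a hundred rule additions become one upload instead of a hundred.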


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds