
BPF comes to firewalls

Posted Feb 20, 2018 12:56 UTC (Tue) by iq-0 (subscriber, #36655)
Parent article: BPF comes to firewalls

I'm in favor of a JIT-able packet filter that might partially be offloaded to hardware.

But the real challenges are often not the ruleset overhead, but are related to connection tracking, matching against advanced set data structures and the interaction with the rest of the network stack. I feel like there is a basic conflict between calling kernel functions to get better access to advanced algorithms and data structures and the basic JIT and offloading story of bpfilter.

And didn't BPF programs have a size constraint? Or is that something that can be worked around using BPF_MAP_TYPE_PROG_ARRAY?


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds