
BPF comes to firewalls


Posted Feb 24, 2018 20:07 UTC (Sat) by kleptog (subscriber, #1183)
In reply to: BPF comes to firewalls by bernat
Parent article: BPF comes to firewalls

Well that explains things... I heard someone mumbling about how iptables updates can get lost and I couldn't see how, until now.

In any case, if we do firewall rules as BPF we end up with the same problem surely? The performance improvement would be that you can pass your firewall through a compiler/optimiser to make it more efficient, but as a side effect you end up with the same problem, namely, to update a single rule you need to replace the whole program. Only now you've added an optimise step in between.

Unless you change your API to a transactional one where you can send updates and get a confirmation asynchronously and the backend is smart enough to avoid actually updating the kernel for every change.
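
A small model of the two cases the comment contrasts, added here as an illustration and not part of the original comment: a blind read-modify-write of a whole ruleset loses an update, while a backend that queues single-rule updates commits them as one generation-checked replacement. `Kernel`, `TransactionalBackend` and the rule strings are hypothetical and stand in for no real iptables or BPF interface.

```python
# Hypothetical model; the rule strings are constructed sample data.
class Kernel:
    """One slot holding a whole ruleset; the only write is full replacement."""
    def __init__(self):
        self.rules, self.generation, self.replacements = (), 0, 0

    def snapshot(self):
        return self.rules, self.generation

    def replace(self, rules, expected_gen=None):
        """Swap in a whole ruleset; with expected_gen set, refuse a stale writer."""
        if expected_gen is not None and expected_gen != self.generation:
            return False
        self.rules, self.generation = tuple(rules), self.generation + 1
        self.replacements += 1
        return True

def naive_lost_update():
    """Two writers each read, add one rule and write back without a check."""
    k = Kernel()
    a, _ = k.snapshot()
    b, _ = k.snapshot()                  # second writer reads before the first writes
    k.replace(a + ("allow tcp/22",))
    k.replace(b + ("allow tcp/443",))    # silently discards the tcp/22 rule
    return k.rules

class TransactionalBackend:
    """Queues single-rule updates and commits them as one replacement."""
    def __init__(self, kernel):
        self.kernel, self.pending = kernel, []

    def submit(self, rule):
        self.pending.append(rule)        # confirmed later, by flush()

    def flush(self):
        """Apply every pending update in one replace; re-read and retry if stale."""
        batch, self.pending = self.pending, []
        while batch:
            rules, gen = self.kernel.snapshot()
            if self.kernel.replace(rules + tuple(batch), expected_gen=gen):
                break
        return batch                     # the updates now confirmed

def batched_updates():
    k = Kernel()
    backend = TransactionalBackend(k)
    for rule in ("allow tcp/22", "allow tcp/443"):
        backend.submit(rule)
    confirmed = backend.flush()
    return k.rules, k.replacements, confirmed
```
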



