LWN: Comments on "Network filtering for control groups"

Network filtering for control groups

RamiRosen — Tue, 11 Oct 2016 07:14:01 +0000

Regarding "Control groups (cgroups) perform two basic functions in the kernel: they allow the hierarchical grouping of processes, and they enable the use of controllers to apply resource limits to the processes in each group.":

I want to add in this context that cgroups are used also for accounting for usage of resources, which is also an important part of their role.

Rami Rosen

Network filtering for control groups

nybble41 — Thu, 25 Aug 2016 17:04:46 +0000

> Yeah, it would be nice to actually remove netfilter and replace it with EBPF-based system.

Isn't that what nftables was supposed to do?

I see that nftables uses its own VM rather than eBPF, but the main objection to just using eBPF seemed to be simply that with eBPF you can only replace the entire program, not individual rules. It appears to me that this could be handled by treating the nftables VM as an intermediate language and employing a user-mode helper program to compile the rules down to eBPF whenever they change.

The same mechanism would presumably integrate well with this new infrastructure to attach an eBPF filter to a control group.

Network filtering for control groups

Cyberax — Thu, 25 Aug 2016 16:49:49 +0000

Yeah, it would be nice to actually remove netfilter and replace it with EBPF-based system.

Network filtering for control groups

smurf — Thu, 25 Aug 2016 11:58:41 +0000

One might arrive at the obvious conclusion that the correct way forward is to implement network filtering in eBNF …