[iovisor-dev] [PATCH RFC] bpf: add connection tracking helper functions

Thomas Graf tgraf at suug.ch
Sun Sep 3 22:26:35 UTC 2017


On 1 September 2017 at 04:30, William Tu via iovisor-dev
<iovisor-dev at lists.iovisor.org> wrote:
> This patch adds two BPF conntrack helper functions, bpf_ct_lookup()
> and bpf_ct_commit(), to enable the possibility of BPF stateful firewall.
>
> There are two ways to implement BPF conntrack.  One way is to not
> rely on helpers but implement the conntrack state table using BPF
> maps.  So conntrack is basically another BPF program extracting
> the tuples and lookup/update its map.  Currently Cilium project has
> implemented this way.

This helper looks great. The reason why we implemented our own
conntrack table was for two reasons:
1. we wanted to have the option to have per endpoint tables and
netfilter conntrack had already switched back to a global table.
2. The conntrack helper was not available back then and we wanted to
have a backwards compatible alternative.

We are definitely interested in using this as well as it is merged.
Are you maintaining a development branch somewhere? We would love to
test it with Cilium.
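The map-based approach that the quoted patch description contrasts with the proposed helpers, as an added user-space C model (not code from the patch, from Cilium or from the kernel): the 5-tuple is the map key, a reply is matched by reversing the tuple, and only a flow committed from the inside admits inbound packets. The table, hash, state values and function names are constructed assumptions standing in for a BPF hash map and its lookup/update.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model: the 5-tuple is the map key, the flow state the map value. */
struct ct_key { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; };
enum ct_state { CT_NEW = 1, CT_ESTABLISHED = 2 };
struct ct_entry { struct ct_key key; enum ct_state state; bool used; };
enum verdict { VERDICT_DROP = 0, VERDICT_PASS = 1 };

#define CT_SIZE 64
static struct ct_entry ct_table[CT_SIZE];   /* stands in for a BPF hash map */

static struct ct_key make_key(uint32_t sa, uint32_t da, uint16_t sp, uint16_t dp, uint8_t pr) {
    struct ct_key k;
    memset(&k, 0, sizeof k);   /* zero the padding so keys hash and compare bytewise */
    k.saddr = sa; k.daddr = da; k.sport = sp; k.dport = dp; k.proto = pr;
    return k;
}

/* A reply to (src -> dst) arrives as (dst -> src), so reverse before lookup. */
static struct ct_key reverse_key(const struct ct_key *k) {
    return make_key(k->daddr, k->saddr, k->dport, k->sport, k->proto);
}

static uint32_t ct_hash(const struct ct_key *k) {
    uint32_t h = 2166136261u;   /* FNV-1a over the zeroed key bytes */
    for (size_t i = 0; i < sizeof *k; i++) { h ^= ((const uint8_t *)k)[i]; h *= 16777619u; }
    return h % CT_SIZE;
}

/* Linear-probing lookup; NULL when the tuple has no entry (map lookup miss). */
static struct ct_entry *ct_lookup(const struct ct_key *k) {
    for (uint32_t i = 0, h = ct_hash(k); i < CT_SIZE; i++, h = (h + 1) % CT_SIZE)
        if (ct_table[h].used && memcmp(&ct_table[h].key, k, sizeof *k) == 0) return &ct_table[h];
    return NULL;
}

/* Commit a new flow (map update); false when the table is full. */
static bool ct_commit(const struct ct_key *k) {
    for (uint32_t i = 0, h = ct_hash(k); i < CT_SIZE; i++, h = (h + 1) % CT_SIZE)
        if (!ct_table[h].used) { ct_table[h].used = true; ct_table[h].key = *k; ct_table[h].state = CT_NEW; return true; }
    return false;
}

/* State of a flow as seen from its forward tuple; 0 when unknown. */
static int ct_state_of(struct ct_key k) { struct ct_entry *e = ct_lookup(&k); return e ? (int)e->state : 0; }

/* Stateful policy: inside may open flows; outside packets pass only as replies. */
static enum verdict stateful_filter(struct ct_key k, bool from_inside) {
    if (from_inside) return (ct_lookup(&k) || ct_commit(&k)) ? VERDICT_PASS : VERDICT_DROP;
    struct ct_key rev = reverse_key(&k);
    struct ct_entry *e = ct_lookup(&rev);
    if (!e) return VERDICT_DROP;   /* unsolicited inbound: no forward entry exists */
    e->state = CT_ESTABLISHED;
    return VERDICT_PASS;
}
```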
