[iovisor-dev] [PATCH RFC] bpf: add connection tracking helper functions
tgraf at suug.ch
Sun Sep 3 22:26:35 UTC 2017
On 1 September 2017 at 04:30, William Tu via iovisor-dev
<iovisor-dev at lists.iovisor.org> wrote:
> This patch adds two BPF conntrack helper functions, bpf_ct_lookup()
> and bpf_ct_commit(), to enable the possibility of BPF stateful firewall.
> There are two ways to implement BPF conntrack. One way is to not
> rely on helpers but implement the conntrack state table using BPF
> maps. So conntrack is basically another BPF program extracting
> the tuples and looking up/updating its map. Currently the Cilium
> project has implemented it this way.
This helper looks great. We implemented our own conntrack table
for two reasons:
1. We wanted to have the option to have per-endpoint tables, and
netfilter conntrack had already switched back to a global table.
2. The conntrack helper was not available back then, and we wanted to
have a backwards-compatible alternative.
We are definitely interested in using this as well, once it is merged.
Are you maintaining a development branch somewhere? We would love to
test it with Cilium.
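The map-based approach William describes above, as an added userspace model (not code from the patch, from Cilium or from the kernel): a BPF program extracts the 5-tuple, normalizes it so a flow and its reply share one key, then looks the key up in a map and commits new flows. The table size, function names and the array standing in for a BPF hash map are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* 5-tuple key with explicit padding so the struct is exactly 16 bytes and
 * memcmp() is a valid equality test. The array plays the role of a BPF hash
 * map; ct_lookup()/ct_commit() mirror the proposed helper semantics. */
struct ct_key { uint32_t a_addr, b_addr; uint16_t a_port, b_port; uint8_t proto, pad[3]; };
struct ct_entry { struct ct_key key; int used; uint32_t packets; };
#define CT_SIZE 64                       /* assumed, stands in for max_entries */
static struct ct_entry ct_table[CT_SIZE];
/* Put the numerically smaller endpoint first so a packet and its reply hit
 * the same entry instead of needing two entries per flow. */
static struct ct_key ct_normalize(uint32_t s, uint16_t sp, uint32_t d, uint16_t dp, uint8_t proto) {
    struct ct_key k; memset(&k, 0, sizeof k);    /* zero the padding too */
    int swap = (s > d) || (s == d && sp > dp);
    k.a_addr = swap ? d : s; k.a_port = swap ? dp : sp;
    k.b_addr = swap ? s : d; k.b_port = swap ? sp : dp;
    k.proto = proto;
    return k;
}
/* Extract the tuple from an IPv4 packet carrying TCP (6) or UDP (17).
 * Returns 0 on success, -1 if the packet is truncated or not TCP/UDP. */
static int ct_extract(const uint8_t *pkt, size_t len, struct ct_key *out) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (pkt[0] & 0x0f) * 4;
    uint8_t proto = pkt[9];
    if (ihl < 20 || len < ihl + 4 || (proto != 6 && proto != 17)) return -1;
    uint32_t s = (uint32_t)pkt[12] << 24 | (uint32_t)pkt[13] << 16 | pkt[14] << 8 | pkt[15];
    uint32_t d = (uint32_t)pkt[16] << 24 | (uint32_t)pkt[17] << 16 | pkt[18] << 8 | pkt[19];
    uint16_t sp = (uint16_t)(pkt[ihl] << 8 | pkt[ihl + 1]);
    uint16_t dp = (uint16_t)(pkt[ihl + 2] << 8 | pkt[ihl + 3]);
    *out = ct_normalize(s, sp, d, dp, proto);
    return 0;
}
/* Lookup: NULL means "no tracked connection", like a failed map lookup. */
static struct ct_entry *ct_lookup(const struct ct_key *k) {
    for (int i = 0; i < CT_SIZE; i++)
        if (ct_table[i].used && memcmp(&ct_table[i].key, k, sizeof *k) == 0) return &ct_table[i];
    return NULL;
}
/* Commit: insert the flow if new and return its entry; NULL when the table is full. */
static struct ct_entry *ct_commit(const struct ct_key *k) {
    struct ct_entry *e = ct_lookup(k);
    if (e) return e;
    for (int i = 0; i < CT_SIZE; i++)
        if (!ct_table[i].used) { e = &ct_table[i]; e->used = 1; e->key = *k; e->packets = 0; return e; }
    return NULL;
}
```

A stateful policy on top of this is then "allow if ct_lookup() succeeds, or if the packet is an outbound new flow, in which case ct_commit() it"; a full table (ct_commit() returning NULL) is the failure mode a real program must decide on explicitly.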