[iovisor-dev] [PATCH RFC] bpf: add connection tracking helper functions
u9012063 at gmail.com
Mon Sep 4 17:15:38 UTC 2017
On Sun, Sep 3, 2017 at 3:26 PM, Thomas Graf <tgraf at suug.ch> wrote:
> On 1 September 2017 at 04:30, William Tu via iovisor-dev
> <iovisor-dev at lists.iovisor.org> wrote:
> > This patch adds two BPF conntrack helper functions, bpf_ct_lookup()
> > and bpf_ct_commit(), to enable the possibility of BPF stateful firewall.
> > There are two ways to implement BPF conntrack. One way is to not
> > rely on helpers but implement the conntrack state table using BPF
> > maps. So conntrack is basically another BPF program extracting
> > the tuples and lookup/update its map. Currently Cilium project has
> > implemented this way.
> This helper looks great. The reason why we implemented our own
> conntrack table was for two reasons:
> 1. we wanted to have the option to have per endpoint tables and
> netfilter conntrack had already switched back to a global table.
> 2. The conntrack helper was not available back then and we wanted to
> have a backwards compatible alternative
> We are definitely interested in using this as well as it is merged.
> Are you maintaining a development branch somewhere? We would love to
> test it with Cilium.
Thanks for the feedback!
Now I put the branch below, I will work on Daniel's feedback and update