[iovisor-dev] [PATCH RFC] bpf: add connection tracking helper functions

William Tu u9012063 at gmail.com
Mon Sep 4 17:15:38 UTC 2017


On Sun, Sep 3, 2017 at 3:26 PM, Thomas Graf <tgraf at suug.ch> wrote:

> On 1 September 2017 at 04:30, William Tu via iovisor-dev
> <iovisor-dev at lists.iovisor.org> wrote:
> > This patch adds two BPF conntrack helper functions, bpf_ct_lookup()
> > and bpf_ct_commit(), to enable the possibility of BPF stateful firewall.
> >
> > There are two ways to implement BPF conntrack.  One way is to not
> > rely on helpers but implement the conntrack state table using BPF
> > maps.  So conntrack is basically another BPF program extracting
> > the tuples and lookup/update its map.  Currently the Cilium project has
> > implemented it this way.
>
> This helper looks great. We implemented our own conntrack table
> for two reasons:
> 1. we wanted to have the option to have per endpoint tables and
> netfilter conntrack had already switched back to a global table.
> 2. The conntrack helper was not available back then and we wanted to
> have a backwards compatible alternative
>
> We are definitely interested in using this as well as it is merged.
> Are you maintaining a development branch somewhere? We would love to
> test it with Cilium.
>

Thanks for the feedback!
I have put the branch below; I will work on Daniel's feedback and update
later.
https://github.com/williamtu/net-next/commits/bpfct

William
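The thread contrasts two ways of building a BPF stateful firewall: the helper-based approach (bpf_ct_lookup()/bpf_ct_commit() backed by netfilter conntrack) and the map-based approach where the BPF program itself extracts the flow tuple and does lookup/update against a hash map. The following is an added userspace C model of the map-based design, written for this page; it is not code from the patch, from Cilium, or from the kernel. The function names ct_lookup() and ct_commit(), their signatures, the state enum and the hash-table layout are all assumptions chosen to mirror the helper names in the patch; the table is a plain array standing in for a BPF hash map, and the IP addresses are constructed sample values.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* 5-tuple flow key: the fields a BPF program would extract from the packet
 * headers before calling map lookup/update (IPv4, host byte order here). */
struct ct_tuple {
    uint32_t saddr, daddr;
    uint16_t sport, dport;
    uint8_t  proto;
};

/* Classification returned by ct_lookup(), mirroring conntrack's
 * NEW / ESTABLISHED / REPLY states (assumed names, not the patch's). */
enum ct_state { CT_NEW = 0, CT_ESTABLISHED = 1, CT_REPLY = 2 };

struct ct_entry {
    struct ct_tuple key;
    int in_use;
    int seen_reply;  /* set once a packet in the reverse direction was seen */
};

#define CT_MAX 64
static struct ct_entry ct_table[CT_MAX]; /* stands in for a BPF hash map */

static void ct_reset(void) { memset(ct_table, 0, sizeof(ct_table)); }

/* Compare field by field so struct padding never affects the result. */
static int ct_tuple_eq(const struct ct_tuple *a, const struct ct_tuple *b)
{
    return a->saddr == b->saddr && a->daddr == b->daddr &&
           a->sport == b->sport && a->dport == b->dport && a->proto == b->proto;
}

/* FNV-1a over the tuple fields; a real BPF map hashes the key internally. */
static uint32_t ct_hash(const struct ct_tuple *t)
{
    uint32_t w[5] = { t->saddr, t->daddr, t->sport, t->dport, t->proto };
    uint32_t h = 2166136261u;
    for (int i = 0; i < 5; i++) { h ^= w[i]; h *= 16777619u; }
    return h;
}

/* Swap endpoints so a reply packet resolves to the original flow's entry. */
static struct ct_tuple ct_reverse(const struct ct_tuple *t)
{
    struct ct_tuple r = { t->daddr, t->saddr, t->dport, t->sport, t->proto };
    return r;
}

/* Linear-probing lookup; entries are never deleted in this model, so the
 * first empty slot terminates the probe. */
static struct ct_entry *ct_find(const struct ct_tuple *t)
{
    uint32_t i = ct_hash(t) % CT_MAX;
    for (int n = 0; n < CT_MAX; n++, i = (i + 1) % CT_MAX) {
        if (!ct_table[i].in_use) return NULL;
        if (ct_tuple_eq(&ct_table[i].key, t)) return &ct_table[i];
    }
    return NULL;
}

/* Model of a lookup helper: classify the packet against the flow table. */
static enum ct_state ct_lookup(const struct ct_tuple *t)
{
    struct ct_entry *e = ct_find(t);
    if (e) return CT_ESTABLISHED;
    struct ct_tuple r = ct_reverse(t);
    e = ct_find(&r);
    if (e) { e->seen_reply = 1; return CT_REPLY; }
    return CT_NEW;
}

/* Model of a commit helper: record the flow in its original direction.
 * Returns 0 on success (or if already tracked), -1 when the table is full. */
static int ct_commit(const struct ct_tuple *t)
{
    uint32_t i = ct_hash(t) % CT_MAX;
    for (int n = 0; n < CT_MAX; n++, i = (i + 1) % CT_MAX) {
        if (ct_table[i].in_use) {
            if (ct_tuple_eq(&ct_table[i].key, t)) return 0;
            continue;
        }
        ct_table[i].key = *t;
        ct_table[i].in_use = 1;
        ct_table[i].seen_reply = 0;
        return 0;
    }
    return -1;
}

/* Stateful firewall policy: established flows and replies pass; a NEW flow
 * is committed and passed only if it originates from the trusted side. */
static int ct_firewall(const struct ct_tuple *t, int from_trusted_side)
{
    switch (ct_lookup(t)) {
    case CT_ESTABLISHED:
    case CT_REPLY:
        return 1;
    case CT_NEW:
        if (!from_trusted_side) return 0;  /* unsolicited inbound: drop */
        return ct_commit(t) == 0;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample flows: 10.0.0.1 -> 10.0.0.2:443 and a stray SSH probe. */
    struct ct_tuple out = { 0x0a000001u, 0x0a000002u, 40000, 443, 6 };
    struct ct_tuple rep = ct_reverse(&out);
    struct ct_tuple bad = { 0x0a000063u, 0x0a000001u, 1234, 22, 6 };
    ct_reset();
    printf("outbound SYN: %s\n", ct_firewall(&out, 1) ? "pass" : "drop");
    printf("reply:        %s\n", ct_firewall(&rep, 0) ? "pass" : "drop");
    printf("unsolicited:  %s\n", ct_firewall(&bad, 0) ? "pass" : "drop");
    return 0;
}
```

The model shows the two operations the thread discusses in either design: a lookup that must also try the reversed tuple so replies are recognised, and a commit that only ever happens for the trusted direction. Whichever variant is used, the policy decision (which side may open NEW flows) stays in the BPF program; only the storage moves between a BPF map and the kernel's conntrack table.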

