On Sun, Sep 3, 2017 at 3:26 PM, Thomas Graf <[email protected]> wrote:
> On 1 September 2017 at 04:30, William Tu via iovisor-dev
> <[email protected]> wrote:
> > This patch adds two BPF conntrack helper functions, bpf_ct_lookup()
> > and bpf_ct_commit(), to enable the possibility of BPF stateful firewall.
> >
> > There are two ways to implement BPF conntrack. One way is to not
> > rely on helpers but implement the conntrack state table using BPF
> > maps. So conntrack is basically another BPF program extracting
> > the tuples and lookup/update its map. Currently Cilium project has
> > implemented this way.
>
> This helper looks great. The reason why we implemented our own
> conntrack table was for two reasons:
> 1. we wanted to have the option to have per endpoint tables and
> netfilter conntrack had already switched back to a global table.
> 2. The conntrack helper was not available back then and we wanted to
> have a backwards compatible alternative
>
> We are definitely interested in using this as well as it is merged.
> Are you maintaining a development branch somewhere? We would love to
> test it with Cilium.
>

Thanks for the feedback! Now I put the branch below, I will work on
Daniel's feedback and update later.

https://github.com/williamtu/net-next/commits/bpfct

William
