
Daemon-less bpfilter #382

@qdeslandes

bpfilter currently operates as a daemon running on the system. While this was perfectly acceptable originally, it's now a subpar design that could be improved into a library-only approach.

Exporting bpfilter solely as a library (with bfcli as CLI) would:

  • Reduce risks of ABI breakage: better versioning, no serialized data exposed to the user
  • Allow for easier integration: the long-term plan would be to submit an iptables-legacy integration, then a nftables integration
  • Improve overall design: reduces new features cost
  • Increase stability: users would be responsible for loading/attaching the programs (through the library)

This is a large project that requires extensive design before any work.

Labels

  • area: cli (Command line interface(s))
  • area: codegen (BPF bytecode generation)
  • area: front-end (Front-ends: parsing and translation)
  • area: loader (BPF programs management)
  • priority: 0 (Critical/blocker)
