
Why is the kernel community replacing iptables with BPF? - lunchbreak
https://cilium.io/blog/2018/04/17/why-is-the-kernel-community-replacing-iptables/
======
PhantomGremlin
An interesting introduction to how Linux currently does packet filtering and
how changing to BPF will improve performance.

The really amusing thing to me (an OpenBSD user) was the omission of any
discussion of the origin of BPF, or even spelling out the acronym (it's the
Berkeley Packet Filter).

Those GPL guys really really hate acknowledging anything to do with Berkeley!
:) Even though in this case it's not directly the University of California,
Berkeley but instead the origin of BPF is the Lawrence Berkeley Laboratory.

~~~
sunstone
Why are we down voting this post? Is there a real inaccuracy in it somewhere?

~~~
fred_is_fred
Because the author took an omission from a technical post and used it to
extrapolate the behavior of thousands of people.

------
indigodaddy
I posted this on a similar current HN thread about BPF, but also relevant
here. See Poettering's blog for how you can do very cool access control things
via systemd taking advantage of EBPF:

http://0pointer.net/blog/ip-accounting-and-access-lists-with-systemd.html
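
An added illustration of the kind of eBPF-backed access control the comment above refers to (this is my example, not the commenter's or the blog's own text). It uses the systemd directives `IPAccounting=`, `IPAddressDeny=` and `IPAddressAllow=` from systemd.resource-control(5), which systemd implements by attaching a BPF program to the unit's cgroup, so the filter is per service rather than host-wide as with iptables. The unit name `nginx.service`, the drop-in path and the address ranges are assumptions chosen for the example.

```ini
# Assumed drop-in path: /etc/systemd/system/nginx.service.d/10-ipacl.conf
# (example only; unit name and networks are hypothetical)
[Service]
# Without any IPAddress* directive a service can talk to any peer; the
# only thing iptables gives you here is a host-wide rule set that cannot
# tell one cgroup's sockets from another's.

# Count bytes/packets in and out of this unit's cgroup via BPF.
IPAccounting=yes

# Default-deny all IPv4/IPv6 traffic for sockets owned by this unit ...
IPAddressDeny=any

# ... then punch holes. Allow entries take precedence over Deny entries.
# "localhost" is a documented special value covering 127.0.0.0/8 and ::1.
IPAddressAllow=localhost
IPAddressAllow=10.0.0.0/8
```

After `systemctl daemon-reload` and `systemctl restart nginx.service`, `systemctl show -p IPIngressBytes,IPEgressBytes nginx.service` reports the per-unit counters (they are only populated when `IPAccounting=yes`), and a connection from the service to a peer outside the allowed ranges fails at the socket layer. The same properties can be tried on an ad-hoc command with `systemd-run -p IPAddressDeny=any -p IPAddressAllow=localhost ...` before committing them to a unit file. Note that this enforces on the cgroup's sockets, so it relies on the kernel's cgroup BPF support being available to systemd.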

------
qalmakka
So what about the elephant in the room, nftables? Are they basically dead in
the water now?

~~~
jaimex2
yep.

~~~
aktau
I'd hope not, and that the nftables (nft) language can be implemented on top
of this new infra. It is much easier to use and audit than iptables.

EDIT: me, parent and grandparent should've read the article. There are already
two projects underway to make userspace nft work with bpfilter as a backend.
Sweet!

