
BPF, EBPF, XDP and Bpfilter - lunchbreak
https://www.netronome.com/blog/bpf-ebpf-xdp-and-bpfilter-what-are-these-things-and-what-do-they-mean-enterprise/
======
indigodaddy
Also see Poettering's blog for how you can do very cool access control things
via systemd taking advantage of EBPF:

[http://0pointer.net/blog/ip-accounting-and-access-lists-with-systemd.html](http://0pointer.net/blog/ip-accounting-and-access-lists-with-systemd.html)

------
tux1968
He talks about all this in the context of "NFP" offload but then never
explains what this device is.

~~~
njv4567
Hey Man! Thanks for the comment. Yeah, maybe I assumed that not this many
people who weren't already familiar would see this :)

The NFP is our many-core processor with 72 cores (50 used for BPF); each of
those cores has 8 threads, which are cooperatively multithreaded. The whole
chip is about 12-14W.

This chip gets used on our NICs and works with our upstream kernel driver,
which contains the JIT, and that is what does the offload work. Check out our
videos from Netdev 1.2 and Netdev 2.2 if you are interested!

~~~
ra1n85
How do you handle buffering? Any challenges with processing new
headers/encapsulation schemes, or is it flexible in that regard?

[ Edit: Nevermind, found the data sheet:
[https://www.netronome.com/media/documents/PB_NFP-4000.pdf](https://www.netronome.com/media/documents/PB_NFP-4000.pdf)
]

One remaining question - how big is the space allocated to lookups/LPM?

~~~
njv4567
So I believe at the moment we allocate about 1GB of on-card DRAM-backed
storage for lookups, but the chip supports way more DRAM (8GB) and there are
other larger chips that can support even more (up to 24GB). But we have
focused on this guy for now :).

------
pelasaco
How does this new bpfilter + iptables compare with firewalld?

~~~
gdamjan1
firewalld is just a management daemon with a dbus interface. Nothing stops it
from using iptables, nftables or bpfilter.

