
The community kind of skipped right over nftables to BPF. Simple use cases use iptables, complicated ones use BPF, nftables isn't flexible enough for the complicated use cases so everyone keeps using iptables.


@WGH_ You're dead - presumably because the profile is new, and immediately made a comment? I think maybe anti-spam is a bit aggressive, unless there's some linked account that accounts for the ban?

At any rate, I agree information on BPF as an iptables work-alike is scarce. This helps a bit:

https://www.netronome.com/blog/bpf-ebpf-xdp-and-bpfilter-wha...

Then there's of course the kernel docs, eg: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/lin...

See also: https://blog.cloudflare.com/introducing-the-bpf-tools/


What is BPF (in the context of iptables/nftables replacement) exactly? I tried searching for it, but only found some articles about early stage kernel support. Nothing about userspace or how to use it at all. It looks like there's still no BPF firewall at this time.


We're using BPF for packet filtering in production on my team today, but it's not directly an iptables/nftables replacement; it's an entire kernel subsystem used in several parts of the kernel and also useful for diverse use cases such as performance profiling, syscall tracing and packet filtering. It's also seen rapid development in recent kernels and most internet articles about it are out of date.

Something I wrote for the ArchWiki [1]:

> BPF is a system used to load and execute bytecode within the kernel dynamically during runtime. It is used in a number of Linux kernel subsystems such as networking (e.g. XDP, tc), tracing (e.g. kprobes, uprobes, tracepoints) and security (e.g. seccomp). It is also useful for advanced network security, performance profiling and dynamic tracing.

> BPF was originally an acronym of "Berkeley Packet Filter" since the original classic BPF was used for packet capture tools for BSD. This eventually evolved into Extended BPF (eBPF), which was shortly afterwards renamed to just BPF (not an acronym). BPF should not be confused with packet filtering tools like iptables or netfilter, although BPF can be used to implement packet filtering tools.

lwn.net has a decent (although 3 years old) intro article [2]. Cilium has a good document on how they use BPF to implement a packet filter [3].

[1] https://wiki.archlinux.org/index.php/Security#BPF_hardening

[2] https://lwn.net/Articles/740157/

[3] http://docs.cilium.io/en/latest/bpf/
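To make concrete what "bytecode executed in the kernel to accept or drop a packet" means, here is an added example (not code from the commenter, the ArchWiki, Cilium or the kernel): a small userspace interpreter for the classic BPF instruction subset that Linux packet filters such as the iptables xt_bpf match execute, run over constructed packets. The filter accepts IPv4 UDP datagrams to port 53 whose DNS header has the QR bit clear, i.e. DNS queries, and is written the way xt_bpf presents packets (offset 0 is the IP header). The opcode values are the classic ones from linux/filter.h; the interpreter, the packet builder and the names cbpf_run, verdict_for and print_xt_bpf are this example's own, and the packet bytes are constructed for the demonstration.

```c
/* Added example: userspace interpreter for a classic BPF (cBPF) subset,
 * run over constructed packets. Not kernel code; illustration only. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classic BPF opcode fields; numeric values match <linux/filter.h>. */
enum { BPF_LD = 0x00, BPF_LDX = 0x01, BPF_JMP = 0x05, BPF_RET = 0x06,  /* class */
       BPF_W = 0x00, BPF_H = 0x08, BPF_B = 0x10,                         /* size  */
       BPF_ABS = 0x20, BPF_IND = 0x40, BPF_MSH = 0xa0,                   /* mode  */
       BPF_JEQ = 0x10, BPF_JSET = 0x40, BPF_K = 0x00 };                  /* op/src */

struct sock_filter { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* Accept IPv4 UDP to port 53 with DNS QR == 0 (a query). Offset 0 is the IP
 * header, as xt_bpf sees packets. jt/jf are relative to the next instruction. */
static const struct sock_filter dns_query_filter[] = {
    { BPF_LD  | BPF_B | BPF_ABS,  0, 0, 9 },     /* 0: A = ip.proto            */
    { BPF_JMP | BPF_JEQ | BPF_K,  0, 6, 17 },    /* 1: not UDP  -> 8 (drop)    */
    { BPF_LDX | BPF_B | BPF_MSH,  0, 0, 0 },     /* 2: X = 4 * (ip[0] & 0xf)   */
    { BPF_LD  | BPF_H | BPF_IND,  0, 0, 2 },     /* 3: A = udp.dport           */
    { BPF_JMP | BPF_JEQ | BPF_K,  0, 3, 53 },    /* 4: not 53   -> 8 (drop)    */
    { BPF_LD  | BPF_B | BPF_IND,  0, 0, 10 },    /* 5: A = dns.flags high byte */
    { BPF_JMP | BPF_JSET | BPF_K, 1, 0, 0x80 },  /* 6: QR set   -> 8 (drop)    */
    { BPF_RET | BPF_K, 0, 0, 0xffff },           /* 7: accept                  */
    { BPF_RET | BPF_K, 0, 0, 0 },                /* 8: drop                    */
};
#define FILTER_LEN (sizeof dns_query_filter / sizeof dns_query_filter[0])

/* Big-endian load with a bounds check; 0 means the read left the packet. */
static int load(const uint8_t *p, size_t len, uint32_t off, uint16_t size, uint32_t *out)
{
    size_t n = (size == BPF_W) ? 4 : (size == BPF_H) ? 2 : 1;
    if (off > len || len - off < n) return 0;
    *out = 0;
    for (size_t i = 0; i < n; i++) *out = (*out << 8) | p[off + i];
    return 1;
}

/* Runs a cBPF program; returns its verdict, 0 = drop. Out-of-bounds loads give
 * 0 (as the kernel does); opcodes outside this subset also give 0 here. */
uint32_t cbpf_run(const struct sock_filter *prog, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t A = 0, X = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code & 0x07) {                              /* BPF_CLASS */
        case BPF_LD: {
            uint32_t off = in->k + (((in->code & 0xe0) == BPF_IND) ? X : 0);
            if (!load(pkt, len, off, in->code & 0x18, &A)) return 0;
            break;
        }
        case BPF_LDX:                                            /* MSH form only */
            if ((in->code & 0xe0) != BPF_MSH || in->k >= len) return 0;
            X = 4 * (pkt[in->k] & 0x0f);
            break;
        case BPF_JMP: {
            int taken = ((in->code & 0xf0) == BPF_JEQ) ? (A == in->k) : ((A & in->k) != 0);
            pc += taken ? in->jt : in->jf;
            break;
        }
        case BPF_RET:
            return in->k;
        default:
            return 0;
        }
    }
    return 0;
}

/* Prints the "len,code jt jf k,..." text that iptables -m bpf --bytecode takes. */
void print_xt_bpf(const struct sock_filter *prog, size_t n)
{
    printf("%zu", n);
    for (size_t i = 0; i < n; i++)
        printf(",%u %u %u %u", prog[i].code, prog[i].jt, prog[i].jf, prog[i].k);
    putchar('\n');
}

/* Constructed packet: 20-byte IPv4 header, 8-byte UDP header, 12-byte DNS header. */
static size_t build_pkt(uint8_t *buf, uint8_t proto, uint16_t dport, uint16_t dns_flags)
{
    memset(buf, 0, 40);
    buf[0] = 0x45;                                              /* IPv4, IHL = 5 */
    buf[9] = proto;
    buf[20] = 0x9c; buf[21] = 0x40;                             /* sport 40000   */
    buf[22] = dport >> 8; buf[23] = dport & 0xff;
    buf[25] = 20;                                               /* udp length    */
    buf[28] = 0x12; buf[29] = 0x34;                             /* dns id        */
    buf[30] = dns_flags >> 8; buf[31] = dns_flags & 0xff;
    return 40;
}

/* Builds a sample packet, truncates it to len bytes, and returns the verdict. */
uint32_t verdict_for(uint8_t proto, uint16_t dport, uint16_t dns_flags, size_t len)
{
    uint8_t pkt[40];
    size_t full = build_pkt(pkt, proto, dport, dns_flags);
    return cbpf_run(dns_query_filter, FILTER_LEN, pkt, len < full ? len : full);
}

int main(void)
{
    print_xt_bpf(dns_query_filter, FILTER_LEN);
    printf("query %u  reply %u  tcp %u  truncated %u\n",
           verdict_for(17, 53, 0x0100, 40), verdict_for(17, 53, 0x8180, 40),
           verdict_for(6, 53, 0x0100, 40), verdict_for(17, 53, 0x0100, 29));
    return 0;
}
```

The truncated case is the one worth noticing: a load past the end of the packet makes the kernel drop rather than read garbage, so a filter that inspects the DNS header needs no explicit length check. The first line main prints is the string you would hand to `iptables -m bpf --bytecode` to get the same match in a netfilter rule, which is exactly the glue the Cloudflare bpftools linked above generate.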


Even for simple cases, I prefer nftables. If for no other reason than I think the syntax is simpler and easier to understand.


Sure, but most admins have to learn iptables anyway, and many prefer to learn one tool instead of two.



