feasible to use bpfilter with uBPF to evaluate/test nftables rulesets in userspace? #56
Comments
That sounds like a cool idea! It's not currently possible to get the generated program from I'll work on this in the coming days, to see how I can integrate this nicely, and come back to this issue to share the progress and a way for you to try it! Is that ok for you?
@qdeslandes this sounds excellent. before i send you too deep on implementation (but by all means, feel free if you are excited!), i do still need to verify two other requirements:
maybe you know the answer to the first, and i can dig into uBPF to understand its capabilities.
@khimaros After some more thought, I think this feature is more complicated than it seems, and there are some constraints which are difficult to overcome. However, I might have a solution for you anyway. Firstly, my understanding is that you want to evaluate/validate one or more of
To provide more context, here's how
It's important to mention that 1. Use
i have a dream, where all nftables rules are tested statically before insertion into the kernel.
reading the bpfilter documentation, it seems that the daemon can be used (transparently?) as a backend for nftables userspace tools. did i understand that correctly?
if that's possible, i'd like to pull the generated BPF bytecode from bpfilter and pass it through uBPF in order to perform analysis against simulated packets.
does this seem like something that would work well with bpfilter as currently implemented?