Hi there enthusiasts. Linux kernel has a system called eBPF for creating bytecode that can be used in a variety of places, including in tc filters and the firewall system. Firewalling is a bit more experimental, but the tc-bpf system for classifying packets and doing tc actions is I think more well tested.
Interestingly the Julia programming language which is a very nice just in time compiled language for interactive usage has a module called BPFnative.jl which can take in Julia functions and output bytecode compiled versions. Right now there's not much in the way of documentation but there are a bunch of tests in the package that can be used as examples of how to use it. The output could in theory be dumped to a file and then transported over to a router and loaded into the kernel.
I'm wondering if anyone is interested in experimenting with using eBPF to classify packets on ingress and take actions like setting DSCP values and soforth for the purpose of improving quality of service or other useful actions?
I guess the biggest issue that we would need a method to peek into the NAT tables on ingress, that is the reason for our issues, otherwise, I believe, tc would be workable, but without getting to the NATed internal addresses things are just odd. Now, ebpf might be able to pull that off, but that seems a big step....
I always wondered whether I should try to learn Julia, but I guess in my field Matlab (in spite of the steep license costs) still rules and the next likely candidate would be python...
Yeah, I think that's a big deal, and I've been wondering about it. Perhaps we could do a routing based solution, where things go through the routing machinery, and then get routed to an IFB before then being mirrored to their final destination? at that point it would have the appropriate NATted addresses? Also for IPv6 it's normally not an issue
Julia blows matlab and python both out of the water IMHO. If you learn Julia you will never go back. Might make it hard to keep your job
Probably the solution is still to switch to nftables, and ultimately let nftables compile to eBPF which I think is the direction it will head in.