On 9/21/16 7:19 AM, Tom Herbert wrote:
> #1: Should we allow alternate code to run in XDP other than BPF?
separate nft hook - yes
generic hook - no
since it's one step away from kernel modules abusing this hook. pass/drop/tx of raw buffer at the driver level is a perfect interface to bypass everything in the stack. The tighter we make it the better. If nft and bpf are both not flexible enough to express dataplane functionality we should extend them instead of writing C code or kernel modules.

On bpf side we're trying very hard to kill any dream of interoperability with kernel modules. The map and prog type registration is done in a way to make it impossible for kernel modules to register their own map and program types or provide their own helper functions. nfhooks approach is very lax at that and imo it was a mistake, since there are plenty of out-of-tree modules that are using nf hooks and plenty of in-tree modules that are barely maintained.
> #2: If #1 is true what is the best way to implement that?
Add separate nft hook that doesn't interfere in any way with bpf hook at xdp level. The order nft-first or bpf-first or exclusive attach doesn't matter to me. These are details to be discussed.