On Thu, Mar 15, 2018 at 06:00:22PM +0100, Florian Westphal wrote:
> Alexei Starovoitov <alexei.starovoi...@gmail.com> wrote:
> > The way this IMR defined today looks pretty much like nft and
> > it feels a bit too low level than iptable conversion would need.
>
> It wasn't so much about a specific IMR but to avoid code duplication
> between nft and iptables translators.
>
> > I think it would be simpler to have user space only extensions
> > and opcodes added to bpf for the purpose of the translation.
> > Like there is no bpf instruction called 'load from IP header',
> > but we can make one. Just extend extended bpf with an instruction
> > like this and on the first pass do full conversion of nft
> > directly into this 'extended extended bpf'.
>
> I don't want to duplicate any ebpf conversion (and optimisations)
> in the nft part.
>
> If nft can be translated to this 'extended extended bpf' and
> this then generates bpf code from nft input all is good.

If possible it's great to avoid duplication, but it shouldn't be such an ultimate goal that it cripples iptable->bpf conversion just to reuse nft->bpf bits.