On top of its many uses, BPF has also been formally verified by the Jitk project in 2014 with more work here in 2015. Since then, someone also built an extraction mechanism that generates C. We also have more tools for automated analysis or testing of C programs, esp. small, clean implementations. Long story short, this component could be built with high assurance of correctness and security, which benefits many of these other projects depending on it.
The most recent development in the evolution of BPF is an exciting proposal to completely replace the kernel part of iptables with BPF in a way that is completely transparent to the user, i.e. existing iptables client binaries and libraries will continue to work.
So will there be a new syntax/interface as well, or do you still have to use iptables exclusively? I’m not saying it’s bad and it’s cool that this is backwards compatible, but I’ve never really warmed up to the iptables syntax and even after 15? years of sporadic use I still have to look up even the simplest things. (Big fan of ferm for that reason and also quite happy administering firewalls is not a part of my day job anymore :P)
There are any number of iptables front ends like ufw. They generate insane amounts of rules though. I use them for simplicity, but if I’m ever setting up something like OpenVPN, I typically write my own iptables rules by hand.
Why is it called BPF? Was there an APF before?
Says the guy who works on OpenASD, right?
https://en.wikipedia.org/wiki/Berkeley_Packet_Filter
That paper is quite approachable. However, it assumes knowledge of compilation techniques like code generation from a control flow graph.
There have also been many enhancements since the original paper, which is 25+ yrs old.