Talk: "nftables switchdev support" (Pablo Neira Ayuso)


This talk covers the design and implementation of the nftables switchdev support. The goal is to introduce the audience to the new in-kernel infrastructure that represents rulesets as a generic abstract syntax tree, which drivers can easily transform into their hardware-specific representation.

Whenever a netdevice comes with ACL offload capabilities and switchdev support, nftables transparently offloads the ACL configuration to the hardware. What can be expressed in offloaded rules is restricted by the hardware's capabilities. The frontend Netlink API remains the same as in pure software mode, hiding this complexity so that the infrastructure stays easy to extend in the long run.

This implementation relies on the rocker switch prototype and should open the door to other switchdev clients already available in the networking tree.

This infrastructure could also be used to provide just-in-time (JIT) compilation from the kernel backend, without exposing this internal representation to userspace.