by jeroenhd 347 days ago
Effectively, not a lot. eBPF does have the capabilities to do more than a regular firewall, but this just seems to do an IP lookup in a blacklist file.

If you buy a fancy network card from a company like Nvidia, you could run the eBPF program on the card itself and the kernel wouldn't even see the packet come in. This use case doesn't seem like it'd need that kind of performance tweak, though.

It's useful as a fun project to experiment with eBPF, though!
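As an added illustration of the "IP lookup in a blacklist" decision the comment above describes (this is not code from the project under discussion or from the commenter): a user-space C model of the XDP verdict, with the in-kernel BPF hash map replaced by a plain array and the frame constructed inline. All names here are hypothetical.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#define VERDICT_DROP 1   /* mirrors the kernel's XDP_DROP action code */
#define VERDICT_PASS 2   /* mirrors XDP_PASS */
#define ETH_HDR_LEN  14
#define IPV4_HDR_LEN 20
/* User-space stand-in for the BPF hash map a real XDP program would query with
 * bpf_map_lookup_elem(); keys are IPv4 addresses in host byte order. */
struct blacklist { const uint32_t *addrs; size_t count; };
static int blacklist_contains(const struct blacklist *bl, uint32_t ip)
{
    for (size_t i = 0; i < bl->count; i++) if (bl->addrs[i] == ip) return 1;
    return 0;
}
/* Same discipline the BPF verifier enforces: every header byte is bounds-checked
 * against data_end before it is read. Unparsable frames are passed, not dropped. */
int xdp_blacklist_verdict(const uint8_t *data, const uint8_t *data_end,
                          const struct blacklist *bl)
{
    if (data + ETH_HDR_LEN > data_end) return VERDICT_PASS;        /* runt frame */
    if (data[12] != 0x08 || data[13] != 0x00) return VERDICT_PASS; /* not EtherType IPv4 */
    const uint8_t *ip = data + ETH_HDR_LEN;
    if (ip + IPV4_HDR_LEN > data_end || (ip[0] >> 4) != 4) return VERDICT_PASS;
    uint32_t saddr; memcpy(&saddr, ip + 12, sizeof saddr);         /* source: bytes 12..15 */
    return blacklist_contains(bl, ntohl(saddr)) ? VERDICT_DROP : VERDICT_PASS;
}

/* Constructed Ethernet+IPv4 frame (no payload) from the given source address. */
size_t build_ipv4_frame(uint8_t *buf, uint32_t saddr_host)
{
    memset(buf, 0, ETH_HDR_LEN + IPV4_HDR_LEN);
    buf[12] = 0x08; buf[13] = 0x00;                                /* EtherType IPv4 */
    buf[ETH_HDR_LEN] = 0x45;                                       /* version 4, IHL 5 */
    uint32_t be = htonl(saddr_host); memcpy(buf + ETH_HDR_LEN + 12, &be, sizeof be);
    return ETH_HDR_LEN + IPV4_HDR_LEN;
}

/* Verdict for a frame from saddr_host against a constructed two-entry list
 * (TEST-NET addresses); frame_len below 34 simulates a truncated frame. */
int verdict_for(uint32_t saddr_host, size_t frame_len)
{
    static const uint32_t bad[] = { 0xCB007107u /* 203.0.113.7 */, 0xCB007108u };
    const struct blacklist bl = { bad, 2 };
    uint8_t frame[64];
    size_t len = build_ipv4_frame(frame, saddr_host);
    if (frame_len < len) len = frame_len;
    return xdp_blacklist_verdict(frame, frame + len, &bl);
}
```

In a real deployment the same logic is compiled with clang for the BPF target and attached with iproute2, where the "driver mode" mentioned later in the thread is `xdpdrv` and NIC offload is `xdpoffload`.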


Do you have a model number for an Nvidia offload card? I thought that only Netronome did them and that they were kinda long in the tooth now. I’d love to get my hands on one.
The trick for anything Nvidia and networking related, of course, is to search for "Mellanox", the network card manufacturer they bought.

This forum post suggests the ConnectX-6 might work: https://forums.developer.nvidia.com/t/connectx-6-dx-crypto-a...

However, details are very hard to come by. Maybe the "offload" they offer isn't actually offloading anything and I've just misunderstood them when I last heard about them (and kernel XDP really is that fast).

Ah, yes, that makes sense. I'll have a read around then - thanks.

But, yeah, driver mode seems plenty fast enough and unless traffic goes up over 10x we’re fine for now.

Always good to have a plan, though …