One of the things that makes me happiest about this project is that evaluatePacket pretty cleanly separates network policy logic from the underlying implementation. It's essentially: give me a packet and I will use K8s objects to decide its fate.
The rest of the controller, however, is pretty coupled to nfqueue. I am wondering if we might benefit from having the controller be completely agnostic to how packet interception happens. A concrete suggestion to do this would be to have the controller take an interface for interception that does two things:
- Calls evaluatePacket on each packet it decides to intercept
- Takes advice on what local IPs it should intercept (sync below)
Very open to refining this interface.
This would allow:
- The controller to reduce its scope, and the nfqueue logic to live in its own package.
- Other interceptors to be tried out without bothering nfqueue or the core verdict logic. This might be just a future breaking API change in nftables, a Windows implementation (maybe https://github.com/tailscale/wf), or another tech completely like eBPF.
Tried putting something together that would pass unit tests and it seems doable, so I wanted to start an issue to maybe spark a conversation here or in the sig apps Slack.
Slowed down by a massive Seattle power outage, but already realized the interface may need a Stop() or has to return a function to defer cleanup. Could also make main defer the cleanup.
I'm usually a fan of "you don't know what an interface should look like till you have 3 users", so I might go play with the Windows packet filter just to see if it fits this interface, then come back with adjustments. The refactor is already plenty large though, so I would not actually include any implementations in it (and may try to remove some unnecessary changes I made).
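As an added illustration of the boundary the issue and the follow-up comment sketch (an interceptor interface that calls the verdict logic per packet, accepts a synced list of local IPs, and has a Stop() for cleanup), here is a minimal Go version with an in-memory fake that lets the controller be unit-tested without nfqueue. This is example code written for this page, not code from the project; the interface name Interceptor, its method names, the Packet type and the port-based stand-in for the K8s-object lookup inside evaluatePacket are all assumptions, and the traffic is constructed.

```go
package main

import (
	"context"
	"fmt"
	"net/netip"
	"sync"
)

// Verdict is the controller's decision for one packet.
type Verdict int

const (
	Drop Verdict = iota
	Accept
)

// Packet is the minimal view of a packet the verdict logic needs (hypothetical type).
type Packet struct {
	Src, Dst netip.Addr
	DstPort  uint16
}

// VerdictFunc is called by the interceptor for every packet it chose to intercept.
type VerdictFunc func(Packet) Verdict

// Interceptor is the assumed boundary between the controller and the packet
// interception backend (nfqueue, WFP, eBPF, ...). Method names are assumptions.
type Interceptor interface {
	// Run blocks until ctx is cancelled or the backend fails, calling verdict
	// for each intercepted packet.
	Run(ctx context.Context, verdict VerdictFunc) error
	// SyncLocalIPs advises the interceptor which local addresses to intercept.
	SyncLocalIPs(ips []netip.Addr)
	// Stop releases backend state (queue binding, hooks); safe after Run returns.
	Stop() error
}

// Controller holds only policy logic and reaches the backend through Interceptor.
type Controller struct {
	interceptor  Interceptor
	allowedPorts map[uint16]bool // constructed stand-in for the K8s-object lookup
}

// evaluatePacket decides the fate of one packet and never touches the backend.
func (c *Controller) evaluatePacket(p Packet) Verdict {
	if c.allowedPorts[p.DstPort] {
		return Accept
	}
	return Drop
}

// Run injects the verdict logic into the interceptor and guarantees Stop()
// runs even when the backend returns an error (the cleanup concern raised above).
func (c *Controller) Run(ctx context.Context) (err error) {
	defer func() {
		if stopErr := c.interceptor.Stop(); stopErr != nil && err == nil {
			err = stopErr
		}
	}()
	return c.interceptor.Run(ctx, c.evaluatePacket)
}

// FakeInterceptor is an in-memory backend for unit tests: it replays constructed
// packets and only intercepts those whose destination is a synced local IP.
type FakeInterceptor struct {
	mu       sync.Mutex
	localIPs map[netip.Addr]bool
	captured []Packet
	Verdicts map[Packet]Verdict // what the fake would have told the kernel
	Stopped  int                // number of Stop() calls, to check cleanup
}

func NewFakeInterceptor(captured ...Packet) *FakeInterceptor {
	return &FakeInterceptor{localIPs: map[netip.Addr]bool{}, captured: captured, Verdicts: map[Packet]Verdict{}}
}

func (f *FakeInterceptor) SyncLocalIPs(ips []netip.Addr) {
	f.mu.Lock()
	defer f.mu.Unlock()
	f.localIPs = make(map[netip.Addr]bool, len(ips))
	for _, ip := range ips {
		f.localIPs[ip] = true
	}
}

func (f *FakeInterceptor) Run(ctx context.Context, verdict VerdictFunc) error {
	f.mu.Lock()
	defer f.mu.Unlock()
	for _, p := range f.captured {
		if err := ctx.Err(); err != nil {
			return err
		}
		if !f.localIPs[p.Dst] {
			continue // not a local destination: bypasses the queue entirely
		}
		f.Verdicts[p] = verdict(p)
	}
	return nil
}

func (f *FakeInterceptor) Stop() error {
	f.mu.Lock()
	defer f.mu.Unlock()
	f.Stopped++
	return nil
}

// RunScenario drives the controller against the fake with constructed traffic
// and returns the fake so callers can inspect verdicts and cleanup.
func RunScenario() (*FakeInterceptor, error) {
	local := netip.MustParseAddr("10.244.0.5")  // constructed pod IP
	remote := netip.MustParseAddr("10.244.1.9") // constructed peer IP
	traffic := []Packet{
		{Src: remote, Dst: local, DstPort: 80},  // local, allowed port -> Accept
		{Src: remote, Dst: local, DstPort: 22},  // local, not allowed -> Drop
		{Src: local, Dst: remote, DstPort: 443}, // not local -> never intercepted
	}
	fake := NewFakeInterceptor(traffic...)
	fake.SyncLocalIPs([]netip.Addr{local})
	ctrl := &Controller{interceptor: fake, allowedPorts: map[uint16]bool{80: true}}
	err := ctrl.Run(context.Background())
	return fake, err
}

func main() {
	fake, err := RunScenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for p, v := range fake.Verdicts {
		fmt.Printf("%s -> %s:%d verdict=%d\n", p.Src, p.Dst, p.DstPort, v)
	}
	fmt.Println("stop calls:", fake.Stopped)
}
```

The point of the fake is that evaluatePacket and Controller.Run are exercised end to end with no root, no netlink socket and no nfqueue binding; a real nfqueue, WFP or eBPF backend would implement the same three methods in its own package, and the deferred Stop() in Controller.Run is where the cleanup discussed above lands regardless of which backend is injected.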