Your proposals
From NFWS 2019
Place your proposals here
XFRM integration with netfilter
- Who: Florian
- Duration: 15 minutes
- flow table infra
- Could even be made configurable via the ruleset (i.e. trigger encrypt/decrypt from the flowtable).
- policy lookups/assignments with nft obj infra.
- (lwt)?
Steffen and Daniel talked about XFRM for XDP at netconf and I think it's going to be quite hard given XFRM/crypto reliance on the skb (async crypto..), so I think we should investigate alternatives. At this time, a secpath means we can't offload and will push the skb via the normal forwarding path. Let's discuss:
1. rx path: handle ipsec decryption in the ingress hook.
2. tx path: handle encryption in the ingress hook.
This would require caching the secpath to use in the flowtable, so we need a faster way to invalidate it in case there are changes (the flow cache suffered from expensive health checks).
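For readers not familiar with the flowtable infrastructure this proposal wants to hook IPsec into, the following nftables ruleset shows what it looks like today. This is an added illustration, not part of the proposal above; the interface names and ports are placeholders.

```nft
# Added illustration, not part of the NFWS 2019 proposal.
# Interface names (eth0, eth1) and ports are placeholders.
table inet filter {
    # The flowtable attaches to the ingress hook of the listed devices.
    # Once a connection has been added to it, subsequent packets of that
    # flow are forwarded straight from ingress and never traverse the
    # regular forwarding path, so they also never see XFRM policy lookups.
    # That is exactly why a packet carrying a secpath cannot be offloaded
    # this way today.
    flowtable ft {
        hook ingress priority 0; devices = { eth0, eth1 };
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Established TCP/UDP connections are handed to the flowtable.
        # (nftables releases older than 0.9.2 spell this "flow offload @ft".)
        ct state established meta l4proto { tcp, udp } flow add @ft

        ct state established,related accept
        ct state new tcp dport { 22, 80, 443 } accept
    }
}
```

With this ruleset only the first packets of a connection go through the forward chain; everything after the `flow add` is handled at ingress, which is the hook the proposal wants to perform decryption (rx) and encryption (tx) from.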
TPROXY infra
- Who: Florian
- Duration: ?
Basically the Cloudflare use cases.
- Where to optimize core infra (listener with no reference on sk)
- Is nft tproxy good enough? (Have not checked yet; at least ip/port pairs are coming from registers, so it might integrate better. Jakub provided some iptables rules/scenarios they use; I'd like to investigate this more wrt. what we have in nft.)
See https://lore.kernel.org/netdev/87sgs6ey43.fsf@cloudflare.com/
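As a reference point for the "is nft tproxy good enough" question, this is a minimal transparent-proxy ruleset using the existing nft tproxy and socket expressions. It is an added illustration and not part of the proposal or of the Cloudflare rules linked above; the proxy address, ports, mark value and routing table number are placeholders.

```nft
# Added illustration, not part of the NFWS 2019 proposal.
# 127.0.0.1:8080, the intercepted ports, mark 1 and table 100 are placeholders.
table inet proxy {
    chain prerouting {
        type filter hook prerouting priority -150; policy accept;

        # Packets belonging to a connection a local transparent socket
        # already owns: mark them so policy routing delivers them locally
        # instead of forwarding them.
        socket transparent 1 meta mark set 1 accept

        # New client connections to the intercepted ports: redirect them
        # to the proxy listener. The address and port given to tproxy are
        # ordinary nft expressions, which is what the "ip/port pairs come
        # from registers" remark above refers to.
        tcp dport { 80, 443 } tproxy ip to 127.0.0.1:8080 meta mark set 1 accept
    }
}
```

The ruleset only marks and redirects; the packets still need a matching policy route so the kernel delivers them to the local proxy socket, i.e. something like `ip rule add fwmark 1 lookup 100` and `ip route add local 0.0.0.0/0 dev lo table 100`, and the proxy must bind its listener with IP_TRANSPARENT.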