[QUESTION] Can I implement NAT with bpftime in a non-privileged container?
Charlie17Li opened this issue · 3 comments
For traditional eBPF, I can implement NAT with XDP/tc, but these ways always require "root".
I want to know if I can implement NAT with bpftime in a non-privileged container.
Thanks for developing this exciting project.
We don't support network-related features yet; currently we only support uprobe and syscall trace.
But maybe using uprobes to hook syscall functions like socket, write, and read would work, but we haven't tested it yet.
We have examples using DPDK, or possibly using AF_XDP, to run the network functions in XDP.
So part of the answer is yes, bpftime can help deploy these NATs to userspace.
But DPDK and AF_XDP still need root access.
You can find some code here and we will release more later: https://github.com/eunomia-bpf/XDP-eBPF-in-DPDK