(oops, my system doesn't respond correctly to list messages)
From what I've learned, Oxide's OPTE system isn't really a replacement for ipf, although it could provide incredible features and benefits, or some of the internals may apply.
If I'm understanding Oxide's system correctly, OPTE lets Oxide's bespoke Intel Tofino hardware, or a software emulator, encapsulate all traffic destined for a machine in an IPv6 packet. They then route the packet in their network using IPv6 routing, which seems to provide extremely efficient routing, or re-directing if necessary when a VM migrates.
I'm a little cloudy on this, but they may have developed a firewall scheme that will share any firewall processing beyond what the Intel Tofino can handle between many machines rather than having the destination machine need to handle all of it.
Finally, the packets that make it through the firewall arrive at an OPTE thread on each VM, where the packet escapes its encapsulation and is passed to the system/VM.
The best overview I could quickly find detailing their networking scheme is here:
https://rfd.shared.oxide.computer/rfd/0021

------------------------------------------
illumos: illumos-discuss
Permalink: https://illumos.topicbox.com/groups/discuss/T0a8179388427922c-M9b72a0d98f4e993e94fa9486