building socket aware bpf programs
play

Building socket-aware BPF programs Joe Stringer Cilium.io Linux - PowerPoint PPT Presentation

Jan 15, 2024 •97 likes •432 views

Building socket-aware BPF programs Joe Stringer Cilium.io Linux Plumbers 2018, Vancouver, BC Joe Stringer BPF Socket Lookup Nov 13, 2018 1 / 32 Joe Stringer BPF Socket Lookup Nov 13, 2018 2 / 32 Background Network Policy Endpoint A

  1. Building socket-aware BPF programs Joe Stringer Cilium.io Linux Plumbers 2018, Vancouver, BC Joe Stringer BPF Socket Lookup Nov 13, 2018 1 / 32

  2. Joe Stringer BPF Socket Lookup Nov 13, 2018 2 / 32

  3. Background Network Policy ”Endpoint A can talk to endpoint B” = ⇒ ”Endpoint B can reply to endpoint A” Joe Stringer BPF Socket Lookup Nov 13, 2018 3 / 32

  4. Background How have we built these before? Joe Stringer BPF Socket Lookup Nov 13, 2018 4 / 32

  5. Background Let’s do this with BPF Attach BPF to packet hook ✓ “Connection Tracking” BPF map ✓ Key by 5-tuple Associate counters, NAT state, etc. Handle tuple flipping “Policy” map ✓ Deploy! ✓ Joe Stringer BPF Socket Lookup Nov 13, 2018 5 / 32

  6. Background Let’s do this with BPF Attach BPF to packet hook ✓ “Connection Tracking” BPF map ✓ Key by 5-tuple Associate counters, NAT state, etc. Handle tuple flipping “Policy” map ✓ Deploy! ✗ nf_conntrack: table full, dropping packet Hmm, how big should this map be again? How do we clean this up. . . Joe Stringer BPF Socket Lookup Nov 13, 2018 6 / 32

  7. Background Why model it like this? Firewalls might not be co-located with the workload Firewalls should drop packets as quickly as possible Network stacks may be delicate flowers Solution? Build up state on-demand while processing packets Joe Stringer BPF Socket Lookup Nov 13, 2018 7 / 32

  8. Background Recent trends Joe Stringer BPF Socket Lookup Nov 13, 2018 8 / 32

  9. Socket-based firewalling If we’re co-located with the sockets . . . . . . why build our own connection table? Joe Stringer BPF Socket Lookup Nov 13, 2018 9 / 32

  10. Socket-based firewalling Socket table as a connection tracker Joe Stringer BPF Socket Lookup Nov 13, 2018 10 / 32

  11. Socket-based firewalling Socket safety Sockets are reference-counted internally Some memory-management under RCU rules BPF_PROG_TYPE_CGROUP_SOCK Access safety via reference held across BPF execution Bounds safety provided via bounds access checker Packet hooks may execute before associated socket is known Need to handle reference counting Joe Stringer BPF Socket Lookup Nov 13, 2018 11 / 32

  12. Extending the BPF verifier Joe Stringer BPF Socket Lookup Nov 13, 2018 12 / 32

  13. Extending the BPF verifier Joe Stringer BPF Socket Lookup Nov 13, 2018 13 / 32

  14. Extending the BPF verifier BPF verifier: Recap At load time, loop over all instructions Validate pointer access Ensure no loops . . . Access memory out of bounds? ✗ Loops forever? ✗ Everything safe? ✓ Joe Stringer BPF Socket Lookup Nov 13, 2018 14 / 32

  15. Extending the BPF verifier Socket reference counting Implicit Explicit (mainline) struct bpf_sock *sk; struct bpf_sock *sk; sk = bpf_sk_lookup( . . . ); sk = bpf_sk_lookup( . . . ); if (sk) { if (sk) { . . . . . . } bpf_sk_release(sk); /* Kernel will free ‘sk’ */ } Joe Stringer BPF Socket Lookup Nov 13, 2018 15 / 32

  16. Extending the BPF verifier Reference counting in the BPF verifier 1 Resource acquisition 2 Execution paths while resource is held 3 Resource release Joe Stringer BPF Socket Lookup Nov 13, 2018 16 / 32

  17. Extending the BPF verifier Reference acquisition Resource values are not known! This is the verifier, not the runtime Generate an identifier Store the identifier in the verifier state Associate the register with the identifier Joe Stringer BPF Socket Lookup Nov 13, 2018 17 / 32

  18. Extending the BPF verifier Reference misuse Mangle and release bpf_tail_call() BPF_LD_ABS , BPF_LD_IND Joe Stringer BPF Socket Lookup Nov 13, 2018 18 / 32

  19. Extending the BPF verifier Reference release Validation of pointers Remove identifier reference from state Unassociate register identifier associations Joe Stringer BPF Socket Lookup Nov 13, 2018 19 / 32

  20. Extending the BPF API Joe Stringer BPF Socket Lookup Nov 13, 2018 20 / 32

  21. Extending the BPF API Simplest form struct bpf_sock *bpf_sk_lookup(struct sk_buff *); void bpf_sk_release(struct bpf_sock *); Joe Stringer BPF Socket Lookup Nov 13, 2018 21 / 32

  22. Extending the BPF API Namespaces Joe Stringer BPF Socket Lookup Nov 13, 2018 22 / 32

  23. Extending the BPF API Arbitrary socket lookup Use any tuple for lookup Ease API across clsact, XDP Simplify packet mangle and lookup Joe Stringer BPF Socket Lookup Nov 13, 2018 23 / 32

  24. Extending the BPF API Extensibility Allow influencing lookup behaviour SO_REUSEPORT Determine socket type support at load time Socket type supported? Load the program Not supported? Reject the program Joe Stringer BPF Socket Lookup Nov 13, 2018 24 / 32

  25. Extending the BPF API Optimizations Avoid reference counting Allow lookup using direct packet pointers Joe Stringer BPF Socket Lookup Nov 13, 2018 25 / 32

  26. Extending the BPF API Socket lookup API struct bpf_sock * bpf_sk_lookup_tcp(void *ctx, struct bpf_sock_tuple *tuple, u32 tuple_size, u32 netns, u64 flags); struct bpf_sock * bpf_sk_lookup_udp(void *ctx, struct bpf_sock_tuple *tuple, u32 tuple_size, u32 netns, u64 flags); void bpf_sk_release(struct bpf_sock *sk); Joe Stringer BPF Socket Lookup Nov 13, 2018 26 / 32

  27. Extending the BPF API Socket lookup structures struct bpf_sock_tuple { union { struct { __be32 saddr; __be32 daddr; __be16 sport; __be16 dport; } ipv4; struct { __be32 saddr[4]; __be32 daddr[4]; __be16 sport; __be16 dport; } ipv6; }; }; Joe Stringer BPF Socket Lookup Nov 13, 2018 27 / 32

  28. Extending the BPF API Socket structure struct bpf_sock { __u32 bound_dev_if; __u32 family; __u32 type; __u32 protocol; __u32 mark; __u32 priority; __u32 src_ip4; /* NBO */ __u32 src_ip6[4]; /* NBO */ __u32 src_port; /* NBO */ }; Joe Stringer BPF Socket Lookup Nov 13, 2018 28 / 32

  29. Epilogue Joe Stringer BPF Socket Lookup Nov 13, 2018 29 / 32

  30. Epilogue Use case: Network devices Socket lookup from XDP Management traffic? Send up the stack Other traffic? Forward, route, load-balance Joe Stringer BPF Socket Lookup Nov 13, 2018 30 / 32

  31. Epilogue Future work More socket attribute access Associate metadata with sockets More uses for reference tracking Joe Stringer BPF Socket Lookup Nov 13, 2018 31 / 32

  32. Thank you Joe Stringer joe@cilium.io Joe Stringer BPF Socket Lookup Nov 13, 2018 32 / 32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Socket (Session) Aware Socket (Session) Aware Change of IP - SACIP Change of IP - SACIP network

Socket (Session) Aware Socket (Session) Aware Change of IP - SACIP Change of IP - SACIP network

Socket (Session) Aware Socket (Session) Aware Change of IP - SACIP Change of IP - SACIP network functionality network functionality Samo Poganik Key notes about SACIP Key notes about SACIP On-the-fly changes of network access point of

660 views • 30 slides
Socket Programming CS457, FA 11 What is a socket? Basically, a socket is just a file

Socket Programming CS457, FA 11 What is a socket? Basically, a socket is just a file

Socket Programming CS457, FA 11 What is a socket? Basically, a socket is just a file descriptor that your application can use to read and write data from. Stream and Datagram sockets provide an interface to the transport layer of the

419 views • 14 slides
Socket Service Types The following socket types are defined: 1. SOCK_STREAM : stream socket 2.

Socket Service Types The following socket types are defined: 1. SOCK_STREAM : stream socket 2.

Socket Service Types The following socket types are defined: 1. SOCK_STREAM : stream socket 2. SOCK_DGRAM : datagram socket 3. SOCK_RAW : raw-protocol interface 4. SOCK_RDM : reliably-delivered message 5. SOCK_SEQPACKET : sequenced packet stream

307 views • 27 slides
What is a socket? Socket Programming Socket: An interface between an application process and

What is a socket? Socket Programming Socket: An interface between an application process and

What is a socket? Socket Programming Socket: An interface between an application process and transport layer The application process can send/receive messages to/from another application process (local or remote)via a socket Kameswari

331 views • 6 slides
Outline ! Socket basics ! TCP sockets ! Socket details ! Socket options Computer Networks ! Final

Outline ! Socket basics ! TCP sockets ! Socket details ! Socket options Computer Networks ! Final

Outline ! Socket basics ! TCP sockets ! Socket details ! Socket options Computer Networks ! Final notes Sockets Socket Basics Ports ! An end-point for a IP network connection ! Numbers (vary in BSD, Solaris): what the application layer

318 views • 5 slides
Outline ! Socket basics ! TCP sockets ! Socket details ! Socket options Operating Systems ! Final

Outline ! Socket basics ! TCP sockets ! Socket details ! Socket options Operating Systems ! Final

Outline ! Socket basics ! TCP sockets ! Socket details ! Socket options Operating Systems ! Final notes ! Project 3 Sockets Socket Basics Ports ! An end-point for a IP network connection ! Numbers (vary in BSD, Solaris): what the

279 views • 4 slides
Building a geo-aware OS Zeeshan Ali (khattak) NO KAT PICTUREZ! What am I babbling about?

Building a geo-aware OS Zeeshan Ali (khattak) NO KAT PICTUREZ! What am I babbling about?

Building a geo-aware OS Zeeshan Ali (khattak) NO KAT PICTUREZ! What am I babbling about? Geo-aware GNOME Geoclue Over-complicated Geoclue2 Simple Privacy 3 sources Mozilla Location Services GeoIP Accuracy: City-level

834 views • 49 slides
Scalable Socket I/O PG Consultants Peter Gordon peter@pg-consultants.com Objective

Scalable Socket I/O PG Consultants Peter Gordon peter@pg-consultants.com Objective

Scalable Socket I/O PG Consultants Peter Gordon peter@pg-consultants.com Objective To download some http pages Quickly Start Small One socket use IO::Socket::INET my $socket = new IO::Socket::INET(PeerAddr =>

659 views • 14 slides
Implementazione di un client creazione socket connessione Dobbiamo andare a costruire un

Implementazione di un client creazione socket connessione Dobbiamo andare a costruire un

Implementazione di un client creazione socket connessione Dobbiamo andare a costruire un programma scambio dati in C che richiede un servizio chiusura canale socket() socket() SOCK_DGRAM SOCK_STREAM /etc/protocols SOCK_RAW

381 views • 6 slides
THT / SMT adapter for Test Socket Why need an adapter? In certain cases, you are not able to

THT / SMT adapter for Test Socket Why need an adapter? In certain cases, you are not able to

THT / SMT adapter for Test Socket Why need an adapter? In certain cases, you are not able to place any test socket on your board, because: - Its density is too high - It was not designed to accommodate any test socket. - The package

463 views • 3 slides
Socket programming Goal: learn how to build client/server application that communicate using

Socket programming Goal: learn how to build client/server application that communicate using

Socket programming Goal: learn how to build client/server application that communicate using sockets Socket API socket 5: Socket Programming introduced in BSD4.1 UNIX, a host-local , application- 1981 created/owned , Sockets are

404 views • 8 slides
Network Programming UNIX Internet Socket API Everything in Unix is a File When Unix programs

Network Programming UNIX Internet Socket API Everything in Unix is a File When Unix programs

Network Programming UNIX Internet Socket API Everything in Unix is a File When Unix programs do any sort of I/O, they do it by reading or writing to a file descriptor. A file descriptor is simply an integer associated with an open file.

612 views • 47 slides
Java 2 Micro Edition Socket, SMS and Bluetooth F. Ricci 2009/2010 Content Other Connection

Java 2 Micro Edition Socket, SMS and Bluetooth F. Ricci 2009/2010 Content Other Connection

Java 2 Micro Edition Socket, SMS and Bluetooth F. Ricci 2009/2010 Content Other Connection Types Responding to Incoming Connections Socket and Server Socket Security Permissions Security domains Midlet signing

1.04k views • 59 slides
Socket Programming Instruction Sheet In this lab, our goal is to make two machines talk to each

Socket Programming Instruction Sheet In this lab, our goal is to make two machines talk to each

Socket Programming Instruction Sheet In this lab, our goal is to make two machines talk to each other. You will have to write two programs: listener.c and talker.c based on the concepts you have learned so far. listener essentially sits on a

36 views • 3 slides
HTTP Server HTTP Server Servers: Concurrency and Creates a socket ( socket ) Bind s

HTTP Server HTTP Server Servers: Concurrency and Creates a socket ( socket ) Bind s

HTTP Server HTTP Server Servers: Concurrency and Creates a socket ( socket ) Bind s to an address Performance Listen s to setup accept backlog Can call accept to block waiting for connections (Can call select to check for

358 views • 9 slides
Building Engineering Programs at Concordia University Hua Ge, Ph.D., P. Eng. Department of

Building Engineering Programs at Concordia University Hua Ge, Ph.D., P. Eng. Department of

ASTM workshop on Building Science Education in North America Building Engineering Programs at Concordia University Hua Ge, Ph.D., P. Eng. Department of Building, Civil and Environmental Engineering April 6 2014 Dept. of Building, Civil &

441 views • 11 slides
Lab 2: OpenMP + NUMA CSE 6230: HPC Tools & Apps Fall 2014 September 9 Based in part

Lab 2: OpenMP + NUMA CSE 6230: HPC Tools & Apps Fall 2014 September 9 Based in part

Notes on Lab 2: OpenMP + NUMA CSE 6230: HPC Tools & Apps Fall 2014 September 9 Based in part on the LLNL tutorial @ https://computing.llnl.gov/tutorials/openMP/ See also the textbook, Chapters 68 Part 0: Code reviews + last shot

331 views • 10 slides
Recap: Pipes main() { char *s, buf[1024]; int fds[2]; s = Hello World \n"; /* create

Recap: Pipes main() { char *s, buf[1024]; int fds[2]; s = Hello World \n"; /* create

Recap: Pipes main() { char *s, buf[1024]; int fds[2]; s = Hello World \n"; /* create a pipe */ (*) Img. source: http://beej.us/guide/bgipc/output/html/multipage/pipes.html pipe (fds); /* create a new process using fork */ if ( fork

697 views • 32 slides
Client Design Client Design Srinidhi Varadarajan Topics Topics Concurrency in client

Client Design Client Design Srinidhi Varadarajan Topics Topics Concurrency in client

Client Design Client Design Srinidhi Varadarajan Topics Topics Concurrency in client Concepts Approaches TCP timed echo example Why Use Concurrency in Servers Servers ? ? Why Use Concurrency in Improved response time

188 views • 15 slides
UNP Chapter 4: Elementary TCP Sockets CMPS 105: Systems Programming Prof. Scott Brandt T Th

UNP Chapter 4: Elementary TCP Sockets CMPS 105: Systems Programming Prof. Scott Brandt T Th

UNP Chapter 4: Elementary TCP Sockets CMPS 105: Systems Programming Prof. Scott Brandt T Th 2-3:45 Soc Sci 2, Rm. 167 Introduction First: Elementary socket functions Next: TCP client-server example Concurrent services Common

1.31k views • 18 slides
DNA Interaction Follow Network Network User-Product Network Nonuniform network comm costs

DNA Interaction Follow Network Network User-Product Network Nonuniform network comm costs

Social Network Social Network Web Network DNA Interaction Follow Network Network User-Product Network Nonuniform network comm costs Nonuniform comp requirement Contentiousness of the memory Nonuniform comm requirement

861 views • 50 slides
Layers, Naming, and Sockets CS 118 Computer Network Fundamentals Peter Reiher Lecture 10 CS

Layers, Naming, and Sockets CS 118 Computer Network Fundamentals Peter Reiher Lecture 10 CS

Layers, Naming, and Sockets CS 118 Computer Network Fundamentals Peter Reiher Lecture 10 CS 118 Page 1 Winter 2016 Outline Whats a party? Inside names Outside names Linking the two Sockets as an example Lecture 10 CS

864 views • 70 slides
CSE 333 Section 8 Client-Side Networking Computer Networks: A 7-ish Layer Cake format/meaning

CSE 333 Section 8 Client-Side Networking Computer Networks: A 7-ish Layer Cake format/meaning

CSE 333 Section 8 Client-Side Networking Computer Networks: A 7-ish Layer Cake format/meaning of messages sending data end-to-end routing of packets across networks multiple computers on a local network bit encoding at signal level

434 views • 19 slides
Sockets Sockets Communication domains The original method for process communication in UNIX

Sockets Sockets Communication domains The original method for process communication in UNIX

Sockets Sockets Communication domains The original method for process communication in UNIX is pipes . All processes that communicates in the same communication domain use the same address format . A disadvantage with pipes is that they

267 views • 5 slides

More recommend