unifying network filtering rules for the linux kernel
play

Unifying network filtering rules for the Linux kernel with eBPF - PowerPoint PPT Presentation

Aug 25, 2023 •179 likes •415 views

FOSDEM19 Brussels, 2019-02-02 Unifying network filtering rules for the Linux kernel with eBPF Quentin Monnet <quentin.monnet@netronome.com> @qeole Outline Several network filtering mechanisms in the Linux kernel What are they,

  1. FOSDEM’19 • Brussels, 2019-02-02 Unifying network filtering rules for the Linux kernel with eBPF Quentin Monnet <quentin.monnet@netronome.com> @qeole

  2. Outline Several network filtering mechanisms in the Linux kernel What are they, and what do they do? How are they used? Latest addition: eBPF What does it bring to filter networking? Increasing number of convergence leads between the different models What are the objectives? How can they be unified? Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 2/22

  3. Some network filtering mechanisms in the Linux kernel Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 3/22

  4. Netfilter (iptables/nf_tables) Framework for packet filtering (firewall), NAT Often the default choice for dropping flows Several front-end components (ebtables, arptables, iptables, ip6tables, nf_tables, conntrack) Back-end: Netfilter nf_tables successor to iptables: more flexible, more efficient Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 4/22

  5. Traffic Control filters (tc, iproute2) TC framework for Traffic Control in the kernel: traffic shaping, scheduling, policing, dropping “Queueing disciplines” (qdisc), possibly applied to “classes” Filters are used to dispatch packets into the different classes (Traffic control mostly applies to egress traffic, but filters also usable for ingress) Framework actually using a variety of filters: Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 5/22 • basic (ematch, “extended match”) • flow • flower • u32 • [bpf] • Specific filters: fw, route, rsvp, tcindex

  6. Hardware filters (ethtool) “Receive network flow classification”: Hardware filters Main objective: flow steering, but able to drop flows Needs hardware support, not all NICs have it Rules set with ethtool -U (ioctl) Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 6/22

  7. pcap-filters, cBPF (e.g. for tcpdump) Facility from the libpcap library Takes an expression and turns it into a filter Output is legacy BPF (cBPF), attached to sockets in the kernel (or run in user space if not on Linux) Used by tcpdump (see tcpdump -i eth0 -d <expr> ) Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 7/22

  8. Filtering hooks Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 8/22 Userspace BPF on socket Net fi lter ingress Net fi lter egress (PREROUTING, INPUT) (OUTPUT, POSTROUTING) Kernel stack TC ingress TC egress Kernel Driver Hardware fi lters (set up with ethtool) Hardware (NIC)

  9. Many rule syntaxes Example rule: Drop incoming IP(v4) HTTP packets # iptables -A INPUT -i eth0 \ -p tcp --dport 80 -j drop # nft add rule ip filter input iif eth0 \ tcp dport 80 drop # tcpdump -i eth0 \ ip and tcp dst port 80 # tc filter add dev eth0 ingress flower \ ip_proto tcp dst_port 80 action drop # ethtool -U eth0 \ flow-type tcp4 dst-port 80 action -1 Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 9/22

  10. Many other ways to filter packets The list is not exhaustive Other frameworks are available (many of them out of kernel space) Software switches: Open vSwitch, etc. User space processing: DPDK (rte-flows), firewall apps, etc. P4 as another way to implement switches/filters, compile to target … Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 10/22

  11. Enter eBPF Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 11/22

  12. Introduction to eBPF Generic, efficient, secure in-kernel (Linux) virtual machine Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF In the rest of the presentation: “BPF” means “eBPF” Specific features: Maps, tail calls, helper functions 12/22 Event-based programs injected, verified and attached in the kernel Tracing/Monitoring Sockets TC Kprobe/Uprobe (traf fi c control) Networking XDP Tracepoint (network driver) eBPF Lightweight Tunnel Perf Event Encapsulation Flow Dissector Others to come? Infrared Cgroups Remote Control

  13. BPF hooks for network packet processing Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 13/22 Userspace BPF on socket Net fi lter ingress Net fi lter egress (PREROUTING, INPUT) (OUTPUT, POSTROUTING) Kernel stack TC ingress TC egress BPF as TC fi lter BPF XDP (“generic”) Kernel BPF XDP (driver support) Driver BPF Hardware fi lters (TC/XDP o ffl oad) (set up with ethtool) Hardware (NIC) Agilio SmartNIC

  14. What BPF brings to network filtering BPF is POWER! Programmability (change network processing at runtime) In-kernel verifier: safety, security of the programs JIT (Just-in-time) compiler available for main architectures: speed! Low-level (driver hooks): speed!! Hardware offload: speed!!! Also: Headaches, long nights spent rewriting the filters Additional pain to pass the verifier But keep in mind: BPF is self-contained, well defined, flexible Maybe a good intermediate representation to represent filters? Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 14/22

  15. Convergence of the models Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 15/22

  16. Why unifying? User side: Transparently reuse existing set of rules Benefit from the best of each world: flexibility, ease of use, performance Developer side: Easier to work on a common intermediate representation rather than on a variety of distinct back-ends Better uncoupling of the front- and back-ends Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 16/22

  17. flow_rule infrastructure Work in progress from Pablo Neira Ayuso—No BPF in this one Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF Stop exposing TC front-end details to drivers (easier to add features to TC) Unified IR passed to the driver: avoid having one parser for each ACL front-end Motivation: 17/22 Intermediate representation for ACL hardware offloads Based on Linux flow dissector infrastructure and TC actions Can be used by different front-ends such as HW filters, TC, Netfilter Hardware fi lters TC Net fi lter (via ioctl) (via Netlink) (via Netlink) Userspace Translates native interface representation to fl ow_rule IR fl ow_rule IR Kernel front end Parses fl ow_rule IR Kernel to populate HW IR Hardware IR Driver O ffl oads fi lter as HW IR Hardware (NIC)

  18. bpfilter: BPF-based firewall bpfilter : new back-end for iptables in Linux, based on BPF Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF Improve performance (JIT, offloads) Reuse rules from iptables Motivation: 18/22 Also: proposal for nf_tables to BPF translation on top of bpfilter Rules are translated into a BPF program The iptables binary is left untouched user space, for rule translation Uses a special kernel module launching an ELF executable in a special thread in bp fi lter UMH iptables special thread Userspace translates inject rules rules to eBPF Net fi lter bp fi lter.ko subsystem module Kernel bp fi lter BPF hook

  19. libkefir: a library to convert ACLs to BPF programs Comes as a library, for inclusion in other projects Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF Sorry, not published yet! libkefir : KE rnel FI ltering R ules: Work in progress @ Netronome 19/22 And give BPF-compatible C source code to users, so they can hack it But do not try to handle all cases Turn simple ACL rules into hackable BPF programs Motivation similar to bpfilter: reuse rules, with improved performance ethtool rules Userspace TC fl ower rules libke fi r C source code iptables rules pcap-lib BPF bytecode expressions BPF program attached Kernel

  20. Wrapping up Various frameworks for packet filtering in Linux BPF is one of them, brings new perspectives in terms of programmability, performance, speed, speed and speed Convergence between different models is beginning to emerge: Easier handling of rules for driver developers (flow_rule IR proposal) Reuse of existing rules for users (bpfilter, libkefir) Better performance for those existing set of rules Also, consider: P4 as another approach for convergence—BPF is one target BPF used in other places: Open vSwitch datapath, DPDK eBPF as a heterogeneous processing ABI (LPC 2018) Usage of a DSL for producing BPF programs, but targeted at tracing the Linux kernel: bpftrace Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 20/22

  21. Thank you! Questions Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 21/22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many

Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many

Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many of us need to debug the Linux kernel Proprietary tools like Trace32 and DS-5 are $$$ Open source debuggers like GDB lack kernel

884 views • 40 slides
Intro to Linux Kernel Programming Don Porter Lab 4 You will write a Linux kernel module

Intro to Linux Kernel Programming Don Porter Lab 4 You will write a Linux kernel module

Intro to Linux Kernel Programming Don Porter Lab 4 You will write a Linux kernel module Linux is written in C, but does not include all standard libraries And some other idiosyncrasies This lecture will give you a crash

1.35k views • 22 slides
1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel

1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel

1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel vulnerability research Thats unavoidable, but the linux kernel developers dont do very much to make the situation any better. -- Basically, the

625 views • 36 slides
Lecture 18: Packet Filtering Firewalls (Linux) Lecture Notes on Computer and Network

Lecture 18: Packet Filtering Firewalls (Linux) Lecture Notes on Computer and Network

Lecture 18: Packet Filtering Firewalls (Linux) Lecture Notes on Computer and Network Security by Avi Kak (kak@purdue.edu) March 24, 2015 3:44pm 2015 Avinash Kak, Purdue University c Goals: Packet-filtering vs. proxy-server

828 views • 70 slides
Declare Your Linux Network State! with nmstate Edward Haas, Red Hat &lt; edwardh@redhat.com &gt;

Declare Your Linux Network State! with nmstate Edward Haas, Red Hat &lt; edwardh@redhat.com &gt;

Declare Your Linux Network State! with nmstate Edward Haas, Red Hat &lt; edwardh@redhat.com &gt; Till Maas, Red Hat &lt; till@redhat.com &gt; Linux kernel Hardware 3 Red Hat oVirt Ifcfg initscripts iproute2 ethtool Netlink Linux kernel

532 views • 37 slides
Assembly Programming on Linux Assembly Programming on Linux Necessity OS Kernel Development

Assembly Programming on Linux Assembly Programming on Linux Necessity OS Kernel Development

Assembly Programming on Linux Assembly Programming on Linux Necessity OS Kernel Development 80x86 Sparc Alpha Some device drivers SCSI Controller Video Card Network Card Others that has ROM on board .. Compiler/Interpreter/Cross

282 views • 11 slides
Hacking on Xen in the Linux Kernel Lisa Nguyen, Linux Kernel Intern FOSS Outreach Program for

Hacking on Xen in the Linux Kernel Lisa Nguyen, Linux Kernel Intern FOSS Outreach Program for

Hacking on Xen in the Linux Kernel Lisa Nguyen, Linux Kernel Intern FOSS Outreach Program for Women LinuxCon North America 2013 Agenda Introduction What Got Me Interested in OPW Project Overview Xen Block Ring Protocol

922 views • 13 slides
Introduction to Linux Kernel Modules Luca Abeni luca.abeni@santannapisa.it Linux Kernel Modules

Introduction to Linux Kernel Modules Luca Abeni luca.abeni@santannapisa.it Linux Kernel Modules

Introduction to Linux Kernel Modules Luca Abeni luca.abeni@santannapisa.it Linux Kernel Modules Kernel module: code that can be dynamically loaded/unloaded into the kernel at runtime Change the kernel code without needing to reboot

545 views • 13 slides
GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The

GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The

GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The GNU userland consists of libc, the init system (SystemD) X11 GUI toolkits etc. Ask the audience Who has used

442 views • 22 slides
. Kernel The Variability Model of the Linux Extra Conclusions Linux Study Introduction .

. Kernel The Variability Model of the Linux Extra Conclusions Linux Study Introduction .

. Krzysztof Czarnecki, Andrzej Wsowski The Variability Model of the Linux Kernel . . January 26, 2010 IT University of Copenhagen University of Leipzig University of Waterloo Steven She, Rafael Lotufo, Thorsten Berger, . Kernel The

928 views • 39 slides
Linux Kernel Security &amp; Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux

Linux Kernel Security &amp; Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux

Linux Kernel Security &amp; Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux Kernel Widespread Deployed on: powerful (high performance compute clusters) sensitive (bank, gov. systems, ..) safety critical

995 views • 29 slides
Linux Kernel Synchronization System Calls Synchronization in Kernel the kernel RCU File

Linux Kernel Synchronization System Calls Synchronization in Kernel the kernel RCU File

3/1/20 COMP 790: OS Implementation COMP 790: OS Implementation Logical Diagram Binary Memory Threads Formats Allocators User Todays Lecture Linux Kernel Synchronization System Calls Synchronization in Kernel the kernel RCU File

647 views • 8 slides
Linux Kernel Debugging Linux Kernel Debugging Advanced Operating Systems 2018/2019

Linux Kernel Debugging Linux Kernel Debugging Advanced Operating Systems 2018/2019

Linux Kernel Debugging Linux Kernel Debugging Advanced Operating Systems 2018/2019 http://d3s.mff.cuni.cz CHARLES UNIVERSITY IN PRAGUE faculty of mathematjcs and physics faculty of mathematjcs and physics Vlastimil Babka vbabka@suse.cz

1.6k views • 62 slides
Normal and Exotic use cases of NUMA features in the Linux Kernel Christopher Lameter, Ph.D.

Normal and Exotic use cases of NUMA features in the Linux Kernel Christopher Lameter, Ph.D.

Normal and Exotic use cases of NUMA features in the Linux Kernel Christopher Lameter, Ph.D. cl@linux.com Collaboration Summit, Napa Valley, 2014 Non Uniform Memory access in the Linux Kernel Memory is segmented into nodes so that

518 views • 12 slides
Making C Less Dangerous in the Linux Kernel Kees Cook | @keescook LINUX.CONF.AU 21-25 January

Making C Less Dangerous in the Linux Kernel Kees Cook | @keescook LINUX.CONF.AU 21-25 January

Making C Less Dangerous in the Linux Kernel Kees Cook | @keescook LINUX.CONF.AU 21-25 January The Linux of Things | #LCA2019 | @linuxconfau 2019 Christchurch, NZ Making C Less Dangerous in the Linux Kernel Linux Conf AU January 25,

505 views • 29 slides
Linux Kernel Debugging Your kernel just oopsed - What do you do, hotshot? Muli Ben-Yehuda

Linux Kernel Debugging Your kernel just oopsed - What do you do, hotshot? Muli Ben-Yehuda

Linux Kernel Debugging Your kernel just oopsed - What do you do, hotshot? Muli Ben-Yehuda mulix@mulix.org IBM Haifa Research Lab Kernel Debugging, Haifux 2003 p.1/19 Kernel Debugging - Why? Why would we want to debug the kernel? after

308 views • 19 slides
Voice Coding with Opus Koen Vos, Karsten Vandborg Srensen, Sren Skak Jensen, Jean-Marc Valin

Voice Coding with Opus Koen Vos, Karsten Vandborg Srensen, Sren Skak Jensen, Jean-Marc Valin

Voice Coding with Opus Koen Vos, Karsten Vandborg Srensen, Sren Skak Jensen, Jean-Marc Valin Two Opus presentations This talk: Voice Mode (Koen) Features Technology Listening test results Next talk: Audio Mode

501 views • 20 slides
Communication Systems RTP-QoS University of Freiburg Computer Science Computer Networks and

Communication Systems RTP-QoS University of Freiburg Computer Science Computer Networks and

Communication Systems RTP-QoS University of Freiburg Computer Science Computer Networks and Telematics Prof. Christian Schindelhauer Organization I. Data and voice communication in IP networks II. Security issues in networking

883 views • 41 slides
End-to-end Methods for Traffic Shaping Detection, Performance Problem Diagnosis, Home Wireless

End-to-end Methods for Traffic Shaping Detection, Performance Problem Diagnosis, Home Wireless

End-to-end Methods for Traffic Shaping Detection, Performance Problem Diagnosis, Home Wireless Troubleshooting Partha Kanuparthy Joint work with Constantine Dovrolis AIMS 2011, CAIDA Friday, February 11, 2011 1 Three Tools ShaperProbe :

561 views • 38 slides
Using TCP/IP Traffic shaping to achieve iSCSI service predictability Paper presentation Jarle

Using TCP/IP Traffic shaping to achieve iSCSI service predictability Paper presentation Jarle

Using TCP/IP Traffic shaping to achieve iSCSI service predictability Paper presentation Jarle Bjrgeengen University of Oslo / USIT November 11, 2010 Outline About resource sharing in storage devices Lab setup / job setup Experiment

538 views • 29 slides
Congestion Control Jean Walrand www.eecs.berkeley.edu/~ wlr Outline The Problem What is fair?

Congestion Control Jean Walrand www.eecs.berkeley.edu/~ wlr Outline The Problem What is fair?

Congestion Control Jean Walrand www.eecs.berkeley.edu/~ wlr Outline The Problem What is fair? Approaches Walrand 2 The Problem Flows share links: How to share the links bandwidth? Walrand 3 The Problem What should be the ideal

439 views • 26 slides
D&amp;R IP-SoC Days Shanghai Nikos Zervas CEO, CAST Inc. 1 Automotive IP Cores: Challenges

D&amp;R IP-SoC Days Shanghai Nikos Zervas CEO, CAST Inc. 1 Automotive IP Cores: Challenges

Automotive IP Cores: Challenges &amp; Solutions D&amp;R IP-SoC Days Shanghai Nikos Zervas CEO, CAST Inc. 1 Automotive IP Cores: Challenges &amp; Solutions Data Center on Wheels Cameras 20-40 MB/sec GPS ~50 KB/sec Sensors 1 - 3 MB/sec

626 views • 15 slides
Wireless Networks and Protocols MAP-Tele Manuel P. Ricardo Faculdade de Engenharia da

Wireless Networks and Protocols MAP-Tele Manuel P. Ricardo Faculdade de Engenharia da

WNP-MPR-qos 1 Wireless Networks and Protocols MAP-Tele Manuel P. Ricardo Faculdade de Engenharia da Universidade do Porto WNP-MPR-qos 2 Topics Scheduled for Today Quality of Service Characterization and models Case studies

818 views • 49 slides
An Architecture of a Network Controller for QoS Management in Home Networks with Lots of IoT

An Architecture of a Network Controller for QoS Management in Home Networks with Lots of IoT

An Architecture of a Network Controller for QoS Management in Home Networks with Lots of IoT Devices and Services Daisuke Kotani (Kyoto University) IoT Services in Home 2019/1/13 2 l So many use cases are proposed u Energy monitoring and

488 views • 19 slides

More recommend