At the core of fast network packet processing lies the ability to filter packets, or in other words, to apply a set of rules on packets, usually consisting of a pattern to match (L2 to L4 source and destination addresses and ports, protocols, etc.) and corresponding actions (redirect to a given queue, or drop the packet, etc.). Over the years, several filtering frameworks have been added to Linux. While at the lower level, ethtool can be used to configure N-tuple rules on the receive side for the hardware, the upper layers of the stack got equipped with rules for firewalling (Netfilter), traffic shaping (TC), or packet switching (Open vSwitch for example). In this presentation, Quentin Monnet reviewed the needs for those filtering frameworks and the particularities of each one. Then focuses on the changes brought by eBPF and XDP in this landscape: as BPF programs allow for very flexible processing and can be attached very low in the stack—at the driver level, or even run on the NIC itself—they offer filtering capabilities with no precedent in terms of performance and versatility in the kernel. Lastly, the third part explores potential leads in order to create bridges between the different rule formats and to make it easier for users to build their filtering eBPF programs.

1. FOSDEM’19 • Brussels, 2019-02-02
Unifying network filtering rules for the Linux kernel with eBPF
Quentin Monnet
<quentin.monnet@netronome.com>
@qeole

2. Outline
Several network filtering mechanisms in the Linux kernel
What are they, and what do they do?
How are they used?
Latest addition: eBPF
What does it bring to filter networking?
Increasing number of convergence leads between the different models
What are the objectives?
How can they be unified?
Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 2/22

3. Some network filtering mechanisms in the Linux kernel
Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 3/22

4. Netfilter (iptables/nf_tables)
Framework for packet filtering (firewall), NAT
Often the default choice for dropping flows
Several front-end components (ebtables, arptables, iptables, ip6tables,
nf_tables, conntrack)
Back-end: Netfilter
nf_tables successor to iptables: more flexible, more efficient
Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 4/22

5. Traffic Control filters (tc, iproute2)
TC framework for Traffic Control in the kernel: traffic shaping, scheduling,
policing, dropping
“Queueing disciplines” (qdisc), possibly applied to “classes”
Filters are used to dispatch packets into the different classes
(Traffic control mostly applies to egress traffic, but filters also usable
for ingress)
Framework actually using a variety of filters:
• basic (ematch, “extended match”)
• flow
• flower
• u32
• [bpf]
• Specific filters: fw, route, rsvp, tcindex
Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 5/22

6. Hardware filters (ethtool)
“Receive network flow classification”: Hardware filters
Main objective: flow steering, but able to drop flows
Needs hardware support, not all NICs have it
Rules set with ethtool -U (ioctl)
Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 6/22

7. pcap-filters, cBPF (e.g. for tcpdump)
Facility from the libpcap library
Takes an expression and turns it into a filter
Output is legacy BPF (cBPF), attached to sockets in the kernel
(or run in user space if not on Linux)
Used by tcpdump (see tcpdump -i eth0 -d <expr>)
Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 7/22

8. Filtering hooks
Kernel
Userspace
Hardware (NIC)
Driver
Kernel stack
TC ingress TC egress
Hardware filters
(set up with ethtool)
BPF
on socket
Netfilter egress
(OUTPUT, POSTROUTING)
Netfilter ingress
(PREROUTING, INPUT)
Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 8/22

9. Many rule syntaxes
Example rule: Drop incoming IP(v4) HTTP packets
# iptables -A INPUT -i eth0
-p tcp --dport 80 -j drop
# nft add rule ip filter input iif eth0
tcp dport 80 drop
# tcpdump -i eth0
ip and tcp dst port 80
# tc filter add dev eth0 ingress flower
ip_proto tcp dst_port 80 action drop
# ethtool -U eth0
flow-type tcp4 dst-port 80 action -1
Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 9/22

10. Many other ways to filter packets
The list is not exhaustive
Other frameworks are available (many of them out of kernel space)
Software switches: Open vSwitch, etc.
User space processing: DPDK (rte-flows), firewall apps, etc.
P4 as another way to implement switches/filters, compile to target
…
Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 10/22

11. Enter eBPF
Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 11/22

12. Introduction to eBPF
Generic, efficient, secure in-kernel (Linux) virtual machine
Event-based programs injected, verified and attached in the kernel
Lightweight Tunnel
Encapsulation
TC
(traffic control)
Cgroups
Perf Event
Tracepoint
XDP
(network driver)
Sockets
Kprobe/Uprobe
Others to come?
Networking
Tracing/Monitoring
Flow Dissector
Infrared
Remote Control
eBPF
Specific features: Maps, tail calls, helper functions
In the rest of the presentation: “BPF” means “eBPF”
Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 12/22

13. BPF hooks for network packet processing
Kernel
Userspace
Hardware (NIC)
Driver
Kernel stack
TC ingress TC egress
Hardware filters
(set up with ethtool)
BPF
on socket
Netfilter egress
(OUTPUT, POSTROUTING)
Netfilter ingress
(PREROUTING, INPUT)
Agilio SmartNIC
BPF
(TC/XDP offload)
BPF XDP
(“generic”)
BPF XDP
(driver support)
BPF
as TC filter
Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 13/22

14. What BPF brings to network filtering
BPF is POWER!
Programmability (change network processing at runtime)
In-kernel verifier: safety, security of the programs
JIT (Just-in-time) compiler available for main architectures: speed!
Low-level (driver hooks): speed!!
Hardware offload: speed!!!
Also:
Headaches, long nights spent rewriting the filters
Additional pain to pass the verifier
But keep in mind: BPF is self-contained, well defined, flexible
Maybe a good intermediate representation to represent filters?
Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 14/22

15. Convergence of the models
Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 15/22

16. Why unifying?
User side:
Transparently reuse existing set of rules
Benefit from the best of each world: flexibility, ease of use,
performance
Developer side:
Easier to work on a common intermediate representation rather than
on a variety of distinct back-ends
Better uncoupling of the front- and back-ends
Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 16/22

17. flow_rule infrastructure
Work in progress from Pablo Neira Ayuso—No BPF in this one
Intermediate representation for ACL hardware offloads
Based on Linux flow dissector infrastructure and TC actions
Can be used by different front-ends such as HW filters, TC, Netfilter
Kernel
Userspace
Hardware (NIC)
Driver
Kernel front end
Hardware IR
flow_rule IR
TC
(via Netlink)
Hardware filters
(via ioctl)
Netfilter
(via Netlink)
Parses flow_rule IR
to populate HW IR
Translates native
interface representation
to flow_rule IR
Offloads filter
as HW IR
Motivation:
Unified IR passed to the driver: avoid having one parser for each ACL front-end
Stop exposing TC front-end details to drivers (easier to add features to TC)
Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 17/22

18. bpfilter: BPF-based firewall
bpfilter: new back-end for iptables in Linux, based on BPF
The iptables binary is left untouched
Rules are translated into a BPF program
Uses a special kernel module launching an ELF executable in a special thread in
user space, for rule translation
Also: proposal for nf_tables to BPF translation on top of bpfilter
Kernel
Userspace
bpfilter UMH
special thread
bpfilter.ko
module
Netfilter
subsystem
bpfilter
BPF hook
iptables
inject rules
translates
rules to eBPF
Motivation:
Reuse rules from iptables
Improve performance (JIT, offloads)
Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 18/22

19. libkefir: a library to convert ACLs to BPF programs
libkefir: KErnel FIltering Rules: Work in progress @ Netronome
Turn simple ACL rules into hackable BPF programs
Motivation similar to bpfilter: reuse rules, with improved performance
But do not try to handle all cases
And give BPF-compatible C source code to users, so they can hack it
Comes as a library, for inclusion in other projects
Kernel
Userspace
TC flower
rules
ethtool rules
pcap-lib
expressions
iptables rules
libkefir
BPF bytecode
BPF program
attached
C source code
Sorry, not published yet!
Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 19/22

20. Wrapping up
Various frameworks for packet filtering in Linux
BPF is one of them, brings new perspectives in terms of programmability,
performance, speed, speed and speed
Convergence between different models is beginning to emerge:
Easier handling of rules for driver developers (flow_rule IR proposal)
Reuse of existing rules for users (bpfilter, libkefir)
Better performance for those existing set of rules
Also, consider:
P4 as another approach for convergence—BPF is one target
BPF used in other places: Open vSwitch datapath, DPDK
eBPF as a heterogeneous processing ABI (LPC 2018)
Usage of a DSL for producing BPF programs, but targeted at tracing the
Linux kernel: bpftrace
Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 20/22

21. Thank you!
Questions
Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 21/22

22. References
Additional resources:
Dive into BPF: a list of reading material
https://qmonnet.github.io/whirl-offload/2016/09/01/dive-into-bpf/
Why is the kernel community replacing iptables with BPF?
https://cilium.io/blog/2018/04/17/why-is-the-kernel-community-replacing-iptables/
[PATCH net-next,v6 00/12] add flow_rule infrastructure
https://lwn.net/ml/netdev/20181214181205.28812-1-pablo%40netfilter.org/
BPF comes to firewalls
https://lwn.net/Articles/747551/
Bringing the Power of eBPF to Open vSwitch (William Tu et al., LPC 2018)
http://vger.kernel.org/lpc_net2018_talks/ovs-ebpf-lpc18-presentation.pdf
Using eBPF as a heterogeneous ABI (Jakub Kicinski, LPC 2018)
http://vger.kernel.org/lpc-bpf.html#session-8
DPDK documentation, Berkeley Packet Filter Library
http://doc.dpdk.org/guides/prog_guide/bpf_lib.html
Nothing yet on libkefir… Stay tuned!
Q. Monnet | Unifying network filtering rules for the Linux kernel with eBPF 22/22