BPF comes to firewalls

BPF comes to firewalls

Posted Feb 20, 2018 4:35 UTC (Tue) by eahay (guest, #110720)
Parent article: BPF comes to firewalls

Iptables can delete or insert a single rule at a time...


BPF comes to firewalls

Posted Feb 20, 2018 6:46 UTC (Tue) by kay (guest, #1362) [Link]

iptables command can ... but not the API

BPF comes to firewalls

Posted Feb 20, 2018 12:19 UTC (Tue) by bernat (subscriber, #51658) [Link] (1 responses)

It will download the whole ruleset from the kernel, modify it to add/remove the single rule and upload it again. When your ruleset becomes huge, adding/removing a single rule takes a significant time.

BPF comes to firewalls

Posted Feb 24, 2018 20:07 UTC (Sat) by kleptog (subscriber, #1183) [Link]

Well that explains things... I heard someone mumbling about how iptables updates can get lost and I couldn't see how, until now.

In any case, if we do firewall rules as BPF we end up with the same problem surely? The performance improvement would be that you can pass your firewall through a compiler/optimiser to make it more efficient, but as a side effect you end up with the same problem, namely, to update a single rule you need to replace the whole program. Only now you've added an optimise step in between.

Unless you change your API to a transactional one where you can send updates and get a confirmation asynchronously and the backend is smart enough to avoid actually updating the kernel for every change.

BPF comes to firewalls

Posted Apr 19, 2018 2:26 UTC (Thu) by manhnt (guest, #123784) [Link] (2 responses)

Well, as kleptog mentioned, there are cases where an iptables update can lose some rules. I've met such cases. Does anyone know how to solve that properly? What I did was simply retrying until success, which may not be an optimum solution.

BPF comes to firewalls

Posted Aug 13, 2018 4:07 UTC (Mon) by fest3er (guest, #60379) [Link]

How many rules are you talking about? In some testing 4-6 years ago, I found that iptables could not handle more than about 20 000 rules at a time. Any more and some rules would be 'lost'. iptables was happy to add 1 000 000 rules as long as I added them around 15 000 at a time (meaning a COMMIT every 15 000 or so). Adding so many rules wasn't real speedy, but it also wasn't outrageously slow.

BPF comes to firewalls

Posted Aug 13, 2018 16:37 UTC (Mon) by antiphase (subscriber, #111993) [Link]

Use ipset to create address lists instead of using individual per-address rules. It doesn't change the reload behaviour, but it will potentially hugely reduce the number of rules if you're matching in similar ways just with different addresses, and is also faster shifting packets as a bonus.
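An added example, not code posted by any commenter in this thread, covering both workarounds above: fest3er's batched loading with a COMMIT after every N rules, and antiphase's ipset approach that collapses a long address list into one rule. It only generates restore-format text; the address file, the batch size and the set name `blocklist` are assumed inputs, and the privileged load commands appear as comments.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates iptables-restore and
# ipset restore input from a file of addresses (one per line); loading it
# into the kernel is a separate privileged step shown in the comments.

# Batched variant (fest3er's workaround): one "*filter ... COMMIT" block per
# BATCH rules, so iptables-restore pushes the ruleset in chunks instead of
# one huge transaction. Load with:
#   iptables-restore --noflush < out.rules
# --noflush is essential: without it every "*filter" block replaces the
# whole table, wiping the batches loaded before it.
gen_batched_rules() {
    addrfile=$1
    batch=${2:-15000}            # fest3er reported ~15 000 per COMMIT worked
    awk -v batch="$batch" '
        (NR - 1) % batch == 0 { print "*filter" }       # open a new batch
        { printf "-A INPUT -s %s -j DROP\n", $1 }       # one rule per address
        NR % batch == 0       { print "COMMIT" }        # close a full batch
        END { if (NR % batch != 0) print "COMMIT" }     # close a partial last batch
    ' "$addrfile"
}

# ipset variant (antiphase's suggestion): all addresses go into one hash:ip
# set and the firewall needs a single rule matching against it, so the
# iptables ruleset stays tiny however long the list is. Load with:
#   ipset restore -exist < out.set
#   iptables -A INPUT -m set --match-set blocklist src -j DROP
gen_ipset_rules() {
    addrfile=$1
    setname=${2:-blocklist}      # assumed set name
    maxelem=${3:-1048576}        # hash:ip defaults to 65536 entries; raise it for big lists
    printf 'create %s hash:ip maxelem %s\n' "$setname" "$maxelem"
    awk -v set="$setname" '{ printf "add %s %s\n", set, $1 }' "$addrfile"
}
```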

