LWN: Comments on "BPF comes to firewalls"

BPF comes to firewalls

valentine — Fri, 26 Jul 2019 20:13:44 +0000

Hi all,
I've some small questions about the post.
- What is the relationship between BPF and eBPF?
- I still haven't understood how to work BP: are attached at the express data path (XDP) layer, so they are run from the network-interface drivers or not? If yes the NIC drivers must be rewritten?

BPF comes to firewalls

antiphase — Mon, 13 Aug 2018 16:37:01 +0000

Use ipset to create address lists instead of using individual per-address rules. It doesn't change the reload behaviour, but it will potentially hugely reduce the number of rules if you're matching in similar ways just with different addresses, and is also faster shifting packets as a bonus.

BPF comes to firewalls

fest3er — Mon, 13 Aug 2018 04:07:12 +0000

How many rules are you talking about? In some testing 4-6 years ago, I found that iptables could not handle more than about 20 000 rules at a time. Any more and some rules would be 'lost'. IPtables was happy to add 1 000 000 rules as long as I added them around 15 000 at a time (meaning a COMMIT every 15 000 or so). Adding so many rules wasn't real speedy, but it also wasn't outrageously slow.

BPF comes to firewalls

manhnt — Thu, 19 Apr 2018 02:26:07 +0000

Well, as kleptog mentioned, there are cases where iptables update can get lost some rules. I've met such cases. Does anyone know how to solve that properly? What I did was simply retrying until success, which may not be an optimum solution.

BPF comes to firewalls

jengelh — Thu, 01 Mar 2018 11:31:38 +0000

>For instance, nftables involves stringing together commands in a way that highly resembles a run-on sentence:
>
> nft add rule ip filter forward oifname ppp0 tcp flags syn tcp option maxseg size set 1452
>
>It's not immediately obvious how the syntax works and what words fit in where in the hierarchy.

This is where the iptables UI excels - the tokens for "options" and tokens for "values" never ever overlap, I am tempted to say *context-free*. The nft "tcp" instead could either mean "-p tcp" or "--tcp-flags ..." depending on where it's located, and what makes the bpf/ip/tc/nft syntax so terrible.

BPF comes to firewalls

kleptog — Sat, 24 Feb 2018 20:07:10 +0000

Well that explains things... I heard someone mumbling about how iptables updates can get lost and I couldn't see how, until now.

In any case, if we do firewall rules as BPF we end up with the same problem surely? The performance improvement would be that you can pass your firewall through an compiler/optimiser to make it more efficient, but as a side effect you end up with the same problem, namely, to update a single rule you need to replace the whole program. Only now you've added an optimise step in between.

Unless you change your API to transactional one where you can send updates and get a confirmation asynchronously and the backend is smart enough to avoid actually updating the kernel for every change.

BPF comes to firewalls

ofranja — Fri, 23 Feb 2018 23:01:57 +0000

> Developers should be careful, though; this could prove to be a slippery slope leading toward something that starts to look like a microkernel architecture.

Or, even further, an exokernel architecture.

In the original MIT exokernel research (~1995), a packet filter language w/JIT compiler is mentioned as a way to filter and delegate network traffic to userspace with minimal [1] kernel support (although not necessarily using these terms, but the general idea is the same).

[1] https://pdos.csail.mit.edu/archive/exo/exo-slides/sld011.htm

BPF comes to firewalls

pomac — Wed, 21 Feb 2018 13:26:59 +0000

I find this really interesting, I've wondered and tried to push a change to bpf for a while but =)

Anyway, for those that want to follow the threads in a easier manner:

https://marc.info/?l=linux-netdev&m=151905824829539&... - [PATCH RFC PoC 0/3] nftables meets bpf
https://marc.info/?l=netfilter-devel&m=15187884440366... - [PATCH RFC 0/4] net: add bpfilter

BPF comes to firewalls

florianfainelli — Wed, 21 Feb 2018 00:20:34 +0000

You would think it would, but this was actually a custom VM, Pablo just posted patches to do exactly that though:

https://www.mail-archive.com/netdev@vger.kernel.org/msg21...

BPF comes to firewalls

florianfainelli — Wed, 21 Feb 2018 00:15:31 +0000

Fortunately we now have extended netlink acks to give you a more meaningful error code...

BPF comes to firewalls

flussence — Tue, 20 Feb 2018 16:17:21 +0000

I've got a working (AFAIK) nftables setup. The end result looks pretty after months of tweaking, but I completely agree on how unnecessarily painful it was to get there. Spitting nothing but strerror(-ENOENT) at the user whenever any module is missing from the kernel is a nasty thing to do…

BPF comes to firewalls

josh — Tue, 20 Feb 2018 16:17:13 +0000

It was originally used for filtering of packets for tools like tcpdump, so that when you say "show me traffic on tcp port 80 to this IP" the kernel can very quickly select the data you want and feed it to you at wire speed.

BPF comes to firewalls

ringerc — Tue, 20 Feb 2018 15:25:11 +0000

Yeah, it's a lot like someone looked at the "tc" and "ip" commands and thought "what a great UI, lets do that".

BPF comes to firewalls

kooky — Tue, 20 Feb 2018 13:40:29 +0000

I thought nftables ruleset already used BPF?

I've been using nftables and find it just works now I've got the hang.

Tim

BPF comes to firewalls

iq-0 — Tue, 20 Feb 2018 12:56:10 +0000

I'm in favor of a jit-able packet filter that might partially be offloaded to hardware.

But the real challenges are often not the ruleset overhead, but are related to connection tracking, matching against advanced set datastructures and in the interaction with the rest of the network stack. I feel like here is a basic conflict between calling kernel functions to get better access to advanced algorithms and datastructures and the basic JIT and offloading story of bpfilter.

And didn't BPF programs have a size constraint? Or is that something that can be worked around using BPF_MAP_TYPE_PROG_ARRAY?

BPF comes to firewalls

bernat — Tue, 20 Feb 2018 12:19:19 +0000

It will download the whole ruleset from the kernel, modify it to add/remove the single rule and upload it again. When your ruleset becomes huge, adding/removing a single rule takes a significant time.

BPF comes to firewalls

vadim — Tue, 20 Feb 2018 07:51:53 +0000

nftables is a quite nice idea. I think the problem with it was that they were slow at implementing the last few features that were actually quite important.

For instance, nftables can do MSS clamping only since kernel 4.14. This was released this November. nftables has been around since 2014, like this article says. MSS clamping is a feature in wide use for DSL and fiber setups, and this is important precisely to the kinds of people that want to run their own firewall.

IMO, the other problem with it is that the documentation is still not great, and the syntax leaves a lot to be desired.

For instance, nftables involves stringing together commands in a way that highly resembles a run-on sentence:

    nft add rule ip filter forward oifname ppp0 tcp flags syn tcp option maxseg size set 1452

It's not immediately obvious how the syntax works and what words fit in where in the hierarchy. The way "ppp0" is not quoted or delimited in any way also makes it hard to tell apart commands from data, though this can be done as seen below. There's a C-ish form that looks a bit nicer, but then when you run into a command that starts with "nft add" it's not obvious how to put that into your config file, which looks like:

table ip filter {
	# allow packets from LAN to WAN, and WAN to LAN if LAN initiated the connection
	chain forward {
		iifname "lan0" oifname "wan0" accept
        }
}

Note how it is subtly different: we go from "ip filter" to "table ip filter", and from "forward" to "chain forward", and for someone not familiar with the syntax it's not really apparent that "oifname" in the first example is the point where you'd want to start copy/pasting.

I hope that besides the technical details, the makers of BPF also take care of producing a better syntax and good documentation.

BPF comes to firewalls

dgm — Tue, 20 Feb 2018 07:17:35 +0000

And the "B" stands for Berkely, where it originated. The Wikipedia article (https://en.wikipedia.org/wiki/Berkeley_Packet_Filter) is a bit light on details, but you will find them in the original paper (http://www.tcpdump.org/papers/bpf-usenix93.pdf).

BPF comes to firewalls

epa — Tue, 20 Feb 2018 07:01:02 +0000

So what is the origin of BPF? I thought the PF stood for packet filter because it had originated as a way to compile firewall rules — but according to the article this is the first time it has been used there.

BPF comes to firewalls

kay — Tue, 20 Feb 2018 06:46:03 +0000

iptables command can ... but not the API

BPF comes to firewalls

valberg — Tue, 20 Feb 2018 06:42:27 +0000

Thanks, Jonathan, for another great article.

BPF comes to firewalls

eahay — Tue, 20 Feb 2018 04:35:01 +0000

Iptables can delete or insert a single rule at a time...