Iptables netmap example

In the previous article I briefly introduced XDP (eXpress Data Path) and eBPF, the multipurpose in-kernel virtual machine. On the XDP side, I focused only on the motivations behind this new technology, the reasons for rearchitecting the Linux kernel networking layer to enable faster packet processing. However, I didn't get much into the details of how XDP works. In this new blog post I try to go deeper into XDP.

The design of XDP has its roots in a DDoS attack mitigation solution presented by Cloudflare at Netdev 1.1. Cloudflare leans heavily on iptables, which according to their own metrics is able to handle 1 Mpps on a decent server (Source: Why we use the Linux kernel's TCP stack). In the event of a DDoS attack, the amount of spoofed traffic can be up to 3 Mpps. Under those circumstances, a Linux box starts to be flooded by IRQ interrupts until it becomes unusable. Because Cloudflare wanted to keep the convenience of using iptables (and the rest of the kernel's network stack), they couldn't go with a solution that takes full control of the hardware, such as DPDK.

Their solution consisted of implementing what they called a "partial kernel bypass". Some queues of the NIC are still attached to the kernel while others are attached to a user-space program that decides whether a packet should be dropped or not. Cloudflare's solution used the Netmap toolkit to implement its partial kernel bypass (Source: Single Rx queue kernel bypass with Netmap). By dropping packets at the lowest point of the stack, the amount of traffic that reaches the kernel's networking subsystem is significantly reduced.

However, this idea can be generalized by adding a checkpoint in the Linux kernel network stack, preferably as soon as a packet is received by the NIC. This checkpoint should pass a packet to a user-space program that decides what to do with it: drop it or let it continue through the normal path. Luckily, Linux already features a mechanism that allows user-space code execution within the kernel: the eBPF VM.

Linux network stack with XDP

Every network function, no matter how complex it is, consists of a series of basic operations:

  • Firewall: read incoming packets, compare them to a table of rules and execute an action: forward or drop.
  • NAT: read incoming packets, modify headers and forward the packet.
  • Tunnelling: read incoming packets, create a new packet, embed the packet in the new one and forward it.

XDP passes packets to our eBPF program, which decides what to do with them. We can read them or modify them if we need to. We can also call helper functions to parse packets, compute checksums, and more, at no cost (avoiding system call penalties). And thanks to eBPF maps we have access to complex data structures for persistent data storage, like tables. We are also able to decide what to do with a packet. Are we going to drop it? Forward it? To control a packet's processing logic, XDP provides a set of predefined actions:

  • XDP_DROP: drop the packet.
  • XDP_PASS: pass the packet to the normal network stack.
  • XDP_TX: forward, or TX-bounce, the packet back out of the same interface.
  • XDP_REDIRECT: redirect the packet to another NIC or CPU.
  • XDP_ABORTED: indicates an eBPF program error.

XDP_PASS, XDP_TX and XDP_REDIRECT are specific cases of a forwarding action, whereas XDP_ABORTED is actually treated as a packet drop. Let's take a look at one example that uses most of these elements to program a simple network function. The canonical example when introducing XDP is a DDoS filter. What such a network function does is drop packets if they come from a suspicious origin. In my case, I'm going with something even simpler: a function that filters out all traffic except IPv6. The advantage of this simpler function is that we don't need to manage a list of suspicious addresses.
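As an added illustration of the IPv6-only filter described above (my own example, not the author's code and not a loadable XDP program): it mirrors the shape of an XDP entry point, seeing only a [data, data_end) window and bounds-checking before every access, which is exactly what the in-kernel verifier demands of a real program. The action codes are defined locally with the values of the kernel's enum xdp_action so the file builds with a plain C compiler and no kernel headers; the sample Ethernet frames are constructed, and their addresses are placeholders.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Action codes with the same values as enum xdp_action in <linux/bpf.h>,
 * defined locally so this host-side simulation needs no kernel headers. */
enum xdp_action_local {
    XDP_ABORTED = 0,
    XDP_DROP = 1,
    XDP_PASS = 2,
    XDP_TX = 3,
    XDP_REDIRECT = 4,
};

#define ETH_HDR_LEN 14          /* dst MAC (6) + src MAC (6) + EtherType (2) */
#define ETHERTYPE_IPV6 0x86DDu  /* EtherType of IPv6 on the wire */

/* Same contract as an XDP program: only [data, data_end) may be touched, and
 * every access must be preceded by a bounds check. A truncated frame without
 * a full Ethernet header is dropped rather than read past its end. */
static int xdp_ipv6_only(const void *data, const void *data_end)
{
    const unsigned char *p = data;
    const unsigned char *end = data_end;

    /* Equivalent of "if (data + sizeof(struct ethhdr) > data_end)" in a real
     * XDP program, written as a length comparison so no out-of-bounds pointer
     * is ever formed in user space. */
    if (end < p || (size_t)(end - p) < ETH_HDR_LEN)
        return XDP_DROP;

    /* EtherType is big-endian at offset 12. */
    unsigned ethertype = ((unsigned)p[12] << 8) | p[13];
    return ethertype == ETHERTYPE_IPV6 ? XDP_PASS : XDP_DROP;
}

/* Wrapper for a frame held in a buffer of known length. */
int filter_frame(const unsigned char *frame, size_t len)
{
    return xdp_ipv6_only(frame, frame + len);
}

/* Human-readable name for an action, for printing results. */
const char *action_name(int action)
{
    switch (action) {
    case XDP_ABORTED:  return "XDP_ABORTED";
    case XDP_DROP:     return "XDP_DROP";
    case XDP_PASS:     return "XDP_PASS";
    case XDP_TX:       return "XDP_TX";
    case XDP_REDIRECT: return "XDP_REDIRECT";
    default:           return "unknown";
    }
}

/* Constructed sample frames: header bytes only, payloads truncated. */
static const unsigned char ipv6_frame[] = {
    0x33, 0x33, 0x00, 0x00, 0x00, 0x01,  /* dst MAC (placeholder) */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,  /* src MAC (placeholder) */
    0x86, 0xdd,                          /* EtherType: IPv6 */
    0x60, 0x00, 0x00, 0x00               /* first bytes of an IPv6 header */
};
static const unsigned char ipv4_frame[] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,  /* dst MAC (broadcast) */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x02,  /* src MAC (placeholder) */
    0x08, 0x00,                          /* EtherType: IPv4 */
    0x45, 0x00                           /* first bytes of an IPv4 header */
};
static const unsigned char short_frame[] = { 0x00, 0x01, 0x02 };  /* truncated */

int main(void)
{
    printf("ipv6_frame  -> %s\n", action_name(filter_frame(ipv6_frame, sizeof ipv6_frame)));
    printf("ipv4_frame  -> %s\n", action_name(filter_frame(ipv4_frame, sizeof ipv4_frame)));
    printf("short_frame -> %s\n", action_name(filter_frame(short_frame, sizeof short_frame)));
    return 0;
}
```

The bounds check is the part worth carrying over to a real program: the kernel's verifier rejects any XDP program that reads packet bytes without first proving the access stays below data_end, so a frame shorter than the Ethernet header has to be handled explicitly, here by dropping it.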