Ship your firewall rules with your application using eBPF

silav delalê,

This week’s paper is a classic again: how to use eBPF to enhance network packet filtering in Linux. The authors discuss two use cases for eBPF and also provide example code, so you can check out exactly what they did and how.

It is quite a nice idea to ship your firewall rules with your application, e.g. to do DoS prevention directly against your home-baked network protocol (and we all love building them from time to time), and still keep high performance by running the code in the kernel. That is where eBPF differs: you can run your code directly in the kernel, though with no loops and only ~4kb program size.

The paper gave an overall nice intro into eBPF and use cases, so definitely check it out!

Software exists to create business value

I am Simon Frey, the author of the Weekly CS Paper Newsletter. And I have great news: You can work with me

As CTO as a Service, I will help you choose the right technology for your company, build up your team and be a deeply technical sparring partner for your product development strategy.

Check out my website simon-frey.com to learn more or directly contact me via the button below.


Abstract:

Firewall capabilities of operating systems are traditionally provided by inflexible filter routines or hooks in the kernel. These require privileged access to be configured and are not easily extensible for custom low-level actions. Since Linux 3.0, the Berkeley Packet Filter (BPF) allows user-written extensions in the kernel processing path. The successor, extended BPF (eBPF), improves flexibility and is realized via a virtual machine featuring both a just-in-time (JIT) compiler and an interpreter running in the kernel. It executes custom eBPF programs supplied by the user, effectively moving kernel functionality into user space. We present two case studies on the usage of Linux eBPF. First, we analyze the performance of the eXpress Data Path (XDP). XDP uses eBPF to process ingress traffic before the allocation of kernel data structures, which comes along with performance benefits. In the second case study, eBPF is used to install application-specific packet filtering configurations acting on the socket level. Our case studies focus on performance aspects and discuss benefits and drawbacks.

Download Link:

https://www.net.in.tum.de/fileadmin/bibtex/publications/papers/ITC30-Packet-Filtering-eBPF-XDP.pdf

