From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Willem de Bruijn <willemb@google.com>
Cc: netfilter-devel <netfilter-devel@vger.kernel.org>
Subject: Re: [PATCH next] iptables: add xt_bpf match
Date: Wed, 9 Jan 2013 10:52:20 +0100 [thread overview]
Message-ID: <20130109095220.GA11011@1984> (raw)
In-Reply-To: <CA+FuTSe-t0Cougo5_7hec6obgxon=8VdcreEB4_hJB5w881bYg@mail.gmail.com>
Hi Willem,
On Tue, Jan 08, 2013 at 08:58:37PM -0500, Willem de Bruijn wrote:
> On Mon, Jan 7, 2013 at 10:21 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > Hi Willem,
> >
> > On Sun, Dec 09, 2012 at 04:52:58PM -0500, Willem de Bruijn wrote:
> >> Support arbitrary linux socket filter (BPF) programs as iptables
> >> match rules. This allows for very expressive filters, and on
> >> platforms with BPF JIT appears competitive with traditional hardcoded
> >> iptables rules.
> >>
> >> At least, on an x86_64 that achieves 40K netperf TCP_STREAM without
> >> any iptables rules (40 GBps),
> >>
> >> inserting 100x this bpf rule gives 28K
> >>
> >> ./iptables -A OUTPUT -m bpf --bytecode '6,40 0 0 14, 21 0 3 2048,48 0 0 25,21 0 1 20,6 0 0 96,6 0 0 0,' -j
> >>
> >> (as generated by tcpdump -i any -ddd ip proto 20 | tr '\n' ',')
> >>
> >> inserting 100x this u32 rule gives 21K
> >>
> >> ./iptables -A OUTPUT -m u32 --u32 '6&0xFF=0x20' -j DROP
> >>
> >> The two are logically equivalent, as far as I can tell. Let me know
> >> if my test methodology is flawed in some way. Even in cases where
> >> slower, the filter adds functionality currently lacking in iptables,
> >> such as access to sk_buff fields like rxhash and queue_mapping.
> >>
> >> Signed-off-by: Willem de Bruijn <willemb@google.com>
> >> ---
> >> include/linux/netfilter/xt_bpf.h | 17 +++++++
> >> net/netfilter/Kconfig | 9 ++++
> >> net/netfilter/Makefile | 1 +
> >> net/netfilter/x_tables.c | 5 +-
> >> net/netfilter/xt_bpf.c | 86 ++++++++++++++++++++++++++++++++++++++
> >> 5 files changed, 116 insertions(+), 2 deletions(-)
> >> create mode 100644 include/linux/netfilter/xt_bpf.h
> >> create mode 100644 net/netfilter/xt_bpf.c
> >>
> >> diff --git a/include/linux/netfilter/xt_bpf.h b/include/linux/netfilter/xt_bpf.h
> >> new file mode 100644
> >> index 0000000..23502c0
> >> --- /dev/null
> >> +++ b/include/linux/netfilter/xt_bpf.h
> >> @@ -0,0 +1,17 @@
> >> +#ifndef _XT_BPF_H
> >> +#define _XT_BPF_H
> >> +
> >> +#include <linux/filter.h>
> >> +#include <linux/types.h>
> >> +
> >> +struct xt_bpf_info {
> >> + __u16 bpf_program_num_elem;
> >> +
> >> + /* only used in kernel */
> >> + struct sk_filter *filter __attribute__((aligned(8)));
> >
> > I see. You set match->userspacesize to zero in libxt_bpf to skip the
> > comparison of that internal struct sk_filter *filter.
> >
> >> +
> >> + /* variable size, based on program_num_elem */
> >> + struct sock_filter bpf_program[0];
> >
> > While testing this I noticed:
> >
> > iptables -I OUTPUT -m bpf --bytecode \
> > '6,40 0 0 14, 21 0 3 2048,48 0 0 25,21 0 1 20,6 0 0 96,6 0 0 0' -j ACCEPT
> >
> > Note that this works but it should not.
> >
> > iptables -D OUTPUT -m bpf --bytecode \
> > '6,40 0 0 14, 21 0 3 2048,48 0 0 25,21 0 1 20,6 0 0 96,1 0 0 0' -j ACCEPT
> > ^
> > Mind that 1, it's a different filter, but it deletes the previous
> > filter without problems here.
> >
> > A quick look at make_delete_mask() in iptables tells me that the
> > changes you made to userspace to allow variable size matches are not
> > enough to generate a sane mask (which is fundamental while looking for
> > a matching rule during the deletion).
>
> Thanks for finding this, Pablo. I completely forgot to check that.
>
> I've never looked at that deletion code before. Will read it and
> hopefully propose a simple fix in a few days. An earlier version of
> the patch used a statically sized struct, by the way, like xt_string
> does (XT_STRING_MAX_PATTERN_SIZE). If it is easier to
> incorporate, we can always revert to that.
I prefer if this sticks to static size by now. The problem is that
BPF_MAXINSNS is probably too much to allocate per rule. So you'll have
to limit this to some reasonable amount of lines in the filter.
Please, also check that iptables-save and iptables-restore work fine,
there is also some problem with the existing code.
Thanks.
next prev parent reply other threads:[~2013-01-09 9:52 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-12-05 19:22 [PATCH rfc] netfilter: two xtables matches Willem de Bruijn
2012-12-05 19:22 ` [PATCH 1/2] netfilter: add xt_priority xtables match Willem de Bruijn
2012-12-08 0:04 ` [PATCH] [RFC] netfilter: add xt_skbuff " Willem de Bruijn
2012-12-08 3:23 ` Pablo Neira Ayuso
2012-12-09 20:24 ` Willem de Bruijn
2012-12-09 20:28 ` [PATCH] " Willem de Bruijn
2012-12-05 19:22 ` [PATCH 2/2] netfilter: add xt_bpf " Willem de Bruijn
2012-12-05 19:48 ` Pablo Neira Ayuso
2012-12-05 20:10 ` Willem de Bruijn
2012-12-07 13:16 ` Pablo Neira Ayuso
2012-12-07 16:56 ` Willem de Bruijn
2012-12-08 3:31 ` Pablo Neira Ayuso
2012-12-08 16:02 ` Daniel Borkmann
2012-12-09 21:52 ` [PATCH next] iptables: add xt_bpf match Willem de Bruijn
2013-01-08 3:21 ` Pablo Neira Ayuso
2013-01-09 1:58 ` Willem de Bruijn
2013-01-09 9:52 ` Pablo Neira Ayuso [this message]
2013-01-10 0:08 ` Willem de Bruijn
2013-01-10 0:08 ` [PATCH next v2] " Willem de Bruijn
2013-01-10 0:15 ` [PATCH next v3] " Willem de Bruijn
2013-01-17 23:53 ` Pablo Neira Ayuso
2013-01-18 16:48 ` Willem de Bruijn
2013-01-18 17:17 ` [PATCH next] " Willem de Bruijn
2013-01-21 11:28 ` Pablo Neira Ayuso
2013-01-21 11:33 ` Pablo Neira Ayuso
2013-01-21 11:42 ` Florian Westphal
2013-01-21 12:03 ` Pablo Neira Ayuso
2013-01-21 16:02 ` Willem de Bruijn
2013-01-21 13:44 ` [PATCH next v3] " Pablo Neira Ayuso
2013-01-22 8:46 ` Florian Westphal
2013-01-22 9:46 ` Jozsef Kadlecsik
2013-01-22 10:03 ` Maciej Żenczykowski
2013-01-22 11:11 ` Pablo Neira Ayuso
2013-01-23 15:59 ` Willem de Bruijn
2013-01-23 16:21 ` Pablo Neira Ayuso
2013-01-23 16:38 ` Willem de Bruijn
2013-01-23 18:56 ` Pablo Neira Ayuso
2013-02-18 3:44 ` [PATCH] utils: bpf_compile Willem de Bruijn
2013-02-20 10:38 ` Daniel Borkmann
2013-02-21 4:35 ` Willem de Bruijn
2013-02-21 13:43 ` Daniel Borkmann
2013-03-12 15:44 ` [PATCH next] " Willem de Bruijn
2013-04-01 22:20 ` Pablo Neira Ayuso
2013-04-03 15:32 ` Willem de Bruijn
2013-04-04 9:34 ` Pablo Neira Ayuso
2013-02-18 3:52 ` [PATCH next v3] iptables: add xt_bpf match Willem de Bruijn
2013-02-24 2:15 ` Maciej Żenczykowski
2013-02-27 20:39 ` Willem de Bruijn
2012-12-05 19:28 ` [PATCH rfc] netfilter: two xtables matches Willem de Bruijn
2012-12-05 20:00 ` Jan Engelhardt
2012-12-05 21:45 ` Willem de Bruijn
2012-12-05 21:50 ` Willem de Bruijn
2012-12-05 22:35 ` Jan Engelhardt
2012-12-06 5:22 ` Pablo Neira Ayuso
2012-12-06 21:12 ` Willem de Bruijn
2012-12-07 7:22 ` Pablo Neira Ayuso
2012-12-07 13:20 ` Pablo Neira Ayuso
2012-12-07 17:26 ` Willem de Bruijn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130109095220.GA11011@1984 \
--to=pablo@netfilter.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=willemb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.