* Bpfilter Development
@ 2020-04-20 21:37 Christian Deacon
  2020-04-21 11:09 ` Toke Høiland-Jørgensen
  0 siblings, 1 reply; 4+ messages in thread
From: Christian Deacon @ 2020-04-20 21:37 UTC
  To: bpf

Hey everyone,


I apologize if this is the incorrect place to address this. I couldn't 
find any mailing list for Bpfilter specifically. If there is a better 
place to address this, suggestions are welcomed and appreciated!


I was wondering if Bpfilter is still under development or if the project 
development is at a halt. I am planning out my next major project that 
will be responsible for forwarding traffic and blocking (D)DoS attacks 
based off of filtering rules. As of right now, I'm trying to decide 
whether to use Bpfilter or XDP-native for blocking malicious traffic. 
With the project's current layout, I feel it would be easier using 
something like Bpfilter for this. However, I'm not sure when this will 
be completely developed to the point it'd be usable with my application. 
If this project is under development, is there any ETA on when it will 
be officially supported and in a usable state for most applications 
(specifically for dropping malicious traffic)?


One last question I had is if there were any estimates on how fast 
Bpfilter would be compared to XDP-native when dropping malicious 
packets. I'd assume they would see similar performance, but I'm not 
entirely sure.


Any help is highly appreciated and thank you for your time!



* Re: Bpfilter Development
  2020-04-20 21:37 Bpfilter Development Christian Deacon
@ 2020-04-21 11:09 ` Toke Høiland-Jørgensen
  2020-04-22 15:04   ` Christian Deacon
  0 siblings, 1 reply; 4+ messages in thread
From: Toke Høiland-Jørgensen @ 2020-04-21 11:09 UTC
  To: Christian Deacon, bpf

Christian Deacon <gamemann@gflclan.com> writes:

> Hey everyone,
>
>
> I apologize if this is the incorrect place to address this. I couldn't 
> find any mailing list for Bpfilter specifically. If there is a better 
> place to address this, suggestions are welcomed and appreciated!
>
>
> I was wondering if Bpfilter is still under development or if the project 
> development is at a halt. I am planning out my next major project that 
> will be responsible for forwarding traffic and blocking (D)DoS attacks 
> based off of filtering rules. As of right now, I'm trying to decide 
> whether to use Bpfilter or XDP-native for blocking malicious traffic. 
> With the project's current layout, I feel it would be easier using 
> something like Bpfilter for this. However, I'm not sure when this will 
> be completely developed to the point it'd be usable with my application. 
> If this project is under development, is there any ETA on when it will 
> be officially supported and in a usable state for most applications 
> (specifically for dropping malicious traffic)?

As a general rule I think you will find that there are very few upstream
developers who will commit to any ETA other than "when it's done". As
for bpfilter specifically, I am not aware of anyone actively working on
it at all...

> One last question I had is if there were any estimates on how fast 
> Bpfilter would be compared to XDP-native when dropping malicious 
> packets. I'd assume they would see similar performance, but I'm not 
> entirely sure.

I would expect that XDP would be significantly faster (as long as you
are using hardware with native XDP support in the driver). For DDOS
filtering specifically, I think it would be a no-brainer to just go with
XDP.

Feel free to use xdp-filter as a starting point:

https://github.com/xdp-project/xdp-tools/tree/master/xdp-filter

It's pretty dumb as far as expressing the filtering rules themselves are
concerned, but it does demonstrate how you might structure such a
program, including how to only load the BPF code needed to support the
active filtering rules. Pull requests always welcome to improve it as
well, of course :)

-Toke



* Re: Bpfilter Development
  2020-04-21 11:09 ` Toke Høiland-Jørgensen
@ 2020-04-22 15:04   ` Christian Deacon
  2020-04-22 15:18     ` Toke Høiland-Jørgensen
  0 siblings, 1 reply; 4+ messages in thread
From: Christian Deacon @ 2020-04-22 15:04 UTC
  To: Toke Høiland-Jørgensen, bpf

Hey Toke,


Thank you for your response!


Regarding the ETA rule, I will keep that noted in the future.


Thank you for the information regarding Bpfilter as well. It appears the 
development towards this has stopped at least temporarily. We will be 
looking into using XDP-native in this case! I will also take a look at 
the XDP-filter project you linked to see how everything is done, etc.


Thanks again!


On 4/21/2020 6:09 AM, Toke Høiland-Jørgensen wrote:
> Christian Deacon <gamemann@gflclan.com> writes:
>
>> Hey everyone,
>>
>>
>> I apologize if this is the incorrect place to address this. I couldn't
>> find any mailing list for Bpfilter specifically. If there is a better
>> place to address this, suggestions are welcomed and appreciated!
>>
>>
>> I was wondering if Bpfilter is still under development or if the project
>> development is at a halt. I am planning out my next major project that
>> will be responsible for forwarding traffic and blocking (D)DoS attacks
>> based off of filtering rules. As of right now, I'm trying to decide
>> whether to use Bpfilter or XDP-native for blocking malicious traffic.
>> With the project's current layout, I feel it would be easier using
>> something like Bpfilter for this. However, I'm not sure when this will
>> be completely developed to the point it'd be usable with my application.
>> If this project is under development, is there any ETA on when it will
>> be officially supported and in a usable state for most applications
>> (specifically for dropping malicious traffic)?
> As a general rule I think you will find that there are very few upstream
> developers who will commit to any ETA other than "when it's done". As
> for bpfilter specifically, I am not aware of anyone actively working on
> it at all...
>
>> One last question I had is if there were any estimates on how fast
>> Bpfilter would be compared to XDP-native when dropping malicious
>> packets. I'd assume they would see similar performance, but I'm not
>> entirely sure.
> I would expect that XDP would be significantly faster (as long as you
> are using hardware with native XDP support in the driver). For DDOS
> filtering specifically, I think it would be a no-brainer to just go with
> XDP.
>
> Feel free to use xdp-filter as a starting point:
>
> https://github.com/xdp-project/xdp-tools/tree/master/xdp-filter
>
> It's pretty dumb as far as expressing the filtering rules themselves are
> concerned, but it does demonstrate how you might structure such a
> program, including how to only load the BPF code needed to support the
> active filtering rules. Pull requests always welcome to improve it as
> well, of course :)
>
> -Toke
>


* Re: Bpfilter Development
  2020-04-22 15:04   ` Christian Deacon
@ 2020-04-22 15:18     ` Toke Høiland-Jørgensen
  0 siblings, 0 replies; 4+ messages in thread
From: Toke Høiland-Jørgensen @ 2020-04-22 15:18 UTC
  To: Christian Deacon, bpf

Christian Deacon <gamemann@gflclan.com> writes:

> Hey Toke,
>
>
> Thank you for your response!
>
>
> Regarding the ETA rule, I will keep that noted in the future.
>
>
> Thank you for the information regarding Bpfilter as well. It appears the 
> development towards this has stopped at least temporarily. We will be 
> looking into using XDP-native in this case! I will also take a look at 
> the XDP-filter project you linked to see how everything is done, etc.
>
>
> Thanks again!

Cool. You're welcome :)

-Toke

