* egress packet filtering
@ 2018-04-27 13:31 Bobby Powers
  2018-04-27 13:36 ` Edward Cree
  0 siblings, 1 reply; 6+ messages in thread
From: Bobby Powers @ 2018-04-27 13:31 UTC (permalink / raw)
  To: xdp-newbies

Hi folks!

I've been reading about eBPF and XDP, and I _think_ that XDP can only
filter incoming (ingress) packets on a machine, not outgoing packets.
Is that right?  In particular I've been looking at:

https://jvns.ca/blog/2017/04/07/xdp-bpf-tutorial/
https://www.netdevconf.org/2.1/slides/apr7/gospodarek-Netdev2.1-XDP-for-the-Rest-of-Us_Final.pdf
https://github.com/netoptimizer/prototype-kernel/tree/master/kernel/samples/bpf

And What I Really Want To Do is create an eBPF filter that will
selectively drop outgoing packets on a particular TCP stream.  The
idea is to simulate underlying network/firewall misconfigurations so I
can observe the effect on higher-level software (like an HTTP client,
a load balancer, and an HTTP server).  I think I can accomplish this
with `tc` and the `cls_bpf` and `act_bpf` modules, as documented here:

http://man7.org/linux/man-pages/man8/tc-bpf.8.html

Does that sound about right?  Am I right in understanding that the
main difference between using a BPF classifier/action and XDP filter
is that performance of XDP filters is higher (because there is some
amount of integration with the NIC/driver), and they only process
ingress traffic?

Thanks for the help!

yours,
Bobby

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: egress packet filtering
  2018-04-27 13:31 egress packet filtering Bobby Powers
@ 2018-04-27 13:36 ` Edward Cree
  2018-04-27 13:41   ` Bobby Powers
  0 siblings, 1 reply; 6+ messages in thread
From: Edward Cree @ 2018-04-27 13:36 UTC (permalink / raw)
  To: Bobby Powers, xdp-newbies

On 27/04/18 14:31, Bobby Powers wrote:
> Does that sound about right?  Am I right in understanding that the
> main difference between using a BPF classifier/action and XDP filter
> is that performance of XDP filters is higher (because there is some
> amount of integration with the NIC/driver), and they only process
> ingress traffic?
The higher performance of XDP is because the processing, being done in
 the driver, happens earlier in the RX path (thus avoiding the bulk of
 network stack processing for packets that e.g. are only going to be
 dropped anyway).
But on TX, the analogous driver code would be the _last_ thing in the
 path, rather than the first, so in such a case the `tc` approach
 should probably perform better than an XDP analogue.

Apart from that, your understanding appears to be correct.

HTH,
-Ed


* Re: egress packet filtering
  2018-04-27 13:36 ` Edward Cree
@ 2018-04-27 13:41   ` Bobby Powers
  2018-04-27 13:54     ` Daniel Borkmann
  2018-04-27 13:55     ` Edward Cree
  0 siblings, 2 replies; 6+ messages in thread
From: Bobby Powers @ 2018-04-27 13:41 UTC (permalink / raw)
  To: Edward Cree; +Cc: xdp-newbies

On Fri, Apr 27, 2018 at 9:36 AM, Edward Cree <ecree@solarflare.com> wrote:
> The higher performance of XDP is because the processing, being done in
>  the driver, happens earlier in the RX path (thus avoiding the bulk of
>  network stack processing for packets that e.g. are only going to be
>  dropped anyway).
> But on TX, the analogous driver code would be the _last_ thing in the
>  path, rather than the first, so in such a case the `tc` approach
>  should probably perform better than an XDP analogue.

Thanks, that is super useful for my mental model!

Does that mean it is possible (if slow) to use an XDP filter for TX?
I attached a simple one based on the DDOS filter from here:

https://github.com/netoptimizer/prototype-kernel/tree/master/kernel/samples/bpf

that just debug logged IPs + ports, and I only seemed to see incoming
(and not outgoing) packets in the logs.  Is there a different/extra
flag to pass to have an XDP filter run on TX?


yours,
Bobby


* Re: egress packet filtering
  2018-04-27 13:41   ` Bobby Powers
@ 2018-04-27 13:54     ` Daniel Borkmann
  2018-04-27 13:55     ` Edward Cree
  1 sibling, 0 replies; 6+ messages in thread
From: Daniel Borkmann @ 2018-04-27 13:54 UTC (permalink / raw)
  To: Bobby Powers, Edward Cree; +Cc: xdp-newbies

On 04/27/2018 03:41 PM, Bobby Powers wrote:
> On Fri, Apr 27, 2018 at 9:36 AM, Edward Cree <ecree@solarflare.com> wrote:
>> The higher performance of XDP is because the processing, being done in
>>  the driver, happens earlier in the RX path (thus avoiding the bulk of
>>  network stack processing for packets that e.g. are only going to be
>>  dropped anyway).
>> But on TX, the analogous driver code would be the _last_ thing in the
>>  path, rather than the first, so in such a case the `tc` approach
>>  should probably perform better than an XDP analogue.
> 
> Thanks, that is super useful for my mental model!
> 
> Does that mean it is possible (if slow) to use an XDP filter for TX?
> I attached a simple one based on the DDOS filter from here:
> 
> https://github.com/netoptimizer/prototype-kernel/tree/master/kernel/samples/bpf
> 
> that just debug logged IPs + ports, and I only seemed to see incoming
> (and not outgoing) packets in the logs.  Is there a different/extra
> flag to pass to have an XDP filter run on TX?

Check out the extensive doc at http://cilium.readthedocs.io/en/latest/bpf/;
there are XDP and tc program types described, besides many other things.
What you propose, attaching BPF to tc's clsact egress hook, would be most
suitable for what you describe.

Thanks,
Daniel

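The tc clsact egress approach recommended above, worked through as an added example (not code from this thread, from Cilium, or from the prototype-kernel samples): a cls_bpf classifier that drops outgoing TCP segments to one destination port, which is the "simulate a broken path and watch the HTTP client / load balancer / server react" scenario from the first mail. The frame-parsing logic is plain C so it compiles and runs under gcc with a constructed frame; under `clang -target bpf` the same function is wrapped as the tc program in the `__BPF__` section. The interface name `eth0`, the port 8080, the addresses and the object/section names are assumptions chosen for the example.

```c
/* Added example: tc egress classifier that black-holes one TCP stream.
 * Plain-C build (gcc) exercises the parser on a constructed frame;
 * BPF build (clang -O2 -target bpf -c drop_egress.c -o drop_egress.o)
 * produces the cls_bpf object. Port, interface and addresses are assumed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define EX_ETH_HLEN     14
#define EX_ETHERTYPE_IP 0x0800
#define EX_IPPROTO_TCP  6
#define EX_TARGET_PORT  8080   /* assumption: the TCP stream to break */

static inline uint16_t ex_be16(const unsigned char *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Return 1 if [data, data_end) is an Ethernet/IPv4/TCP frame whose TCP
 * destination port equals `target`, else 0. Every field is bounds-checked
 * against data_end before it is read: that is what the eBPF verifier demands
 * in the kernel build, and it also rejects truncated frames in the gcc build. */
static inline int ex_tcp_dst_port_matches(const unsigned char *data,
                                          const unsigned char *data_end,
                                          uint16_t target)
{
    if (data + EX_ETH_HLEN > data_end)
        return 0;
    if (ex_be16(data + 12) != EX_ETHERTYPE_IP)      /* EtherType */
        return 0;

    const unsigned char *ip = data + EX_ETH_HLEN;
    if (ip + 20 > data_end || (ip[0] >> 4) != 4)    /* IPv4 fixed header */
        return 0;
    unsigned ihl = (ip[0] & 0x0f) * 4;              /* IHL: 20..60 bytes */
    if (ihl < 20 || ip + ihl > data_end)
        return 0;
    if (ip[9] != EX_IPPROTO_TCP)                    /* protocol field */
        return 0;

    const unsigned char *tcp = ip + ihl;
    if (tcp + 20 > data_end)                        /* TCP fixed header */
        return 0;
    return ex_be16(tcp + 2) == target;              /* TCP destination port */
}

#ifdef __BPF__
#include <linux/bpf.h>
#include <linux/pkt_cls.h>
#include <bpf/bpf_helpers.h>

/* cls_bpf entry point; with `da` (direct-action) the return value is the verdict. */
SEC("classifier")
int drop_egress_tcp(struct __sk_buff *skb)
{
    const unsigned char *data     = (const unsigned char *)(long)skb->data;
    const unsigned char *data_end = (const unsigned char *)(long)skb->data_end;

    if (ex_tcp_dst_port_matches(data, data_end, EX_TARGET_PORT))
        return TC_ACT_SHOT;   /* drop silently: the peer sees a black-holed path */
    return TC_ACT_OK;         /* everything else continues down the TX path */
}

char _license[] SEC("license") = "GPL";
#else
#include <stdio.h>

/* Constructed 54-byte Ethernet/IPv4/TCP SYN frame, 10.0.0.1 -> 10.0.0.2,
 * no checksums (the classifier never reads them). Returns the frame length. */
static size_t ex_build_frame(unsigned char *buf, uint16_t dst_port)
{
    memset(buf, 0, 64);
    memset(buf, 0x02, 12);                           /* dummy dst/src MACs */
    buf[12] = 0x08; buf[13] = 0x00;                  /* EtherType IPv4 */
    unsigned char *ip = buf + EX_ETH_HLEN;
    ip[0] = 0x45; ip[3] = 40; ip[8] = 64; ip[9] = EX_IPPROTO_TCP;
    ip[12] = 10; ip[15] = 1;                         /* src 10.0.0.1 */
    ip[16] = 10; ip[19] = 2;                         /* dst 10.0.0.2 */
    unsigned char *tcp = ip + 20;
    tcp[0] = 0xc0; tcp[1] = 0x00;                    /* src port 49152 */
    tcp[2] = (unsigned char)(dst_port >> 8);
    tcp[3] = (unsigned char)(dst_port & 0xff);
    tcp[12] = 0x50; tcp[13] = 0x02;                  /* data offset 5, SYN */
    return EX_ETH_HLEN + 20 + 20;
}

/* Build a frame to `dst_port`, optionally truncate it to `keep` bytes
 * (0 = whole frame), and return the classifier's match result (1 = drop). */
static int ex_classify(uint16_t dst_port, size_t keep)
{
    unsigned char frame[64];
    size_t n = ex_build_frame(frame, dst_port);
    if (keep != 0 && keep < n)
        n = keep;
    return ex_tcp_dst_port_matches(frame, frame + n, EX_TARGET_PORT);
}

int main(void)
{
    printf("SYN to port %d: %s\n", EX_TARGET_PORT, ex_classify(EX_TARGET_PORT, 0) ? "DROP" : "PASS");
    printf("SYN to port 443: %s\n", ex_classify(443, 0) ? "DROP" : "PASS");
    printf("truncated frame: %s\n", ex_classify(EX_TARGET_PORT, 40) ? "DROP" : "PASS");
    return 0;
}
#endif
```

To attach the BPF build on the egress side, create the clsact qdisc once with `tc qdisc add dev eth0 clsact`, then `tc filter add dev eth0 egress bpf da obj drop_egress.o sec classifier`; `da` is the direct-action mode from the tc-bpf man page, so the classifier's `TC_ACT_SHOT` is applied without a separate act_bpf action. `tc filter show dev eth0 egress` confirms the filter is in place, and `tc qdisc del dev eth0 clsact` removes the whole experiment. Because the drop is silent, the client under test should see timeouts and retransmits rather than resets, which is the failure mode a misconfigured firewall produces.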

* Re: egress packet filtering
  2018-04-27 13:41   ` Bobby Powers
  2018-04-27 13:54     ` Daniel Borkmann
@ 2018-04-27 13:55     ` Edward Cree
  2018-04-27 14:00       ` Bobby Powers
  1 sibling, 1 reply; 6+ messages in thread
From: Edward Cree @ 2018-04-27 13:55 UTC (permalink / raw)
  To: Bobby Powers; +Cc: xdp-newbies

On 27/04/18 14:41, Bobby Powers wrote:
> Does that mean it is possible (if slow) to use an XDP filter for TX?
No, there is no current support for running XDP on TX.  My previous
 email was an attempt to explain why.

-Ed


* Re: egress packet filtering
  2018-04-27 13:55     ` Edward Cree
@ 2018-04-27 14:00       ` Bobby Powers
  0 siblings, 0 replies; 6+ messages in thread
From: Bobby Powers @ 2018-04-27 14:00 UTC (permalink / raw)
  To: Edward Cree; +Cc: xdp-newbies

On Fri, Apr 27, 2018 at 9:55 AM, Edward Cree <ecree@solarflare.com> wrote:
> No, there is no current support for running XDP on TX.  My previous
>  email was an attempt to explain why.

Got it, thanks!  Was attempting to discern between "it isn't a good
idea" vs. "it isn't currently possible".

yours,
Bobby
