Securing Linux with a faster and scalable iptables

Miano, Sebastiano; Bertrone, Matteo; Risso, Fulvio; Bernal, Mauricio Vasquez; Lu, Yunsong; Pi, Jianwen

doi:10.1145/3371927.3371929

“…The NAT is an eBPF re-implementation of the corresponding Linux Netfilter application, configured with a single two-way SNAT/masquerading rule: the source IP of every packet is replaced with the IP of the outgoing NAT port and a separate L4 source port is allocated for each new flow. BPF-iptables is an eBPF/XDP clone [67] of the well-known Linux iptables framework, configured with 5-tuple rules generated by Classbench [93]. We used the Classbench trace generator [92] to generate packets matching the created rule set using a Pareto cumulative density function to control the locality of reference.…”

Section: Discussionmentioning

confidence: 99%

Domain specific run time optimization for software data planes

Miano

¹

,

Sanaee

²

,

Risso

³

et al. 2022

Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems

Self Cite

View full text Add to dashboard Cite

State-of-the-art approaches to design, develop and optimize software packet-processing programs are based on static compilation: the compiler's input is a description of the forwarding plane semantics and the output is a binary that can accommodate any control plane configuration or input traffic.In this paper, we demonstrate that tracking control plane actions and packet-level traffic dynamics at run time opens up new opportunities for code specialization. We present Morpheus, a system working alongside static compilers that continuously optimizes the targeted networking code. We introduce a number of new techniques, from static code analysis to adaptive code instrumentation, and we implement a toolbox of domain specific optimizations that are not restricted to a specific data plane framework or programming language. We apply Morpheus to several eBPF and DPDK programs including Katran, Facebook's production-grade load balancer. We compare Morpheus against state-of-the-art optimization frameworks and show that it can bring up to 2x throughput improvement, while halving the 99th percentile latency. CCS CONCEPTS• Networks → Middle boxes / network appliances; Data center networks; End nodes; • Software and its engineering → Dynamic compilers; Just-in-time compilers.

show abstract

“…The NAT is an eBPF re-implementation of the corresponding Linux Netfilter application, configured with a single two-way SNAT/ masquerading rule: the source IP of every packet is replaced with the IP of the outgoing NAT port and a separate L4 source port is allocated for each new flow. BPF-iptables is an eBPF/XDP clone [60] of the well-known Linux iptables framework, configured with 500 wildcard 5-tuple rules generated by Classbench [85]. Finally, Katran [40] was configured as a web-frontend, with 10 TCP services/VIPs and 100 backend servers for each VIP.…”

Section: Discussionmentioning

confidence: 99%

Dynamic Recompilation of Software Network Services with Morpheus

Miano,

Sanaee,

Risso

et al. 2021

Preprint

Self Cite

0

View full text Add to dashboard Cite

State-of-the-art approaches to design, develop and optimize software packet-processing programs are based on static compilation: the compiler's input is a description of the forwarding plane semantics and the output is a binary that can accommodate any control plane configuration or input traffic.In this paper, we demonstrate that tracking control plane actions and packet-level traffic dynamics at run time opens up new opportunities for code specialization. We present Morpheus, a system working alongside static compilers that continuously optimizes the targeted networking code. We introduce a number of new techniques, from static code analysis to adaptive code instrumentation, and we implement a toolbox of domain specific optimizations that are not restricted to a specific data plane framework or programming language. We apply Morpheus to several eBPF and DPDK programs including Katran, Facebook's production-grade load balancer. We compare Morpheus against state-of-the-art optimization frameworks and show that it can bring up to 2x throughput improvement, while halving the 99th percentile latency.

show abstract

“…Packet classifiers are often accompanied by caching systems that provide some adjustability to traffic. Due to its simplicity, a linear lookup structure is commonly applied in practice, e.g., in the default firewall suite of the Linux operating system kernel called iptables [21], the OpenFlow reference switch [24], and in many QoS classifiers.…”

Section: Related Workmentioning

confidence: 99%

Self-Adjusting Packet Classification

Pacut¹,

Vanerio²,

Addanki³

et al. 2021

Preprint

0

View full text Add to dashboard Cite

This paper is motivated by the vision of more efficient packet classification mechanisms that self-optimize in a demand-aware manner. At the heart of our approach lies a self-adjusting linear list data structure, where unlike in the classic data structure, there are dependencies, and some items must be in front of the others; for example, to correctly classify packets by rules arranged in a linked list, each rule must be in front of lower priority rules that overlap with it. After each access we can rearrange the list, similarly to Move-To-Front, but dependencies need to be respected.We present a 4-competitive online rearrangement algorithm, whose cost is at most four times worse than the optimal offline algorithm; no deterministic algorithm can be better than 3-competitive. The algorithm is simple and attractive, especially for memory-limited systems, as it does not require any additional memory (e.g., neither timestamps nor frequency statistics). Our approach can simply be deployed as a drop-in replacement for a static datastructure, potentially benefitting many existing networks.We evaluate our self-adjusting list packet classifier on realistic ruleset and traffic instances. We find that our classifier performs similarly to a static list for low-locality traffic, but significantly outperforms Efficuts (by a factor 7x), CutSplit (3.6x), and the static list (14x) for high locality and small rulesets. Memory consumption is 10x lower on average compared to Efficuts and CutSplit.

show abstract

Securing Linux with a faster and scalable iptables

Cited by 36 publications

References 10 publications

Domain specific run time optimization for software data planes

Domain specific run time optimization for software data planes

Dynamic Recompilation of Software Network Services with Morpheus

Self-Adjusting Packet Classification

Contact Info

Product

Resources

About