Kernel TLV, profile picture
Uploaded byKernel TLV
PDF, PPTX3,163 views

Building Network Functions with eBPF & BCC

The document discusses the development and applications of eBPF (Extended Berkeley Packet Filter) and BCC (BPF Compiler Collection), highlighting their use in networking functions, packet filtering, and system call filtering. It details enhancements in Linux, including JIT compilation, various hooking points, and the ability to build complex eBPF programs using predefined functions and data structures. The document also provides examples of practical applications such as custom statistics and network load balancing.

Software
In this document
Powered by AI
See More

Introduction of Shmulik Ladkani's work on BPF & eBPF with an agenda including theory and practice.

Overview of BPF, its architecture, capabilities for user-level packet capture, and applications like Libpcap.

Details on Linux enhancements such as packet metadata access, JIT compilation, and Seccomp BPF.

eBPF introduces powerful features including tracing and profiling capabilities, with enhanced program operations. Applications of eBPF in network security, statistics, and monitoring; detailed description of eBPF maps.

Overview of various program types available in eBPF and the helper functions that can be called.

Introduction to BPF Compiler Collection (BCC) and its role in simplifying the use of eBPF.

Showcasing custom statistics, filtering, and a network load balancer as practical applications of eBPF.

Further topics of interest in eBPF, such as bpfilter, Open vSwitch, XDP, and thanks to the audience.

Embed presentation

Download as PDF, PPTX
Shmulik Ladkani, 2018 Building Network Functions with eBPF & BCC This work is licensed under a Creative Commons Attribution 4.0 International License.
Agenda ● Intro ● Theory ○ Classical BPF ○ eBPF ○ BCC ● Practice ○ Examples and demo
Berkeley Packet Filter
Berkeley Packet Filter New Architecture for User-level Packet Capture ● McCanne/Jacobson 1993 ● Standardized API ● Performant
Berkeley Packet Filter ● Allows user program to attach a filter onto a socket ● Available on most *nix systems
Design ● Abstract-machine architecture ○ Registers, memory, addressing modes… ○ Instruction set (load, store, branch, ALU…) ● In-kernel interpreter Example program: assembly / machine instructions (000) ldh [12] { 0x28, 0, 0, 0x0000000c }, (001) jeq #0x800 jt 2 jf 5 { 0x15, 0, 3, 0x00000800 }, (002) ldb [23] { 0x30, 0, 0, 0x00000017 }, (003) jeq #0x6 jt 4 jf 5 { 0x15, 0, 1, 0x00000006 }, (004) ret #262144 { 0x6, 0, 0, 0x00040000 }, (005) ret #0 { 0x6, 0, 0, 0x00000000 },
Modus Operandi struct sock_filter code[] = { /* ... machine instructions ... */ }; struct sock_fprog bpf = { .filter = code, .len = ARRAY_SIZE(code), }; sock = socket(...); setsockopt(sock, SOL_SOCKET, SO_ATTACH_FILTER, &bpf, sizeof(bpf));
Applications ● Libpcap ○ Tcpdump, Wireshark, Nmap... ● DHCP stacks ● WPA 802.1x stacks ● Android 464XLAT ● android.net.NetworkUtils ● Custom user-space protocol stacks
Linux Enhancements Packet Metadata Access Extension Description len skb->len proto skb->protocol type skb->pkt_type ifidx skb->dev->ifindex hatype skb->dev->type mark skb->mark rxhash skb->hash vlan_tci skb_vlan_tag_get(skb) vlan_avail skb_vlan_tag_present(skb) vlan_tpid skb->vlan_proto nla Netlink attribute of type X with offset A nlan Nested Netlink attribute of type X with offset A
Linux Enhancements Just-In-Time Compiler ● Converts BPF instructions directly into native code ● As of v3.0 (x86_64) ○ SPARC, PowerPC, ARM, ARM64, MIPS, s390 followed
Linux Enhancements Hooking Points ● IPTables xt_bpf ○ Competitive with traditional u32 match ○ As of v3.9 ○ iptables -A OUTPUT -m bpf --bytecode '4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0' -j ACCEPT ● TC cls_bpf ○ Alternative to ematch / u32 classification ○ As of v3.13 ○ tc filter add dev em1 parent 1: bpf bytecode '1,6 0 0 4294967295,' flowid 1:1 tc filter add dev em1 parent 1: bpf bytecode-file /var/bpf/tcp-syn flowid 1:1
Linux Enhancements Seccomp BPF ● Filters system calls using a BPF filter ○ Operates on syscall number and syscall arguments ○ As of v3.5 ○ ● Used by Chrome, Firefox, OpenSSH, Android… static struct filter = { /* ... */ // load syscall number BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)), // only allow ‘read’ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_read, 0, 1), BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL) }; /* ... */ prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &filterprog);
Summary ● Fixed filter program ● Few injection points ● Two domains ○ Packet filtering ○ Syscall filtering ● Functional, stateless ● Kernel data is immutable ● No kernel interaction User-program injected into kernel to control behavior
Extended BPF
eBPF ● Abstract-machine engine running injected user programs ● On steroids ○ New domain (tracing/profiling) ○ Numerous hooking points ○ LLVM backend ○ Actions (mutates data) ○ Data-structures (“maps”) ○ Kernel callable helper functions
Applications (network) ● Network Security (DDoS, IDS, IPS …) ● Load Balancers ● Custom Statistics ● Monitoring ● Container Networking ● Custom Forwarding Stacks ● Network Functions
● Write ○ Restricted C ● Compile ○ clang & llc ● Load ○ bpf(BPF_PROG_LOAD, ...) ● Attach ○ Subsystem dependent Modus Operandi
struct bpf_map_def SEC("maps") my_map = { .type = BPF_MAP_TYPE_ARRAY, .key_size = sizeof(u32), .value_size = sizeof(long), .max_entries = 256, }; SEC("socket1") int bpf_prog1(struct __sk_buff *skb) { int index = load_byte(skb, ETH_HLEN + offsetof(struct iphdr, protocol)); long *value; if (skb->pkt_type != PACKET_OUTGOING) return 0; value = bpf_map_lookup_elem(&my_map, &index); if (value) __sync_fetch_and_add(value, skb->len); return 0; } samples/bpf/sockex1_kern.c
load_bpf_file(filename); // assigns prog_fd, map_fd sock = open_raw_sock("lo"); setsockopt(sock, SOL_SOCKET, SO_ATTACH_BPF, prog_fd, sizeof(prog_fd[0])); f = popen("ping -c5 localhost", "r"); for (i = 0; i < 5; i++) { long long tcp_cnt, udp_cnt, icmp_cnt; key = IPPROTO_TCP; bpf_map_lookup_elem(map_fd[0], &key, &tcp_cnt); key = IPPROTO_UDP; bpf_map_lookup_elem(map_fd[0], &key, &udp_cnt); key = IPPROTO_ICMP; bpf_map_lookup_elem(map_fd[0], &key, &icmp_cnt); printf("TCP %lld UDP %lld ICMP %lld bytesn", tcp_cnt, udp_cnt, icmp_cnt); sleep(1); } samples/bpf/sockex1_user.c
eBPF Maps ● Key-value store ○ Keeps program state ○ Accessible from the eBPF program ○ Accessible from userspace ● Allows context aware behavior ● Numerous data structures BPF_MAP_TYPE_HASH BPF_MAP_TYPE_ARRAY BPF_MAP_TYPE_LRU_HASH BPF_MAP_TYPE_LPM_TRIE more ...
Determines: context, whence, access rights BPF_PROG_TYPE_SOCKET_FILTER packet filter BPF_PROG_TYPE_SCHED_CLS tc classifier BPF_PROG_TYPE_SCHED_ACT tc action BPF_PROG_TYPE_LWT_* lightweight tunnel filter BPF_PROG_TYPE_KPROBE kprobe filter BPF_PROG_TYPE_TRACEPOINT tracepoint filter BPF_PROG_TYPE_PERF_EVENT perf event filter BPF_PROG_TYPE_XDP packet filter from XDP BPF_PROG_TYPE_CGROUP_SKB packet filter for control groups BPF_PROG_TYPE_CGROUP_SOCK same, allowed to modify socket options Program Types
Helper Functions ● eBPF program may call a predefined set of functions ● Differs by program type ● Examples: BPF_FUNC_skb_load_bytes BPF_FUNC_csum_diff BPF_FUNC_skb_get_tunnel_key BPF_FUNC_get_hash_recalc ... BPF_FUNC_skb_store_bytes BPF_FUNC_skb_pull_data BPF_FUNC_l3_csum_replace BPF_FUNC_l4_csum_replace BPF_FUNC_redirect BPF_FUNC_clone_redirect BPF_FUNC_skb_vlan_push BPF_FUNC_skb_vlan_pop BPF_FUNC_skb_change_proto BPF_FUNC_skb_set_tunnel_key ...
BCC
BPF Compiler Collection ● Toolkit for creating and using eBPF ● Makes eBPF programs easier to write ○ Kernel instrumentation in C ○ Frontends in Python and Lua ● Numerous examples ● Documentation and tutorials
Example #1 Custom Statistics Histogram of packets by their size
Example #2 Custom Filtering Drop egress ARP Requests for specific Target Addresses
Example #3 Custom Network Function Network Load Balancer
Example #3 - Topology Server1 VIP 192.0.2.50 10.50.1.9 Server2 VIP 192.0.2.50 10.50.2.9 Test Machine 10.33.33.10 10.33.33.11 10.33.33.12 10.33.33.13 10.33.33.14 Load Balancer 192.0.2.50 dev multigre0 Set GRE tunnel destination by flow hash Src: 10.33.33.10 Dst: 192.0.2.50 Src: 10.50.1.1 Dst: 10.50.1.9 Src: 10.33.33.10 Dst: 192.0.2.50
Further Topics ● bpfilter ● Open vSwitch eBPF datapath ● XDP ● Hardware Offloads ● Tracing / Profiling
Thank You!

More Related Content

PDF
eBPF Trace from Kernel to Userspace
bySUSE Labs Taipei
 
PDF
netfilter and iptables
byKernel TLV
 
PDF
Replacing iptables with eBPF in Kubernetes with Cilium
byMichal Rostecki
 
PDF
Linux Networking Explained
byThomas Graf
 
PDF
Security Monitoring with eBPF
byAlex Maestretti
 
PDF
BPF: Tracing and more
byBrendan Gregg
 
PDF
Faster packet processing in Linux: XDP
byDaniel T. Lee
 
PDF
UM2019 Extended BPF: A New Type of Software
byBrendan Gregg
 
eBPF Trace from Kernel to Userspace
bySUSE Labs Taipei
 
netfilter and iptables
byKernel TLV
 
Replacing iptables with eBPF in Kubernetes with Cilium
byMichal Rostecki
 
Linux Networking Explained
byThomas Graf
 
Security Monitoring with eBPF
byAlex Maestretti
 
BPF: Tracing and more
byBrendan Gregg
 
Faster packet processing in Linux: XDP
byDaniel T. Lee
 
UM2019 Extended BPF: A New Type of Software
byBrendan Gregg
 

What's hot

PDF
Kubernetes Networking
byCJ Cullen
 
PDF
Scapyで作る・解析するパケット
byTakaaki Hoyo
 
PDF
ebpf and IO Visor: The What, how, and what next!
byAffan Syed
 
PPTX
The TCP/IP Stack in the Linux Kernel
byDivye Kapoor
 
PDF
Network Programming: Data Plane Development Kit (DPDK)
byAndriy Berestovskyy
 
PDF
Meet cute-between-ebpf-and-tracing
byViller Hsiao
 
PDF
DoS and DDoS mitigations with eBPF, XDP and DPDK
byMarian Marinov
 
PDF
BPF Internals (eBPF)
byBrendan Gregg
 
PDF
Linux BPF Superpowers
byBrendan Gregg
 
PDF
Embedded linux network device driver development
byAmr Ali (ISTQB CTAL Full, CSM, ITIL Foundation)
 
PDF
Fun with Network Interfaces
byKernel TLV
 
PPTX
[OpenStack 하반기 스터디] Interoperability with ML2: LinuxBridge, OVS and SDN
byOpenStack Korea Community
 
PDF
The linux networking architecture
byhugo lu
 
ODP
eBPF maps 101
bySUSE Labs Taipei
 
PPTX
コンテナネットワーキング(CNI)最前線
byMotonori Shindo
 
PPTX
eBPF Basics
byMichael Kehoe
 
PDF
How Linux Processes Your Network Packet - Elazar Leibovich
byDevOpsDays Tel Aviv
 
PDF
High-Performance Networking Using eBPF, XDP, and io_uring
byScyllaDB
 
PPTX
Linux Network Stack
byAdrien Mahieux
 
PPTX
Understanding DPDK
byDenys Haryachyy
 
Kubernetes Networking
byCJ Cullen
 
Scapyで作る・解析するパケット
byTakaaki Hoyo
 
ebpf and IO Visor: The What, how, and what next!
byAffan Syed
 
The TCP/IP Stack in the Linux Kernel
byDivye Kapoor
 
Network Programming: Data Plane Development Kit (DPDK)
byAndriy Berestovskyy
 
Meet cute-between-ebpf-and-tracing
byViller Hsiao
 
DoS and DDoS mitigations with eBPF, XDP and DPDK
byMarian Marinov
 
BPF Internals (eBPF)
byBrendan Gregg
 
Linux BPF Superpowers
byBrendan Gregg
 
Embedded linux network device driver development
byAmr Ali (ISTQB CTAL Full, CSM, ITIL Foundation)
 
Fun with Network Interfaces
byKernel TLV
 
[OpenStack 하반기 스터디] Interoperability with ML2: LinuxBridge, OVS and SDN
byOpenStack Korea Community
 
The linux networking architecture
byhugo lu
 
eBPF maps 101
bySUSE Labs Taipei
 
コンテナネットワーキング(CNI)最前線
byMotonori Shindo
 
eBPF Basics
byMichael Kehoe
 
How Linux Processes Your Network Packet - Elazar Leibovich
byDevOpsDays Tel Aviv
 
High-Performance Networking Using eBPF, XDP, and io_uring
byScyllaDB
 
Linux Network Stack
byAdrien Mahieux
 
Understanding DPDK
byDenys Haryachyy
 

Similar to Building Network Functions with eBPF & BCC

PPTX
Berkeley Packet Filters
byKernel TLV
 
PDF
Introduction to eBPF and XDP
bylcplcp1
 
PDF
Efficient System Monitoring in Cloud Native Environments
byGergely Szabó
 
PPTX
Understanding eBPF in a Hurry!
byRay Jenkins
 
PDF
DEF CON 27 - JEFF DILEO - evil e bpf in depth
byFelipe Prado
 
PPTX
eBPF Workshop
byMichael Kehoe
 
PDF
Introduction to eBPF
byRogerColl2
 
PDF
BPF - in-kernel virtual machine
byAlexei Starovoitov
 
PDF
BPF - All your packets belong to me
by_xhr_
 
PDF
eBPF Tooling and Debugging Infrastructure
byNetronome
 
PDF
Meetup 2009
byHuaiEnTseng
 
PPTX
Dataplane programming with eBPF: architecture and tools
byStefano Salsano
 
PDF
Socket Programming- Data Link Access
byLJ PROJECTS
 
PDF
Introduction of eBPF - 時下最夯的Linux Technology
byJace Liang
 
PPTX
Making our networking stack truly extensible
byOlivier Bonaventure
 
PDF
DCSF 19 eBPF Superpowers
byDocker, Inc.
 
PDF
eBPF — Divulging The Hidden Super Power.pdf
bySGBSeo
 
PDF
Spying on the Linux kernel for fun and profit
byAndrea Righi
 
PDF
Andrea Righi - Spying on the Linux kernel for fun and profit
bylinuxlab_conf
 
PDF
eBPF/XDP
byNetronome
 
Berkeley Packet Filters
byKernel TLV
 
Introduction to eBPF and XDP
bylcplcp1
 
Efficient System Monitoring in Cloud Native Environments
byGergely Szabó
 
Understanding eBPF in a Hurry!
byRay Jenkins
 
DEF CON 27 - JEFF DILEO - evil e bpf in depth
byFelipe Prado
 
eBPF Workshop
byMichael Kehoe
 
Introduction to eBPF
byRogerColl2
 
BPF - in-kernel virtual machine
byAlexei Starovoitov
 
BPF - All your packets belong to me
by_xhr_
 
eBPF Tooling and Debugging Infrastructure
byNetronome
 
Meetup 2009
byHuaiEnTseng
 
Dataplane programming with eBPF: architecture and tools
byStefano Salsano
 
Socket Programming- Data Link Access
byLJ PROJECTS
 
Introduction of eBPF - 時下最夯的Linux Technology
byJace Liang
 
Making our networking stack truly extensible
byOlivier Bonaventure
 
DCSF 19 eBPF Superpowers
byDocker, Inc.
 
eBPF — Divulging The Hidden Super Power.pdf
bySGBSeo
 
Spying on the Linux kernel for fun and profit
byAndrea Righi
 
Andrea Righi - Spying on the Linux kernel for fun and profit
bylinuxlab_conf
 
eBPF/XDP
byNetronome
 

More from Kernel TLV

PDF
DPDK In Depth
byKernel TLV
 
PDF
SGX Trusted Execution Environment
byKernel TLV
 
PDF
Fun with FUSE
byKernel TLV
 
PPTX
Kernel Proc Connector and Containers
byKernel TLV
 
PPTX
Bypassing ASLR Exploiting CVE 2015-7545
byKernel TLV
 
PDF
Present Absence of Linux Filesystem Security
byKernel TLV
 
PDF
OpenWrt From Top to Bottom
byKernel TLV
 
PDF
Make Your Containers Faster: Linux Container Performance Tools
byKernel TLV
 
PDF
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...
byKernel TLV
 
PDF
File Systems: Why, How and Where
byKernel TLV
 
PDF
KernelTLV Speaker Guidelines
byKernel TLV
 
PDF
Userfaultfd: Current Features, Limitations and Future Development
byKernel TLV
 
PDF
The Linux Block Layer - Built for Fast Storage
byKernel TLV
 
PDF
Linux Kernel Cryptographic API and Use Cases
byKernel TLV
 
PPTX
DMA Survival Guide
byKernel TLV
 
PPSX
FD.IO Vector Packet Processing
byKernel TLV
 
PPTX
WiFi and the Beast
byKernel TLV
 
PPTX
Introduction to DPDK
byKernel TLV
 
PDF
FreeBSD and Drivers
byKernel TLV
 
PDF
Specializing the Data Path - Hooking into the Linux Network Stack
byKernel TLV
 
DPDK In Depth
byKernel TLV
 
SGX Trusted Execution Environment
byKernel TLV
 
Fun with FUSE
byKernel TLV
 
Kernel Proc Connector and Containers
byKernel TLV
 
Bypassing ASLR Exploiting CVE 2015-7545
byKernel TLV
 
Present Absence of Linux Filesystem Security
byKernel TLV
 
OpenWrt From Top to Bottom
byKernel TLV
 
Make Your Containers Faster: Linux Container Performance Tools
byKernel TLV
 
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...
byKernel TLV
 
File Systems: Why, How and Where
byKernel TLV
 
KernelTLV Speaker Guidelines
byKernel TLV
 
Userfaultfd: Current Features, Limitations and Future Development
byKernel TLV
 
The Linux Block Layer - Built for Fast Storage
byKernel TLV
 
Linux Kernel Cryptographic API and Use Cases
byKernel TLV
 
DMA Survival Guide
byKernel TLV
 
FD.IO Vector Packet Processing
byKernel TLV
 
WiFi and the Beast
byKernel TLV
 
Introduction to DPDK
byKernel TLV
 
FreeBSD and Drivers
byKernel TLV
 
Specializing the Data Path - Hooking into the Linux Network Stack
byKernel TLV
 

Recently uploaded

PDF
TNG_Architecting Green Software - An Introduction_Nils-Oliver Linden&Alexande...
byQAware GmbH
 
PDF
Coding Assessment Tools .pdf
byCodexpro
 
PPTX
Python-Functions-A-Comprehensive-Overview.pptx
byMuhammad Fahad Bashir
 
PDF
Unit-II Asymptotic Notations and Basic Efficiency Classes (DAA) BCA SEP SEM-III
byKuvempu University
 
PPTX
SNG460-CNG489_Week6_3-7Nov25_Chp6-Part1.pptx
byberayseray382
 
PPTX
AI Agent Overview - Why we need AI Agent
byAlokGope
 
PDF
Solved First Semester B.C.A. C Programming Question Paper – Jan/Feb 2025
byKuvempu University
 
PDF
DSD-INT 2025 Latest Developments for HydroMT and wflow - Meshgi
byDeltares
 
PPTX
Privacy Preserving Detection of Sensitive Data Exposure (1).pptx
byNikitaMandhan4
 
PDF
Top 5 Security Essentials for Modern API Development
byFicode Technologies Limited
 
PDF
DSD-INT 2025 Stochastic flood event generation using wflow and a diffusion do...
byDeltares
 
PPTX
Fast-tracking quality for hundreds applications with automated testing layers
byBogdan Plieshka
 
PDF
Revolutionising-SQL-Data-Modelling-with-SqlDBM.pdf
bySQL DBM
 
PPTX
Adobe Marketo Engage Champion Deep Dive: Building Your AI-Ready Foundation: D...
bybbedford2
 
PDF
DSD-INT 2025 Integrating Nature-Based Solutions into Hydrological Models A Li...
byDeltares
 
PDF
Custom Software Development Company in Delhi
byMilleniance Softnet Private Limited
 
PDF
C Unit-II: Input and Output, Operators, Control Structures/Statements
byKuvempu University
 
PPTX
Latest Trends of ERP Software Solutions in India 2026
byConacent Consulting
 
PPTX
Custom chat gpt integration services.pptx
byChetu
 
PDF
DSD-INT 2025 Hydrological response of the Puget Sound area to a changing clim...
byDeltares
 
TNG_Architecting Green Software - An Introduction_Nils-Oliver Linden&Alexande...
byQAware GmbH
 
Coding Assessment Tools .pdf
byCodexpro
 
Python-Functions-A-Comprehensive-Overview.pptx
byMuhammad Fahad Bashir
 
Unit-II Asymptotic Notations and Basic Efficiency Classes (DAA) BCA SEP SEM-III
byKuvempu University
 
SNG460-CNG489_Week6_3-7Nov25_Chp6-Part1.pptx
byberayseray382
 
AI Agent Overview - Why we need AI Agent
byAlokGope
 
Solved First Semester B.C.A. C Programming Question Paper – Jan/Feb 2025
byKuvempu University
 
DSD-INT 2025 Latest Developments for HydroMT and wflow - Meshgi
byDeltares
 
Privacy Preserving Detection of Sensitive Data Exposure (1).pptx
byNikitaMandhan4
 
Top 5 Security Essentials for Modern API Development
byFicode Technologies Limited
 
DSD-INT 2025 Stochastic flood event generation using wflow and a diffusion do...
byDeltares
 
Fast-tracking quality for hundreds applications with automated testing layers
byBogdan Plieshka
 
Revolutionising-SQL-Data-Modelling-with-SqlDBM.pdf
bySQL DBM
 
Adobe Marketo Engage Champion Deep Dive: Building Your AI-Ready Foundation: D...
bybbedford2
 
DSD-INT 2025 Integrating Nature-Based Solutions into Hydrological Models A Li...
byDeltares
 
Custom Software Development Company in Delhi
byMilleniance Softnet Private Limited
 
C Unit-II: Input and Output, Operators, Control Structures/Statements
byKuvempu University
 
Latest Trends of ERP Software Solutions in India 2026
byConacent Consulting
 
Custom chat gpt integration services.pptx
byChetu
 
DSD-INT 2025 Hydrological response of the Puget Sound area to a changing clim...
byDeltares
 

Building Network Functions with eBPF & BCC

  • 1.
    Shmulik Ladkani, 2018 BuildingNetwork Functions with eBPF & BCC This work is licensed under a Creative Commons Attribution 4.0 International License.
  • 2.
    Agenda ● Intro ● Theory ○Classical BPF ○ eBPF ○ BCC ● Practice ○ Examples and demo
  • 5.
  • 6.
    Berkeley Packet Filter NewArchitecture for User-level Packet Capture ● McCanne/Jacobson 1993 ● Standardized API ● Performant
  • 7.
    Berkeley Packet Filter ●Allows user program to attach a filter onto a socket ● Available on most *nix systems
  • 8.
    Design ● Abstract-machine architecture ○Registers, memory, addressing modes… ○ Instruction set (load, store, branch, ALU…) ● In-kernel interpreter Example program: assembly / machine instructions (000) ldh [12] { 0x28, 0, 0, 0x0000000c }, (001) jeq #0x800 jt 2 jf 5 { 0x15, 0, 3, 0x00000800 }, (002) ldb [23] { 0x30, 0, 0, 0x00000017 }, (003) jeq #0x6 jt 4 jf 5 { 0x15, 0, 1, 0x00000006 }, (004) ret #262144 { 0x6, 0, 0, 0x00040000 }, (005) ret #0 { 0x6, 0, 0, 0x00000000 },
  • 9.
    Modus Operandi struct sock_filtercode[] = { /* ... machine instructions ... */ }; struct sock_fprog bpf = { .filter = code, .len = ARRAY_SIZE(code), }; sock = socket(...); setsockopt(sock, SOL_SOCKET, SO_ATTACH_FILTER, &bpf, sizeof(bpf));
  • 10.
    Applications ● Libpcap ○ Tcpdump,Wireshark, Nmap... ● DHCP stacks ● WPA 802.1x stacks ● Android 464XLAT ● android.net.NetworkUtils ● Custom user-space protocol stacks
  • 11.
    Linux Enhancements Packet MetadataAccess Extension Description len skb->len proto skb->protocol type skb->pkt_type ifidx skb->dev->ifindex hatype skb->dev->type mark skb->mark rxhash skb->hash vlan_tci skb_vlan_tag_get(skb) vlan_avail skb_vlan_tag_present(skb) vlan_tpid skb->vlan_proto nla Netlink attribute of type X with offset A nlan Nested Netlink attribute of type X with offset A
  • 12.
    Linux Enhancements Just-In-Time Compiler ●Converts BPF instructions directly into native code ● As of v3.0 (x86_64) ○ SPARC, PowerPC, ARM, ARM64, MIPS, s390 followed
  • 13.
    Linux Enhancements Hooking Points ●IPTables xt_bpf ○ Competitive with traditional u32 match ○ As of v3.9 ○ iptables -A OUTPUT -m bpf --bytecode '4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0' -j ACCEPT ● TC cls_bpf ○ Alternative to ematch / u32 classification ○ As of v3.13 ○ tc filter add dev em1 parent 1: bpf bytecode '1,6 0 0 4294967295,' flowid 1:1 tc filter add dev em1 parent 1: bpf bytecode-file /var/bpf/tcp-syn flowid 1:1
  • 14.
    Linux Enhancements Seccomp BPF ●Filters system calls using a BPF filter ○ Operates on syscall number and syscall arguments ○ As of v3.5 ○ ● Used by Chrome, Firefox, OpenSSH, Android… static struct filter = { /* ... */ // load syscall number BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)), // only allow ‘read’ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_read, 0, 1), BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL) }; /* ... */ prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &filterprog);
  • 15.
    Summary ● Fixed filterprogram ● Few injection points ● Two domains ○ Packet filtering ○ Syscall filtering ● Functional, stateless ● Kernel data is immutable ● No kernel interaction User-program injected into kernel to control behavior
  • 16.
  • 17.
    eBPF ● Abstract-machine enginerunning injected user programs ● On steroids ○ New domain (tracing/profiling) ○ Numerous hooking points ○ LLVM backend ○ Actions (mutates data) ○ Data-structures (“maps”) ○ Kernel callable helper functions
  • 18.
    Applications (network) ● NetworkSecurity (DDoS, IDS, IPS …) ● Load Balancers ● Custom Statistics ● Monitoring ● Container Networking ● Custom Forwarding Stacks ● Network Functions
  • 19.
    ● Write ○ RestrictedC ● Compile ○ clang & llc ● Load ○ bpf(BPF_PROG_LOAD, ...) ● Attach ○ Subsystem dependent Modus Operandi
  • 20.
    struct bpf_map_def SEC("maps")my_map = { .type = BPF_MAP_TYPE_ARRAY, .key_size = sizeof(u32), .value_size = sizeof(long), .max_entries = 256, }; SEC("socket1") int bpf_prog1(struct __sk_buff *skb) { int index = load_byte(skb, ETH_HLEN + offsetof(struct iphdr, protocol)); long *value; if (skb->pkt_type != PACKET_OUTGOING) return 0; value = bpf_map_lookup_elem(&my_map, &index); if (value) __sync_fetch_and_add(value, skb->len); return 0; } samples/bpf/sockex1_kern.c
  • 21.
    load_bpf_file(filename); // assignsprog_fd, map_fd sock = open_raw_sock("lo"); setsockopt(sock, SOL_SOCKET, SO_ATTACH_BPF, prog_fd, sizeof(prog_fd[0])); f = popen("ping -c5 localhost", "r"); for (i = 0; i < 5; i++) { long long tcp_cnt, udp_cnt, icmp_cnt; key = IPPROTO_TCP; bpf_map_lookup_elem(map_fd[0], &key, &tcp_cnt); key = IPPROTO_UDP; bpf_map_lookup_elem(map_fd[0], &key, &udp_cnt); key = IPPROTO_ICMP; bpf_map_lookup_elem(map_fd[0], &key, &icmp_cnt); printf("TCP %lld UDP %lld ICMP %lld bytesn", tcp_cnt, udp_cnt, icmp_cnt); sleep(1); } samples/bpf/sockex1_user.c
  • 22.
    eBPF Maps ● Key-valuestore ○ Keeps program state ○ Accessible from the eBPF program ○ Accessible from userspace ● Allows context aware behavior ● Numerous data structures BPF_MAP_TYPE_HASH BPF_MAP_TYPE_ARRAY BPF_MAP_TYPE_LRU_HASH BPF_MAP_TYPE_LPM_TRIE more ...
  • 23.
    Determines: context, whence,access rights BPF_PROG_TYPE_SOCKET_FILTER packet filter BPF_PROG_TYPE_SCHED_CLS tc classifier BPF_PROG_TYPE_SCHED_ACT tc action BPF_PROG_TYPE_LWT_* lightweight tunnel filter BPF_PROG_TYPE_KPROBE kprobe filter BPF_PROG_TYPE_TRACEPOINT tracepoint filter BPF_PROG_TYPE_PERF_EVENT perf event filter BPF_PROG_TYPE_XDP packet filter from XDP BPF_PROG_TYPE_CGROUP_SKB packet filter for control groups BPF_PROG_TYPE_CGROUP_SOCK same, allowed to modify socket options Program Types
  • 24.
    Helper Functions ● eBPFprogram may call a predefined set of functions ● Differs by program type ● Examples: BPF_FUNC_skb_load_bytes BPF_FUNC_csum_diff BPF_FUNC_skb_get_tunnel_key BPF_FUNC_get_hash_recalc ... BPF_FUNC_skb_store_bytes BPF_FUNC_skb_pull_data BPF_FUNC_l3_csum_replace BPF_FUNC_l4_csum_replace BPF_FUNC_redirect BPF_FUNC_clone_redirect BPF_FUNC_skb_vlan_push BPF_FUNC_skb_vlan_pop BPF_FUNC_skb_change_proto BPF_FUNC_skb_set_tunnel_key ...
  • 25.
  • 26.
    BPF Compiler Collection ●Toolkit for creating and using eBPF ● Makes eBPF programs easier to write ○ Kernel instrumentation in C ○ Frontends in Python and Lua ● Numerous examples ● Documentation and tutorials
  • 27.
  • 28.
    Example #2 Custom Filtering Dropegress ARP Requests for specific Target Addresses
  • 29.
    Example #3 Custom NetworkFunction Network Load Balancer
  • 30.
    Example #3 -Topology Server1 VIP 192.0.2.50 10.50.1.9 Server2 VIP 192.0.2.50 10.50.2.9 Test Machine 10.33.33.10 10.33.33.11 10.33.33.12 10.33.33.13 10.33.33.14 Load Balancer 192.0.2.50 dev multigre0 Set GRE tunnel destination by flow hash Src: 10.33.33.10 Dst: 192.0.2.50 Src: 10.50.1.1 Dst: 10.50.1.9 Src: 10.33.33.10 Dst: 192.0.2.50
  • 31.
    Further Topics ● bpfilter ●Open vSwitch eBPF datapath ● XDP ● Hardware Offloads ● Tracing / Profiling
  • 32.