Toward an eBPF-based clone of iptables

Jul 11, 2018 11:30 AM — 12:30 PM

Recently, there have been discussions in the Linux networking community about replacing iptables with an eBPF-based approach. So far, the submitted work and the ensuing discussions have focused on the performance side of the equation, which favors eBPF. An approach that replaces iptables with an eBPF backend without disrupting the user-facing control interface has also been demonstrated. This talk builds on that context and presents additional challenges that we feel must be addressed to obtain a fully compatible clone of iptables, i.e., an eBPF-iptables tool that accepts traditional iptables commands and emulates them through the proper set of eBPF programs. The main challenges are:

  1. how to preserve the semantics of iptables rules, given that the netfilter and eBPF hook points sit at different places in the network stack;
  2. how to support, or at least cooperate with, NAT rules;
  3. how to select a matching algorithm that outperforms the current implementation (a linear scan of the chain) and can be realised with one of the eBPF map types available in the kernel.

The resulting eBPF-iptables will let users benefit from the performance improvement without worrying about the operational impact, since they keep using the iptables control interface.
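The third challenge is easiest to see with a concrete classifier. The example below is added here and is not code from the talk or from any eBPF-iptables project; the talk does not say which algorithm it settles on. It implements one candidate, a bit-vector classifier in the style of Linear Bit Vector Search, beside the first-match linear scan that iptables semantics require, over a constructed rule set. Each field gets its own lookup table whose values are bit vectors of the rules that accept that field value; the per-field lookups stand in for what an eBPF program would do with a BPF_MAP_TYPE_LPM_TRIE (prefix fields) or BPF_MAP_TYPE_HASH (exact fields), and the Python scan over distinct prefixes in `_lpm_lookup` is only a stand-in for the trie lookup. Rule order is encoded in bit position, so the lowest set bit of the ANDed vectors is exactly the first matching rule of the chain.

```python
"""Added example (not from the talk): first-match linear scan versus a
bit-vector classifier over per-field tables. Rules and packets are constructed."""
import ipaddress
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str      # CIDR; "0.0.0.0/0" means any
    dst: str
    proto: str    # "tcp", "udp" or "*" for any
    dport: int    # 0 means any
    action: str


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


# Constructed chain; first match wins, as in an iptables chain.
RULES = [
    Rule("0.0.0.0/0",      "10.0.0.0/8",  "tcp", 22,  "ACCEPT"),
    Rule("192.168.1.0/24", "10.0.0.0/8",  "*",   0,   "ACCEPT"),
    Rule("0.0.0.0/0",      "10.0.5.0/24", "udp", 53,  "ACCEPT"),
    Rule("192.168.0.0/16", "0.0.0.0/0",   "tcp", 443, "ACCEPT"),
    Rule("0.0.0.0/0",      "0.0.0.0/0",   "*",   0,   "DROP"),
]
DEFAULT = "DROP"  # chain policy when no rule matches


def rule_matches(rule, pkt):
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("*", pkt.proto)
            and rule.dport in (0, pkt.dport))


def linear_first_match(rules, pkt):
    """What iptables does today: walk the chain, stop at the first match."""
    for i, r in enumerate(rules):
        if rule_matches(r, pkt):
            return i, r.action
    return None, DEFAULT


class BitVectorClassifier:
    """One table per field; each table value is a bit vector of rule indices."""

    def __init__(self, rules):
        self.rules = rules
        self.src_lpm = self._build_lpm([r.src for r in rules])
        self.dst_lpm = self._build_lpm([r.dst for r in rules])
        self.proto_map, self.proto_any = self._build_exact([r.proto for r in rules], "*")
        self.dport_map, self.dport_any = self._build_exact([r.dport for r in rules], 0)

    @staticmethod
    def _build_lpm(cidrs):
        # For each distinct prefix, the set of rules whose prefix covers it.
        # The longest prefix covering a packet address then yields exactly the
        # rules whose prefix covers that address.
        table = {}
        for net in {ipaddress.ip_network(c) for c in cidrs}:
            bv = 0
            for i, c in enumerate(cidrs):
                if net.subnet_of(ipaddress.ip_network(c)):
                    bv |= 1 << i
            table[net] = bv
        return table

    @staticmethod
    def _lpm_lookup(table, ip):
        # Stand-in for an LPM trie lookup (in the kernel: BPF_MAP_TYPE_LPM_TRIE).
        addr = ipaddress.ip_address(ip)
        best = None
        for net in table:
            if addr in net and (best is None or net.prefixlen > best.prefixlen):
                best = net
        return table[best] if best is not None else 0

    @staticmethod
    def _build_exact(values, wildcard):
        # Exact-match field (in the kernel: BPF_MAP_TYPE_HASH); wildcard rules
        # are folded into every entry and into the miss vector.
        any_bv = sum(1 << i for i, v in enumerate(values) if v == wildcard)
        table = {}
        for v in set(values) - {wildcard}:
            table[v] = any_bv | sum(1 << i for i, w in enumerate(values) if w == v)
        return table, any_bv

    def classify(self, pkt):
        bv = self._lpm_lookup(self.src_lpm, pkt.src)
        bv &= self._lpm_lookup(self.dst_lpm, pkt.dst)
        bv &= self.proto_map.get(pkt.proto, self.proto_any)
        bv &= self.dport_map.get(pkt.dport, self.dport_any)
        if bv == 0:
            return None, DEFAULT
        idx = (bv & -bv).bit_length() - 1   # lowest set bit = first rule in chain order
        return idx, self.rules[idx].action


def agrees_with_linear_scan(rules=RULES, n=2000, seed=1):
    """Equivalence check on constructed random packets: the classifier must
    pick the same first matching rule as the linear scan every time."""
    rng = random.Random(seed)
    clf = BitVectorClassifier(rules)
    nets = ["192.168.1.", "192.168.7.", "10.0.5.", "10.9.9.", "172.16.0.", "8.8.8."]
    for _ in range(n):
        pkt = Packet(rng.choice(nets) + str(rng.randrange(1, 255)),
                     rng.choice(nets) + str(rng.randrange(1, 255)),
                     rng.choice(["tcp", "udp", "icmp"]),
                     rng.choice([22, 53, 80, 443, 8080]))
        if clf.classify(pkt) != linear_first_match(rules, pkt):
            return False
    return True


if __name__ == "__main__":
    clf = BitVectorClassifier(RULES)
    for p in (Packet("192.168.1.7", "10.0.5.9", "udp", 53),
              Packet("172.16.0.1", "10.1.2.3", "tcp", 80)):
        print(p, linear_first_match(RULES, p), clf.classify(p))
    print("equivalent:", agrees_with_linear_scan())
```

The property worth keeping in mind is the last one: whatever map layout an eBPF backend chooses, it must still return the first matching rule in chain order, which is why the equivalence check against the linear scan is the test to run when swapping in a faster algorithm. In a real eBPF program the bit vectors would live as map values and be ANDed in a bounded loop, and the per-packet cost becomes a handful of map lookups instead of one comparison per rule.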