4

I've just read in these answers about two options for developing packet filters in linux.

The first is using iptables and netfilter, probably with NFQUEUE and libnetfilter_queue library.

The second is by using BPF (Berkeley Packet Filter), that seems in a quick reading to have similar capabilities for filtering purposes.

So, which of these alternatives is a better way to create a packet filter? What are the differences? My software is going to run as a gateway proxy, or "man-in-the-middle" that should receive a packet from one computer (with destination address to another one, not the filter's local address), and send it out after some filtering.

Thanks a lot!

Reflection
  • I probably will go with *netfilter/iptables* since from an architectural point of view I think it is better than BPF. To point out just one example, I like the translation order on netfilter with the {PRE|POST}ROUTING chains, since they don't clash with firewall chains/rules, contrary to BPF, whose order is strange. – Diosney Nov 11 '14 at 22:15
  • Thanks. By the way, if I want to release "out-of-the-box" software (that does not require OS configuration like setting firewall rules, but only a simple kind of installation), isn't it better to use BPF? However, I need more information about the differences since it's not the main consideration. – Reflection Nov 11 '14 at 22:20
  • Maybe; it is true that it is simpler, but that isn't always good. – Diosney Nov 12 '14 at 12:31
  • By the way, is the development in BPF also simple, or just the architecture? – Reflection Nov 12 '14 at 12:34
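The question's gateway scenario is the classic NFQUEUE use case: traffic that is not addressed to the box traverses the FORWARD chain, and a rule such as `iptables -A FORWARD -j NFQUEUE --queue-num 0` (with `net.ipv4.ip_forward=1`) hands each packet to a userspace program that returns a verdict. The C below is an added example, not code from the question, the answer, or libnetfilter_queue: it is the decision half of such a filter, parsing the IPv4/transport headers exactly as NFQUEUE delivers them (starting at the IP header) and evaluating a small first-match rule table with a default-deny result. The policy, the addresses and the sample packets are constructed for illustration, and the verdict enum only mirrors the NF_ACCEPT/NF_DROP values so the logic builds without kernel headers.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Mirrors NF_DROP (0) and NF_ACCEPT (1) from <linux/netfilter.h>, defined
 * locally so the decision logic compiles and runs without kernel headers. */
enum verdict { VERDICT_DROP = 0, VERDICT_ACCEPT = 1 };

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Fields extracted from a queued packet, in host byte order. */
struct pkt_info {
    uint8_t  proto;
    uint32_t saddr, daddr;
    uint16_t sport, dport;   /* 0 unless the protocol is TCP (6) or UDP (17) */
};

/* Parse an IPv4 packet as NFQUEUE hands it to userspace (no link-layer header).
 * Returns 0 on success, -1 if malformed. Every field read is preceded by a
 * length check so a short or lying header can never make the filter read past
 * the buffer. Checksums are not verified here. */
int parse_ipv4(const uint8_t *buf, size_t len, struct pkt_info *out)
{
    if (len < 20 || (buf[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;        /* header length in bytes */
    size_t tot = ((size_t)buf[2] << 8) | buf[3];    /* total length field     */
    if (ihl < 20 || tot < ihl || tot > len)
        return -1;
    memset(out, 0, sizeof *out);
    out->proto = buf[9];
    out->saddr = IP4(buf[12], buf[13], buf[14], buf[15]);
    out->daddr = IP4(buf[16], buf[17], buf[18], buf[19]);
    if (out->proto == 6 || out->proto == 17) {
        if (tot - ihl < 4)                           /* both ports must be present */
            return -1;
        out->sport = (uint16_t)((buf[ihl] << 8) | buf[ihl + 1]);
        out->dport = (uint16_t)((buf[ihl + 2] << 8) | buf[ihl + 3]);
    }
    return 0;
}

/* One forwarding rule; the table is scanned top to bottom, first match wins. */
struct rule {
    uint8_t      proto;
    uint32_t     dst_net, dst_mask;
    uint16_t     dport;      /* 0 matches any destination port */
    enum verdict action;
};

/* Constructed policy for a gateway in front of 192.168.1.0/24: only HTTP and
 * HTTPS into the subnet and DNS to 192.168.1.1 may be forwarded. */
static const struct rule POLICY[] = {
    {  6, IP4(192,168,1,0), 0xFFFFFF00u, 443, VERDICT_ACCEPT },
    {  6, IP4(192,168,1,0), 0xFFFFFF00u,  80, VERDICT_ACCEPT },
    { 17, IP4(192,168,1,1), 0xFFFFFFFFu,  53, VERDICT_ACCEPT },
};

/* Verdict for one queued packet: unparsable or unmatched means drop. */
enum verdict filter_packet(const uint8_t *buf, size_t len)
{
    struct pkt_info p;
    if (parse_ipv4(buf, len, &p) != 0)
        return VERDICT_DROP;
    for (size_t i = 0; i < sizeof POLICY / sizeof POLICY[0]; i++) {
        const struct rule *r = &POLICY[i];
        if (r->proto == p.proto && (p.daddr & r->dst_mask) == r->dst_net &&
            (r->dport == 0 || r->dport == p.dport))
            return r->action;
    }
    return VERDICT_DROP;
}

/* Constructed sample packets: IPv4 header plus transport header, no payload. */
const uint8_t SAMPLE_SYN_HTTPS[40] = {
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,  /* len 40, TCP   */
    10,0,0,5, 192,168,1,10,                                        /* 10.0.0.5 -> 192.168.1.10 */
    0xC0,0x00, 0x01,0xBB, 0,0,0,0, 0,0,0,0, 0x50,0x02, 0xFF,0xFF, 0,0, 0,0 /* 49152 -> 443, SYN */
};
const uint8_t SAMPLE_SYN_SSH[40] = {
    0x45,0x00,0x00,0x28, 0x00,0x03,0x00,0x00, 0x40,0x06,0x00,0x00,
    10,0,0,5, 192,168,1,10,
    0xC0,0x00, 0x00,0x16, 0,0,0,0, 0,0,0,0, 0x50,0x02, 0xFF,0xFF, 0,0, 0,0 /* 49152 -> 22, SYN */
};
const uint8_t SAMPLE_DNS[28] = {
    0x45,0x00,0x00,0x1C, 0x00,0x02,0x00,0x00, 0x40,0x11,0x00,0x00,  /* len 28, UDP   */
    10,0,0,5, 192,168,1,1,                                         /* 10.0.0.5 -> 192.168.1.1 */
    0xD4,0x31, 0x00,0x35, 0x00,0x08, 0x00,0x00                     /* 54321 -> 53, udp len 8  */
};

int main(void)
{
    const char *name[] = { "drop", "accept" };
    printf("HTTPS SYN to 192.168.1.10: %s\n", name[filter_packet(SAMPLE_SYN_HTTPS, sizeof SAMPLE_SYN_HTTPS)]);
    printf("SSH SYN to 192.168.1.10:   %s\n", name[filter_packet(SAMPLE_SYN_SSH, sizeof SAMPLE_SYN_SSH)]);
    printf("DNS to 192.168.1.1:        %s\n", name[filter_packet(SAMPLE_DNS, sizeof SAMPLE_DNS)]);
    printf("truncated header:          %s\n", name[filter_packet(SAMPLE_SYN_HTTPS, 15)]);
    return 0;
}
```

In a real program the libnetfilter_queue callback registered with nfq_create_queue obtains the buffer via nfq_get_payload, calls filter_packet and passes the result (as NF_ACCEPT or NF_DROP) to nfq_set_verdict. Two operational points matter for the "out-of-the-box" deployment discussed in the comments: the iptables rule must exist before packets flow, so this approach cannot avoid host configuration entirely; and unless the rule is given `--queue-bypass`, the kernel drops queued packets while no userspace program is listening, so a crashed filter fails closed rather than open, which is normally the behaviour a gateway filter wants.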

1 Answer

3

Though my understanding is limited to the theoretical, I've done some reading while debugging the Kubernetes networking implementation and can thus take a stab at answering this.

Broadly, both netfilter and eBPF (the successor to BPF) implement a virtual machine that executes some logic while processing packets. netfilter's implementation appears to strive for compatibility with iptables' previous implementation, being essentially a more performant successor to iptables.

However, there are still performance problems when using iptables -- particularly when there are large sets of iptables rules. The way eBPF is structured can alleviate some of these performance problems; specifically:

  • eBPF can be offloaded to a "smart nic"
  • eBPF can be structured to look up rules more efficiently

Though it was initially used for network processing, eBPF is also being used for kernel instrumentation (sysdig, iovisor). It has a far larger set of use cases, but because of this, it likely has a much tougher learning curve.

So, in summary:

  • Use what you're familiar with, unless you hit perf problems then
  • Look at eBPF

Relevant:

Notes:

  • eBPF is the successor to cBPF, and has replaced it in the kernel
  • I refer to eBPF explicitly here out of habit
Andrew Howden