# bpf-iptables

## Introduction

`bpf-iptables` is an `eBPF` and `XDP` based firewall that provides the same `iptables` syntax.

Thanks to efficient matching algorithms and `eBPF`/`XDP` driver-level optimizations, it is able to provide *high performance*.
No kernel modifications are required: `bpf` comes at zero cost with recent Linux kernels.

## Research papers

### Securing Linux with a Faster and Scalable Iptables
*Draft, 1 December 2018*
This paper presents an eBPF-based firewall, bpf-iptables, which emulates the iptables filtering semantic while guaranteeing higher throughput, outperforming other Linux-based firewalls particularly when a high number of rules is involved.
[PDF](https://mbertrone.github.io/documents/21-Securing_Linux_with_a_Faster_and_Scalable_Iptables.pdf)

### Accelerating Linux Security with eBPF iptables
*ACM SIGCOMM 2018 Conference Posters and Demos, Budapest (H), 20-25 August 2018*
This paper presents an eBPF-based prototype that emulates the iptables filtering semantic and exploits a more efficient matching algorithm, without requiring custom kernels or invasive software frameworks.
[PDF](https://mbertrone.github.io/documents/19-eBPF-Iptables-Demo.pdf)

### Toward an eBPF-based clone of iptables
*Netdev 0x12, The Technical Conference on Linux Networking, Montréal (Canada), 11-13 July 2018*
This paper reports the first results of a project that aims at creating an eBPF-based (partial) clone of iptables. This project assumes an unmodified Linux kernel and guarantees full compatibility with current iptables.
[PDF](https://mbertrone.github.io/documents/20-eBPF-Iptables-Netdev.pdf)

## How to use?

`bpf-iptables` is part of the `PolyCube` framework. We use the `pcn-iptables` syntax (`pcn` = `PolyCubeNetwork`).

### Docker

```
# Pull docker image (PolyCube & pcn-iptables)
docker pull polycubenetwork/polycube:latest

# Run the Polycube Docker image and launch polycubed (the polycube daemon) inside it.
# The Docker container is launched in the host networking stack (--network host);
# privileged mode (--privileged) is necessary to use eBPF features.
docker run -it --rm --privileged --network host \
  -v /lib/modules:/lib/modules:ro -v /usr/src:/usr/src:ro -v /etc/localtime:/etc/localtime:ro \
  polycubenetwork/polycube:latest /bin/bash -c 'polycubed -d && /bin/bash'
```

Refer to the Polycube [Quickstart](https://github.com/polycube-network/polycube/blob/master/Documentation/quickstart.rst#quick-start) for the bare-metal install mode.

```
# Initialize pcn-iptables
pcn-iptables-init
```

```
# pcn-iptables provides the same iptables syntax. Please refer to the iptables online docs for more info.
# The following are just a few examples of available commands.

# E.g.
pcn-iptables -A INPUT -s 10.0.0.1 -j DROP   # Append rule to INPUT chain
pcn-iptables -D INPUT -s 10.0.0.1 -j DROP   # Delete rule from INPUT chain
pcn-iptables -I INPUT -s 10.0.0.2 -j DROP   # Insert rule into INPUT chain

# Example of a complex rule
pcn-iptables -A INPUT -s 10.0.0.0/8 -d 10.0.0.2 -p tcp --sport 9090 --dport 80 --tcpflags SYN,ACK ACK -j DROP

# Example of a conntrack rule
pcn-iptables -A OUTPUT -m conntrack --ctstate=ESTABLISHED -j ACCEPT

# Show rules
pcn-iptables -S                 # dump rules
pcn-iptables -L INPUT           # dump rules for INPUT chain

pcn-iptables -P FORWARD DROP    # set default policy for FORWARD chain
```

```
# Stop and clean pcn-iptables
pcn-iptables-clean
```

## Q&A
Q: Can I still use `iptables`?
A: Yes, iptables will not be affected.

Q: Advantages?
A: Performance (especially with a large number of rules); low CPU utilization (especially with XDP mode).

Q: How to use XDP mode?
A: Run `pcn-iptables-init-xdp`.

Q: Limitations of XDP mode?
A: `pcn-iptables` will be attached only to XDP-compatible interfaces.

## Links
[pcn-iptables Source Code](https://github.com/polycube-network/polycube/tree/master/src/services/pcn-iptables)
[pcn-iptables Documentation](https://github.com/polycube-network/polycube/blob/master/Documentation/components/iptables/pcn-iptables.rst)
[PolyCube Network](https://github.com/polycube-network/polycube)

## Demo

[![asciicast](https://asciinema.org/a/234478.svg)](https://asciinema.org/a/234478)

### Disclaimer

bpf-iptables is not related to bpfilter (https://lwn.net/Articles/747551/).
Right now bpf-iptables uses a different mechanism to intercept iptables rules.
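The commands in the usage section above can be composed into a minimal default-deny host policy. The script below is an added example, not part of the project or this README; it assumes only the `pcn-iptables` flags shown on this page (`-A`, `-P`, `-m conntrack --ctstate=ESTABLISHED`) and uses a `PCN` variable that defaults to `echo` so the rule set can be reviewed as a dry run on a machine without `polycubed`.

```shell
#!/bin/sh
# Added example: minimal default-deny INPUT policy expressed in pcn-iptables syntax.
# PCN is the command that receives each rule. It defaults to "echo" (dry run, rules
# are printed instead of applied); set PCN=pcn-iptables on a host running polycubed.
PCN="${PCN:-echo}"

# apply_host_policy SSH_PORT MGMT_CIDR
# Rule order matters (first match wins), so the ACCEPT rules are appended before
# the chain's default policy is switched to DROP.
apply_host_policy() {
    ssh_port="$1"
    mgmt_cidr="$2"
    # 1. Accept packets belonging to connections conntrack already knows about,
    #    i.e. replies to traffic this host initiated or previously accepted.
    $PCN -A INPUT -m conntrack --ctstate=ESTABLISHED -j ACCEPT
    # 2. Accept new SSH connections, but only from the management network
    #    (MGMT_CIDR is a parameter; 10.0.0.0/8 below is a constructed sample value).
    $PCN -A INPUT -p tcp -s "$mgmt_cidr" --dport "$ssh_port" -j ACCEPT
    # 3. Everything else that reaches INPUT is dropped by the default policy.
    $PCN -P INPUT DROP
    # 4. Locally originated traffic may leave; its replies are matched by rule 1.
    $PCN -P OUTPUT ACCEPT
}

# count_input_rules prints how many explicit "-A INPUT" rules the policy emits
# (dry-run mode only); useful as a sanity check before applying for real.
count_input_rules() {
    apply_host_policy 22 10.0.0.0/8 | grep -c -- '-A INPUT'
}
```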