Bpfilter (and user-mode blobs) for 4.18
The core motivation behind bpfilter is performance. An in-kernel, general-purpose packet filter must necessarily offer a wide range of features; any given site will probably only use a small subset of those features. The result is a lot of unused code and time spent checking for whether a given feature is in use, slowing the whole thing down. A packet-filtering configuration expressed as a BPF program, instead, contains only the code needed to implement the desired policy. Once that code is translated to native code by the just-in-time compiler, it should be both compact and fast. The networking developers hope that it will be fast enough to win back some of the users who have moved to proprietary user-space filtering implementations.
If bpfilter is to replace netfilter, though, it must provide ABI compatibility so that existing configurations continue to work. To that end, the bpfilter developers intend to implement the current netfilter configuration protocol; bpfilter will accept iptables rules and compile them to BPF transparently. That compilation is not a trivial task, though, and one that could present some security challenges, so the desire is to do it in user space, but under kernel control.
To make that possible, the initial proposal included a new type of kernel module. Rather than containing kernel code, it contained a normal ELF executable that would be run as a special type of kernel thread. Using the module mechanism allowed this code to be packaged and built with the rest of the kernel; user-mode modules could also be subjected to the same signing rules. There were a number of concerns about how these modules worked, though, which led to some significant changes this time around.
For example, the user-mode helper code is no longer packaged as a module. It is, instead, a blob of code that is built into a normal kernel subsystem (which may be built into the kernel image or packaged as a module). In the sample code, the user-mode component is built as a separate program then, in a process involving "quite a bit of objcopy and Makefile magic", it is turned into an ordinary object file that can be linked into the bpfilter.ko kernel module.
Kernel code that wants to run a blob of code in user space will do so using the new helper code. That is done by calling:
int fork_usermode_blob(void *data, size_t len, struct umh_info *info);
where data points to the code to be run, and len is the length of that code in bytes. The info structure is defined as:
    struct umh_info {
        struct file *pipe_to_umh;
        struct file *pipe_from_umh;
        pid_t pid;
    };
Assuming the user-space process is successfully created, the kernel will place its process ID into pid. The kernel will also create a pair of pipes for communicating with the new process; they will be stored in pipe_to_umh (for writing) and pipe_from_umh (for reading). The code itself is copied into a tmpfs file and executed from there; that allows it to be paged if needed. If the built-in copy of the code is marked as "initdata" (and thus placed in a different section), the caller can free it once the helper is running.
Kernel code that creates this type of helper process must take care to clean it up when the time comes. The process ID can be used to kill the process, and the pipes need to be closed.
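The create, talk, and clean-up lifecycle described above, modelled in user space as an added example (not code from the article or the kernel tree): struct umh_model and the three functions are hypothetical stand-ins for umh_info and fork_usermode_blob(), built on pipe()/fork() so the pattern runs outside the kernel, and the helper merely acknowledges one-byte requests in place of bpfilter's no-op commands.

```c
#include <signal.h>
#include <sys/wait.h>
#include <unistd.h>
/* Hypothetical user-space stand-in for struct umh_info (added example). */
struct umh_model { int pipe_to_umh; int pipe_from_umh; pid_t pid; };

/* Helper body: answer each one-byte request with req + 1 (a no-op ack). */
static void helper_main(int in_fd, int out_fd) {
    unsigned char req, reply;
    while (read(in_fd, &req, 1) == 1) {
        reply = req + 1;
        if (write(out_fd, &reply, 1) != 1) break;
    }
    _exit(0);
}

/* Mirrors fork_usermode_blob(): spawn the helper, hand back pid and pipes. */
int fork_model_helper(struct umh_model *info) {
    int to[2], from[2];
    if (pipe(to) < 0 || pipe(from) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                     /* child: keep only its own ends */
        close(to[1]); close(from[0]);
        helper_main(to[0], from[1]);
    }
    close(to[0]); close(from[1]);       /* parent: keep only its own ends */
    info->pipe_to_umh = to[1];
    info->pipe_from_umh = from[0];
    info->pid = pid;
    return 0;
}

/* One request/reply round trip over the pipe pair; -1 on error. */
int helper_request(struct umh_model *info, unsigned char req) {
    unsigned char reply;
    if (write(info->pipe_to_umh, &req, 1) != 1) return -1;
    if (read(info->pipe_from_umh, &reply, 1) != 1) return -1;
    return reply;
}

/* The cleanup the article calls for: kill by pid, close both pipes, reap. */
int stop_model_helper(struct umh_model *info) {
    int status;
    kill(info->pid, SIGTERM);
    close(info->pipe_to_umh);
    close(info->pipe_from_umh);
    return waitpid(info->pid, &status, 0) == info->pid ? 0 : -1;
}
```

Reaping with waitpid() after the kill is what keeps a finished helper from lingering as a zombie, the user-space analogue of the clean-up duty the article places on the kernel caller.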
The bpfilter module itself, as found in 4.18, does not actually do much. It creates the helper process and can pass a couple of no-op commands to it, but there is no packet-filtering machinery in place yet. That code exists (and has been posted recently) but has evidently been held back to give the user-mode helper mechanism a cycle to stabilize. Bpfilter is thus starting small, but it may have a big impact in the end; perhaps that's why Dave Miller said "let the madness begin" as he merged the code for 4.18.
The replacement of netfilter, even if it happens as expected, will take years to play out, but we may see a number of interesting uses of the new user-mode helper mechanism before then. The kernel has just gained a way to easily sandbox code that is carrying out complex tasks and which does not need to be running in a privileged mode; it doesn't take much effort to think of other settings where this ability could be used to isolate scary code. Just be careful not to call the result a "microkernel" or people might get upset.
Index entries for this article:
- Kernel: BPF
- Kernel: Modules/ELF modules
- Kernel: Networking/Packet filtering
Posted May 31, 2018 14:30 UTC (Thu)
by ehiggs (subscriber, #90713)
https://en.wikipedia.org/wiki/Greenspun%27s_tenth_rule
> Any sufficiently complicated C or Fortran program contains an ad-hoc, informally-specified, bug-ridden, slow implementation of half of Common Lisp.
Related is Zawinski's rule of software:
https://en.wikipedia.org/wiki/Jamie_Zawinski#Principles
> Every program attempts to expand until it can read mail. Those programs which cannot so expand are replaced by ones which can.
Posted Sep 5, 2018 15:43 UTC (Wed)
by gilbertoferreira43 (guest, #127049)
How can I disable this damn thing?
Thanks
Posted Sep 6, 2018 5:05 UTC (Thu)
by lkundrak (subscriber, #43452)
obviously
Posted Dec 9, 2019 14:03 UTC (Mon)
by sofardware (guest, #135967)
I used Linux 5.4.0; bpfilter and bpfilter_umh were installed and started. An iptables rule was created OK, but there is no XDP program for this rule with the "bpftool p" command. Why?
[root@localhost linux-5.4]# iptables -t filter -A INPUT -i lo -s 127.0.0.2/32 -d 127.0.0.1/32 -j DROP
[root@localhost linux-5.4]# lsmod |grep bpfilter
bpfilter 24576 0
[root@localhost linux-5.4]# ps -aux | grep umh
root 14830 0.0 0.0 4224 664 ? S 16:18 0:00 bpfilter_umh
[root@localhost linux-5.4]# iptables -nvL
Chain INPUT (policy ACCEPT 29 packets, 2057 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- lo * 127.0.0.2 127.0.0.1
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 16 packets, 1496 bytes)
pkts bytes target prot opt in out source destination
[root@localhost linux-5.4]# bpftool p
[root@localhost linux-5.4]#