FFPF: Fairly Fast Packet Filters
u
uspace
k
kspace
n
nspace
Herbert Bos
Willem de Bruijn
Trung Nguyen
Mihai Cristea
Georgios Portokalidis
Vrije Universiteit Amsterdam
Universiteit Leiden
http://ffpf.sourceforge.net/
Vrije Universiteit Amsterdam
Network Monitoring
●
Increasingly important
–
●
traffic characterisation, security
traffic engineering, SLAs, billing, etc.
Existing solutions:
–
designed for slow networks
or traffic engineering/QoS
–
not very flexible
We’re hurting because of
spread of SAPPHIRE in 30 minutes
●
–
hardware (bus, memory)
–
software (copies, context switches)
 demand for solution:
- scales to high link rates
- scales in no. of apps
- flexible
-process at lowest possible level
-minimise copying
-minimise context switching
-freedom at the bottom
generalised notion of flow
Flow: “a stream of packets that match arbitrary user criteria”
TCP SYN
UDP with
CodeRed
bytecount
eth0
HTTP
U
IP
TCP
RTSP
“contains worm”
UDP
RTP
 Flowgraph
UID 0
efficient
userspace
?
reduced copying and context switches
kernel
● sharing data
●
●
flowgraphs: sharing computations
?
x
“push filtering tasks as far down the processing
hierarchy as possible”
?
?
network card
reduce copying
●
FFPF avoids both ‘horizontal’ and ‘vertical’ copies
Application A
Application B
U
K
‘filter’
- no ‘vertical’ copies
- no ‘horizontal’ copies
within flow group
- more than ‘just filtering’
in kernel (e.g.,statistics)
Extensible
(device,eth0) | (device,eth1) -> (sampler,2) -> (FPL-2,”..”) | (BPF,”..”) -> (bytecount)
(device,eth0) -> (sampler,2) -> (BPF,”..”) -> (packetcount)
✔
modular framework
✔
language agnostic
✔
plug-in filters
Buffers
R
O
O
●
●
PacketBuf
–
circular buffer with N fixed-size slots
–
large enough to hold packet
O
O
IndexBuf
–
circular buffer with N slots
–
contains classification result + pointer
O
O
O
W
Buffers
O
O
●
●
PacketBuf
–
circular buffer with N fixed-size slots
–
large enough to hold packet
O
O
IndexBuf
–
circular buffer with N slots
–
contains classification result + pointer
O
R
O
O
W
Buffers
X
X
●
●
PacketBuf
–
circular buffer with N fixed-size slots
–
large enough to hold packet
X
X
IndexBuf
–
circular buffer with N slots
–
contains classification result + pointer
X
O
R
O
W
R1
O
Buffer management
 what to do if writer catches
up with slowest reader?
●
–
●
fast reader preference
–
application responsible for keeping up
●
●
O
O
O
O
can check that packets have been overwritten
different drop rates for different apps
O
O
overall speed determined by slowest reader
overwrite existing packets
O
O
drop new packets
(traditional way of dealing with this)
–
O
O
slow reader preference
–
O
O
O
O
O
W
R1
Languages
IF (PKT.IP_PROTO == PROTO_TCP)
THEN
// reg.0 = hash over flow fields
R[0] = Hash (14,12,1024)
●
FFPF is language neutral
●
Currently we support:
–
BPF
–
C
–
OKE Cyclone
–
FPL
// increment pkt counter at this
// location in MBuf
MEM[ R[0] ]++
FI
• simple to use
• compiles to optimised native code
• resource limited (e.g., restricted FOR loop)
• access to persistent storage (scratch memory)
• calls to external functions (e.g., fast C functions
or hardware assists)
• compiler for uspace, kspace, and nspace (ixp1200)
packet sources
●
currently three kinds implemented
-netfilter
-net_if_rx()
-IXP1200
uspace
●
kspace
implementation on IXPs: NIC-FIX
-bottom of the processing hierarchy
-eliminates mem & bus bottlenecks
nspace
Network Processors
“programmable NIC”
zero copy
copy once
on-demand copy
Performance results
pkt loss:
FFPF: < 0.5%
LSF: 2-3%
Performance results
pkt loss:
LSF:64-75%
FFPF: 10-15%
Performance
Copy St rat egies
100
reference
d rop
accept
90
processed (in %)
80
70
60
50
40
30
20
10
0
r eg ular copy
copy once
zer o copy
Summary
concept of ‘flow’  generalised
copying and context switching  minimised
processing in kernel/NIC  complex programs + ‘pipes’
FPL: FFPF Packet Languages  fast + flexible
persistent storage  flow-specific state
authorisation + third-party code any user
flow groups  applications sharing packet buffers
More Information
http://ffpf.sourceforge.net/
microbenchmarks