xt_bpf in 3.9

Hi all!

 

linux-3.9 added an analogue of FreeBSD's ng_bpf: xt_bpf

 

At least, on an x86_64 that achieves 40K netperf TCP_STREAM without any iptables rules (40 GBps),

 

inserting 100x this bpf rule gives 28K

 

./iptables -A OUTPUT -m bpf --bytecode '6,40 0 0 14, 21 0 3 2048,48 0 0 25,21 0 1 20,6 0 0 96,6 0 0 0,' -j

 

inserting 100x this u32 rule gives 21K

 

./iptables -A OUTPUT -m u32 --u32 '6&0xFF=0x20' -j DROP

 

bytecode compiler:

http://patchwork.ozlabs.org/patch/221140/

iptables module:

http://patchwork.ozlabs.org/patch/215095/

 

That said, you can do without the bytecode compiler and use tcpdump for this instead:

 

modprobe ipip
tcpdump -i tunl0 -ddd 'udp' > udp.bpf
tcpdump -i tunl0 -ddd 'icmp' > icmp.bpf
iptables -A INPUT -m bpf --bytecode-file udp.bpf  -j LOG --log-prefix "udp: "
iptables -A INPUT -m bpf --bytecode-file icmp.bpf  -j LOG --log-prefix "icmp: "

 

the result:

 

[17450.201379] udp: IN=dsw0 OUT= MAC= SRC=192.168.99.1 DST=192.168.99.255 LEN=225 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=205 
[17450.201430] udp: IN=eth0 OUT= MAC= SRC=192.168.100.2 DST=192.168.100.255 LEN=226 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=206 
[17450.201477] udp: IN=virbr0 OUT= MAC= SRC=192.168.122.1 DST=192.168.122.255 LEN=226 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=206 
[17451.241597] udp: IN=eth0 OUT= MAC=00:15:17:14:c8:c3:00:30:4f:64:71:92:08:00 SRC=10.250.0.3 DST=192.168.100.2 LEN=507 TOS=0x00 PREC=0x00 TTL=60 ID=44930 PROTO=UDP SPT=5060 DPT=5060 LEN=487 
[17453.963938] udp: IN=eth0 OUT= MAC=00:15:17:14:c8:c3:00:30:4f:64:71:92:08:00 SRC=192.168.100.1 DST=192.168.100.2 LEN=237 TOS=0x00 PREC=0x00 TTL=64 ID=63634 PROTO=UDP SPT=53 DPT=8516 LEN=217 
[17460.203403] icmp: IN=eth0 OUT= MAC=00:15:17:14:c8:c3:00:30:4f:64:71:92:08:00 SRC=192.168.100.1 DST=192.168.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=18090 SEQ=1 
[17461.204093] icmp: IN=eth0 OUT= MAC=00:15:17:14:c8:c3:00:30:4f:64:71:92:08:00 SRC=192.168.100.1 DST=192.168.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=18090 SEQ=2
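To make the tcpdump trick above concrete, here is an added example (not from the thread or the xt_bpf patches): a small Python helper that parses the `tcpdump -ddd` file format and the `-m bpf --bytecode` string (the same fields, comma-joined), encodes back to the `--bytecode` form, and runs the program over a constructed raw IPv4 packet the way xt_bpf evaluates it (non-zero return value means the rule matches). The UDP filter embedded below is hand-written for a raw-IP link such as tunl0, not captured tcpdump output.

```python
"""Classic BPF helpers for xt_bpf (added example, not from the thread): parse
`tcpdump -ddd` / `--bytecode` text, re-encode it, and evaluate it on a packet."""
import struct

BPF_LD, BPF_JMP, BPF_RET = 0x00, 0x05, 0x06   # instruction classes (linux/filter.h)
BPF_W, BPF_H, BPF_B, BPF_ABS, BPF_JEQ, BPF_K = 0x00, 0x08, 0x10, 0x20, 0x10, 0x00

def parse_ddd(text):
    """tcpdump -ddd: first line is the count, then one 'code jt jf k' per line.
    The --bytecode string is the same fields joined by commas, so it parses too."""
    fields = [f for f in (x.strip() for x in text.replace(",", "\n").splitlines()) if f]
    insns = [tuple(int(x) for x in f.split()) for f in fields[1:]]
    if len(insns) != int(fields[0]):
        raise ValueError("instruction count mismatch")
    return insns

def to_bytecode_string(insns):
    """Encode for -m bpf --bytecode, i.e. what --bytecode-file udp.bpf is loaded as."""
    return "%d,%s" % (len(insns), ",".join("%d %d %d %d" % i for i in insns))

def run_cbpf(insns, pkt):
    """Subset interpreter: LD|ABS (B/H/W), JMP|JEQ with immediate K, RET K.
    A load past the end of the packet returns 0 (no match), as the kernel does."""
    a, pc = 0, 0
    while pc < len(insns):
        code, jt, jf, k = insns[pc]
        pc += 1
        cls = code & 0x07
        if cls == BPF_LD and (code & 0xe0) == BPF_ABS:
            size = {BPF_B: 1, BPF_H: 2, BPF_W: 4}[code & 0x18]
            if k + size > len(pkt):
                return 0
            a = int.from_bytes(pkt[k:k + size], "big")
        elif cls == BPF_JMP and (code & 0xf0) == BPF_JEQ:
            pc += jt if a == k else jf
        elif cls == BPF_RET and (code & 0x18) == BPF_K:
            return k
        else:
            raise NotImplementedError("opcode 0x%02x not handled" % code)
    return 0

def ipv4_packet(proto):
    """Constructed 20-byte IPv4 header, no options (checksum left 0, not inspected)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0x4000, 64, proto, 0,
                       bytes([192, 168, 100, 1]), bytes([192, 168, 100, 2]))

# Hand-written filter for a raw-IP link such as tunl0 (not captured tcpdump output):
# ldb [9] (IP protocol); jeq #17 -> ret 65535; else ret 0.
UDP_DDD = "4\n48 0 0 9\n21 0 1 17\n6 0 0 65535\n6 0 0 0\n"
```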


Ooh, now that's really cool. I'll have to poke at it...

Thanks for the info.

 

As I understand it, on some platforms it also JITs to native code if you set sysctl -w net.core.bpf_jit_enable=1
