Integrate Pflua #444
Integrate Pflua #444
Conversation
pflua is the packet LuaJIT-based filtering library from Igalia: - /~https://github.com/Igalia/pflua - https://wingolog.org/archives/2014/09/02/high-performance-packet-filtering-with-pflua - http://www.slideshare.net/igalia/highperformance-packet-filtering-with-pflua-fosdem-2015 - https://fosdem.org/2015/schedule/event/packet_filtering_pflua/
(cherry picked from commit a0f2830)
This module is simplified to only use pflua and not support libpcap. This frees Snabb Switch of an awkward runtime dependency on libpcap when this lib.pcap.filter module is used.
* src/Makefile: Add appropriate makefile rules. (cherry picked from commit 3f8233d)
Treat deps/*.vsn files as the "proof" that a submodule is correctly fetched and built with a specific version.
|
I haven't read the code but the way I understand this PR it's all about the config format and interpreting that into an internal format, right? The actual parsing of packets and matching towards filters remains the same? pcap expressions (aren't they called BPF?) are probably well suited for network people but are they really superior for machine interaction? I imagine another system having an internal representation, that probably looks quite a lot like the current config format of packet_filter, and then translating that into a BPF expression only for snabb to again interpret it. It's a bit like SQL. RDBMS were fitted with a query language that humans could write and there was a time when users, not developers or system administrators, actually interfaced with databases using SQL. But then we invented web2.0 and wrote pretty user interfaces that anyone, even novice users, could use. All of a sudden it's a machine generating SQL, the language invented for humans, and to make it easy for the programmers, ORMs were developed. So what is the job of the parser and planner in any RDBMS? To turn that pesky human-writeable format into something more suitable for a computer. Full circle. Newer databases, like Rethinkdb offers a different model, where there is never a format suitable for humans, instead you interface with it directly from your favourite language (see rethinkdb.com, although it's a bit off-topic ;). I'm all for a BPF style interface to ease human interaction but I'm not convinced it should be the only format. |
|
I think that we see things the same way, just that the text in my PR is a bit bombastic :) The meat of this change is to replace the syntax for end-users to configure packet filtering in the Instead of human users writing verbose configurations like this: we would write short ones like this: and that this change would have non-trivial implications for the rest of the code base that have to be worked out on this branch. I do take your point that we must not force developers to shoe-horn new problems into filter expressions. There also needs to be a fully general Lua API and we need to be making that more friendly to use over time e.g. with abstractions like Alex's datagram library. I have spent more than enough of my life writing code to translate abstract problems into elaborate btw: In the YANG universe are there some standard schemas for defining packet filters? (ACLs, etc?) That would be interesting to see as context. |
|
Ok, cool. Sounds like we are on the same page. Regarding YANG, there's a draft (99% of YANG models are drafts at this point) at least; https://tools.ietf.org/html/draft-huang-netmod-acl-01 |
|
On Sun, Apr 12, 2015 at 10:23 AM, Kristian Larsson <notifications@github.com
Note that this revision has expired in 2013 (though there are newer ones But check out: https://tools.ietf.org/html/draft-ietf-netmod-acl-modelSimon. |
|
It appears that the logic that installs pflua in the snabbswitch/src directory is missing? |
|
@alexandergall Yeah this branch is incomplete. I'll try to push a working version this week. (Let me know if you want this urgently and I will push a work in progress; only issue is that I have one small change to pflua itself that I need to work on what to do with.) |
|
No hurry. I should be working on other stuff anyway :) |
This is an implementation of the current packet filtering application using pflua. (cherry picked from commit f2041a7)
(cherry picked from commit fdab68a)
(cherry picked from commit 949ede8)
(cherry picked from commit 0a66ad6)
pcap_filter is the new name for the pflua-based packet filter. (packet_filter module is deleted.)
Define FFI pcap record types with anonymous structs instead of named ones. The names aren't globally unique anymore: pflua uses them too.
This app is simple: it filters packets using one pflua filter rule. Optionally it also uses conntrack for stateful tracking. The unit tests are weak: they are intended to detect breakages and unexpected changes in the behavior of pflua and conntrack, but not to actually test the correctness of those libraries (which are other units).
This implicitly switches the "snabbnfv traffic" program from its
original filtering configuration syntax:
ingress_filter = { rules = { { ethertype='ipv6',
protocol='tcp',
dest_port_min=24,
dest_port_max=25 } } }
To a new one:
ingress_filter = "ip6 and tcp dst portrange 24-25"
Reference configuration files are updated.
This change makes our submodule point to a pflua tree on the SnabbCo github account i.e. we have our own branch of pflua that we can directly merge changes that we need into and then sync with upstream separately.
snabbnfv-traffic now requires packet filtering rules to be specified as pcap-filter(7) expressions. Now neutron2snabb translates the Security Group ACL rules into such expressions.
|
The code is all there now but it is not properly tested yet.
I don't claim that filter expressions are the universal solution for all applications, but I do think that they are an upgrade from Security Groups and that translation is a reasonable way to stay compatible with Neutron. I especially like the fact that we can easily add new concepts, for example VLAN-aware filter rules for trunk ports, without waiting for OpenStack to reach consensus on an API. @eugeneia are you interested in helping to test and document this? :-) |
|
You probably know, but FYI support for vlan is one of the few remaining to-be-implemented operators in pflua. |
|
@lukego Yeah sure, on it!
|
|
@lukego The failure was due to a missing |
in port ranges to be 65535/0. Instead assume the smallest possible port range. E.g. If upper bound is 100 and lower bound is undefined assume lower bound to be 100 (= upper bound).
|
Encouraging news. I've tried pflua with my app and I see a significant performance boost. I run my test on interlaken with loadgen. There are 3 calls to the pcap.filter match() method in the decapsulation path (one in nd_light, one in a "dispatcher" that demuxes tunneled packets into the proper pseudowire based on src/dst and a match for the tunnel protocol). The profiler for a typical run shows this: 100% Compiled The packet-rate is around 2.6Mpps. The performance is dominated by the BPF matches, followed by the actual decapsulation (using AVX memmove). With pflua, I get The BPF overhead is a lot smaller and the packet-rate is up to ~3.3Mpps! I'll do more thorough tests, but this is looking very good. Cool! Oh, the packet rates without the profiler running are 3.0Mpps vs 4.2Mpps :) |
|
@alexandergall woohoo! 20% speedup in a real application simply by switching libpcap for pflua sounds promising indeed. Great work, pflua hackers! |
|
@eugeneia Thanks! I had indeed missed that :) |
|
The speedups are a pleasant surprise :) Note that we found a couple bugs recently affecting e.g. icmp6. The expander for "icmp6" had a bug whereby it expanded to the pflang equivalent of ip6[proto_offset] == ICMP, which had the side effect of asserting that the packet was ipv6 -- meaning "icmp6 or icmp" would never see the "icmp" side. It now expands to the equivalent of (ip6 and ip6[proto_offset] == ICMP). Anyway, details, but you might run into this bug and it's probably worth updating pflua. |
|
FWIW, Igalia/pflua#159 is fixed and extra support for dotted triples, dotted doubles, etc will land soon (Igalia/pflua#176). |
|
Groovy. Let's get some more experience with this code :). |
Move soaktest to own folder
This branch explores adopting pcap filter expressions to configure packet filtering in Snabb Switch. This is made easy by pflua, a small and embeddable pcap filter compiler based on LuaJIT.
The work outline for this branch is:
lib.pcap.filter(replacing libpcap)I am cherry-picking commits from #442 with the difference that I "burn the boats" by outright replacing the old packet filtering code.
This branch can only merge if the pflua alternative is okay for all of our existing use cases. This seems plausible: I do think that pcap-filter expressions make a fundamentally superior API that is simpler, more flexible, and more familiar to networking people (from using tcpdump).