Session

Introducing Ptables

Speakers

Jamal Hadi Salim
Nabil Bitar

Label

Nuts and Bolts

Session Type

Talk

Contents

Description

In this talk we describe Ptables, an access control list (ACL) subsystem for Linux.

Ptables is inspired by iptables as an ACL subsystem. Iptables is widely deployed and well understood from a management perspective, but it has performance challenges (see our submitted netdev 0x15 talk, "Linux ACL Performance Analysis" [0]). The motivating idea behind Ptables is to overcome the iptables performance challenges while keeping the iptables management semantics for continuity. In iptables a rule's priority is implicit in its position within a chain, with large rule sets typically grouped via ipset and port ranges; Ptables emulates this with explicitly defined ruleset priorities, so that the order in which rules are installed no longer determines which one wins. Ptables, as currently implemented, also optionally provides 5-tuple statefulness that may be extended in the future.

There have been other efforts to replace iptables using eBPF (see "Toward an eBPF-based clone of iptables" [1] and "Rethinking bpfilter and user-mode helpers" [2][3]). However, these efforts have not yet seen widespread adoption, perhaps because of the complexity that comes with aiming to be fully compatible clones of iptables, i.e., having the eBPF tooling accept traditional iptables commands and transform them at runtime into eBPF semantics. We instead take a revolutionary approach to replacing iptables.

Ptables is a minimalistic ACL architecture. We adopt what we feel are sufficient features from iptables and nothing more. In its basic form Ptables implements rulesets based on the classical 5-tuple: source/destination IP address, protocol identifier and source/destination transport port number. The source and destination IP addresses are grouped into CIDR tables (similar to an ipset hash), and the source and destination transport ports can be ranges, lists or individual ports (similar to iptables multiport). Rulesets are applied to a group of one or more network ports in the ingress or egress direction. We also introduce an optional flow state cache that complements the rulesets. Our stateful cache, shaped by our minimalist approach, is not as feature-rich as iptables connection tracking (conntrack), but we believe it is sufficient.
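The following is an added userspace model of the ruleset semantics described above, written for this page; it is not Ptables code, which has not been released. The choice that a lower priority number wins, the caching of the reverse 5-tuple when a flow is accepted, the default verdict and the sample addresses are all assumptions of the example rather than anything the abstract specifies. It shows the point that matters for auditing such a policy: a DROP rule installed after an ACCEPT rule still wins when its explicit priority is higher, and an established flow (including the reply direction) is decided by the flow cache without consulting the rulesets at all.

```python
import ipaddress
from dataclasses import dataclass

ANY = None  # wildcard for any rule field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int      # IP protocol number: 6 = TCP, 17 = UDP
    sport: int
    dport: int

    def key(self):
        return (self.src, self.dst, self.proto, self.sport, self.dport)

    def reverse_key(self):
        return (self.dst, self.src, self.proto, self.dport, self.sport)


def parse_ports(spec):
    """'80,443,8000-8100' -> ((80, 80), (443, 443), (8000, 8100)); ANY stays ANY."""
    if spec is ANY:
        return ANY
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), (int(hi) if hi else int(lo))
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec {part!r}")
        ranges.append((lo, hi))
    return tuple(ranges)


class Rule:
    """One 5-tuple rule: address fields are CIDR tables, port fields are port specs."""

    def __init__(self, action, src=ANY, dst=ANY, proto=ANY, sport=ANY, dport=ANY):
        self.action = action
        self.src = ANY if src is ANY else tuple(ipaddress.ip_network(c) for c in src)
        self.dst = ANY if dst is ANY else tuple(ipaddress.ip_network(c) for c in dst)
        self.proto = proto
        self.sport = parse_ports(sport)
        self.dport = parse_ports(dport)

    @staticmethod
    def _in_table(table, addr):
        return table is ANY or any(ipaddress.ip_address(addr) in net for net in table)

    @staticmethod
    def _in_ports(ranges, port):
        return ranges is ANY or any(lo <= port <= hi for lo, hi in ranges)

    def matches(self, pkt):
        return (self._in_table(self.src, pkt.src)
                and self._in_table(self.dst, pkt.dst)
                and (self.proto is ANY or self.proto == pkt.proto)
                and self._in_ports(self.sport, pkt.sport)
                and self._in_ports(self.dport, pkt.dport))


class Ptables:
    """Rulesets keyed by explicit priority (assumption: lower number wins) plus a 5-tuple flow cache."""

    def __init__(self, default="DROP"):
        self.rulesets = {}   # priority -> rules in insertion order
        self.flows = {}      # 5-tuple -> verdict
        self.default = default

    def add(self, priority, rule):
        self.rulesets.setdefault(priority, []).append(rule)

    def lookup(self, pkt):
        """Return (verdict, where it was decided): the cache, a ruleset priority, or the default."""
        if pkt.key() in self.flows:
            return self.flows[pkt.key()], "cache"
        for prio in sorted(self.rulesets):           # explicit priority, not insertion order
            for rule in self.rulesets[prio]:
                if rule.matches(pkt):
                    self.flows[pkt.key()] = rule.action
                    if rule.action == "ACCEPT":       # assumption: reply direction bypasses the rulesets
                        self.flows[pkt.reverse_key()] = rule.action
                    return rule.action, f"ruleset {prio}"
        return self.default, "default"


def build_demo():
    """Constructed example policy: the DROP is installed after the ACCEPT but outranks it."""
    t = Ptables(default="DROP")
    t.add(100, Rule("ACCEPT", dst=["192.0.2.0/24"], proto=6, dport="80,443,8000-8100"))
    t.add(10, Rule("DROP", src=["10.66.0.0/16"]))
    return t


if __name__ == "__main__":
    t = build_demo()
    for p in (Packet("198.51.100.7", "192.0.2.10", 6, 40000, 443),
              Packet("192.0.2.10", "198.51.100.7", 6, 443, 40000),
              Packet("10.66.1.1", "192.0.2.10", 6, 40000, 443),
              Packet("198.51.100.7", "192.0.2.10", 17, 40000, 80)):
        print(p, "->", t.lookup(p))
```

Because a cache hit short-circuits the rulesets, changing a rule in this model does not affect flows already in the cache until their entries are removed; a real implementation needs an invalidation or ageing policy for exactly that reason.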

Ptables is able to handle millions of rules grouped into thousands of ruleset priorities. In the current version, caching is used to enhance performance in the presence of many rulesets.

Our initial implementation is based on eBPF (it works on both tc and XDP); however, our future plan is to integrate whatever other Linux subsystem makes sense to achieve a specific ACL goal (e.g., TC in general, or hardware offload where it makes sense).

In this talk we will go into the details of:
* Motivation
* Design choices
* Implementation challenges with eBPF
* Performance numbers
* Future plans

Our intention is to open-source the Ptables code.


References:
[0] https://netdevconf.info/0x15/session.html?talk-linux-ACL-performance-analysis
[1] https://netdevconf.info/0x12/session.html?toward-an-ebpf-based-clone-of-iptables
[2] https://lwn.net/Articles/822744/
[3] https://lore.kernel.org/bpf/c72bac57-84a0-ac4c-8bd8-08758715118e@fb.com/T/