Linux ACL Performance Analysis


Jamal Hadi Salim
Nabil Bitar


Session Type: Nuts and Bolts


Systems that use Linux Network Access Control Lists (ACLs) include bare-metal compute platforms, virtualized compute platforms supporting virtual machines (VMs), compute platforms running containerized applications, and VMs.
ACLs may be enforced at the platform level, at the workload level (VM or container), or at the application level.

This talk describes our work evaluating the performance of the different ACL subsystems in the Linux kernel from both a control-path (ACL programming) and a datapath perspective, for both _Forwarding_ and _Host_ workloads.

In our work, the ACL subsystem is the System Under Test (SUT). We model ACL rulesets with the following tuples:

i) groupings of interfaces/ports,
ii) groupings of source IPv4 CIDR addresses,
iii) groupings of destination IPv4 CIDR addresses,
iv) groupings of source ports (lists and ranges), and
v) groupings of destination ports (lists and ranges).

The following ACL subsystems (SUTs) were reviewed:
- iptables (with and without conntrack),
- iptables with ipset (with and without conntrack),
- XDP/eBPF,
- tc/eBPF,
- tc/flower.
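As an added illustration of the ruleset model above (example code, not the authors' tooling), the following Python script takes one grouped rule and emits its plain iptables expansion beside the equivalent ipset form, so the difference in installed table size between the first two SUTs is visible; the rule contents, interface names and set names are constructed.

```python
import ipaddress
from itertools import product

# Constructed example of one grouped rule in the five-tuple model of the study:
# interface group, src CIDR group, dst CIDR group, src ports, dst ports.
# A port entry is either an int or a (low, high) range tuple.
RULE = {
    "ifaces": ["eth0", "eth1"],
    "src": ["10.0.0.0/24", "10.0.1.0/24", "192.168.5.0/25"],
    "dst": ["172.16.0.0/16"],
    "sport": [(1024, 65535)],
    "dport": [22, 443, (8000, 8100)],
}

def ipt_port(flag, p):
    # iptables syntax: --dport 22 for a single port, --dport 8000:8100 for a range
    return f"{flag} {p}" if isinstance(p, int) else f"{flag} {p[0]}:{p[1]}"

def ipset_port(p):
    # ipset bitmap:port entry syntax: "22" for a single port, "8000-8100" for a range
    return str(p) if isinstance(p, int) else f"{p[0]}-{p[1]}"

def expand_iptables(rule, action="DROP"):
    """Plain iptables cannot match a group, so one grouped rule becomes the
    cross product of its groupings: one kernel rule per combination."""
    for cidr in rule["src"] + rule["dst"]:
        ipaddress.ip_network(cidr)  # reject malformed CIDRs before emitting anything
    for iface, src, dst, sp, dp in product(rule["ifaces"], rule["src"], rule["dst"],
                                           rule["sport"], rule["dport"]):
        yield (f"iptables -A FORWARD -i {iface} -s {src} -d {dst} -p tcp "
               f"{ipt_port('--sport', sp)} {ipt_port('--dport', dp)} -j {action}")

def ipset_rules(rule, name="acl1", action="DROP"):
    """Same policy with ipset: each grouping becomes a set, and a single
    iptables rule per interface matches all four sets at once."""
    sets = [f"ipset create {name}_src hash:net", f"ipset create {name}_dst hash:net",
            f"ipset create {name}_sport bitmap:port range 0-65535",
            f"ipset create {name}_dport bitmap:port range 0-65535"]
    sets += [f"ipset add {name}_src {c}" for c in rule["src"]]
    sets += [f"ipset add {name}_dst {c}" for c in rule["dst"]]
    sets += [f"ipset add {name}_sport {ipset_port(p)}" for p in rule["sport"]]
    sets += [f"ipset add {name}_dport {ipset_port(p)}" for p in rule["dport"]]
    rules = [f"iptables -A FORWARD -i {iface} -p tcp -m set --match-set {name}_src src "
             f"--match-set {name}_dst dst --match-set {name}_sport src "
             f"--match-set {name}_dport dst -j {action}" for iface in rule["ifaces"]]
    return sets, rules

def rule_counts(rule):
    """Rules installed in the FORWARD chain by each approach: the table-size axis."""
    return {"iptables": sum(1 for _ in expand_iptables(rule)),
            "iptables+ipset": len(ipset_rules(rule)[1])}
```

The matching work does not vanish with ipset; it moves from a linear walk of the rule list into hash and bitmap set lookups, which is the trade-off the data-path measurements compare.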

We will detail the effort we put into reducing the number of variables (e.g., turning off hyperthreading) in order to focus the performance assessment on the ACL subsystem itself. We will also describe our effort to ensure a fair comparison among the subsystems, using the same testing methodology, testing environment, traffic patterns, and traffic generator for all of them.

Our analysis looks at:
- control path performance, with the goal of seeing the overall system effect (for example, adding or deleting ACL rules while the population of the kernel tables varied);
- data path performance under a variety of conditions (for example, different table sizes, worst-case lookups, etc.).

We collect performance data on multiple dimensions, for example:
- data rate (bits/sec and packets/sec)
- flow connections/sec
- end-to-end latency
- CPU utilization
- control path latency and transaction rate

In the case of eBPF, we wrote our own implementation of the ACL subsystem, with a control plane that emulates iptables and ipset. The eBPF implementation, known as "Ptables", will be discussed in the talk "Introducing Ptables" at Netdev conf 0x15.

Our contributions:

As far as we know, this is the first extensive study of Linux kernel ACLs for both forwarding and host workloads that compares all the ACL subsystems listed above under the same conditions. We hope our experience will help others in the community decide which approach to take under given circumstances. We welcome community feedback to evolve the work further, and we will make available the testing tools we created for this work.