1 / 27

FFPF: Fairly Fast Packet Filters

uspace. uspace. kspace. kspace. nspace. nspace. FFPF: Fairly Fast Packet Filters. Herbert Bos Vrije Universiteit Amsterdam herbertb @ cs.vu.nl http://ffpf.sourceforge.net. u. u. k. k. n. n. Network Monitoring.

reginacarroll
Download Presentation

FFPF: Fairly Fast Packet Filters

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. uspace uspace kspace kspace nspace nspace FFPF: Fairly Fast Packet Filters Herbert Bos Vrije Universiteit Amsterdam herbertb @ cs.vu.nl http://ffpf.sourceforge.net u u k k n n

  2. Network Monitoring -process at lowest possible level-minimise copying -minimise context switching -freedom at the bottom • We’re hurting because of • hardware (bus, memory) • software (copies, context switches)  demand for solution:-scales to high link rates - scales in no. of apps - flexible

  3. What is it? RTSP • single framework for monitoring that • uses all levels in the processing hierarchy • is language neutral • offers advanced processing in NIC • supports stateless and stateful filters • is backward compatible with pcap(while also supporting a much more powerful packet language) • helps users to build complex monitoring applications by ‘clicking components together’ “contains worm” HTTP RTP bytecount UDP TCP IP U

  4. - no ‘vertical’ copies - no ‘horizontal’ copies within flow group - more than ‘just filtering’ in kernel (e.g.,statistics) Application B ‘filter’ reduce copying • FFPF avoids both ‘horizontal’ and ‘vertical’ copies Application A U K

  5. W Buffers • PacketBuf • circular buffer with N slots • large enough to hold packet • IndexBuf • circular buffer with N slots • pointers to packets in PacketBuf R O O O O O O O

  6. Buffers • PacketBuf • circular buffer with N slots • large enough to hold packet • IndexBuf • circular buffer with N slots • pointers to packets in PacketBuf O O O O O O O W R

  7. Buffers • PacketBuf • circular buffer with N slots • large enough to hold packet • IndexBuf • circular buffer with N slots • pointers to packets in PacketBuf X X X X X O O W R

  8. R2 O O O O O O O O O O O O O O O O R1 W Buffer management  what to do if writer catches up with slowest reader? • slow reader preference • drop new packets (traditional way of dealing with this) • overall speed set by slowest reader • fast reader preference • overwrite existing packets • application responsible for keeping up • check whether packets have been overwritten • different drop rates for different apps

  9. How to use it? we build complex applications out of simple components

  10. Software structure applications FFPF toolkit MAPI FFPF userspace libpcap userspace-kernel boundary FFPF kernelspace host- NIC boundary FFPF ixp2xxx

  11. Extensible • modular framework • language agnostic • plug-in filters (device,expr=eth0) > (sampler, expr=2) > (BPF,expr=”..”) > (packetcount) [(device,expr=eth0) | (device,expr=eth1)] > (sampler,expr=2) > [(FPL-2,expr=”..”) | (BPF,expr=”..”)] > (bytecount)

  12. Example: GUI for creating flowgraphs

  13. simple GUI support

  14. simple GUI support

  15. simple GUI support

  16. mapping on hardware FFPF is responsible for mapping the flowgraph on the underlying hardware

  17. Instantiating flow graphs USERSPACE functions not available in kernel KERNEL 19

  18. Instantiating flow graphs USERSPACE functions available in kernel KERNEL 20

  19. Three flavours • Three flavours of packet processing on IXP & host • Regular • copy only when needed • may be slow depending on access pattern • Zero copy • never copy • may be slow depending on access pattern • Copy once • copy always 21

  20. Example 1: writing applications • int main(int argc, char** argv) { • void *opaque_handle; • intcount, returnval; • /** pass the string to the subsystem. It initializes and returns an opaque pointer */ • opaque_handle = ffpf_open(argv[1], strlen(argv[1])); • if(start_listener(asynchronous_listener, NULL)) • { • printf (WARNING,“spawn failed\n"); • ffpf_close (opaque_handle); return -1; • } • count = ffpf_process(FFPF_PROCESS_FOREVER); • stop_listener(1); • returnval = ffpf_close(opaque_handle); • printf(,"processed %d packets\n",count); • return returnval; • }

  21. Example 1: writing applications • void* asynchronous_listener(void* arg) { • int i; • while (!should_stop()) { • sleep(5); • for (i=0;i<export_len;i++) { • printf("flowgrabber %d: read %d, written%d\n", i, get_stats_read(exported[i]), get_stats_processed(exported[i])); • while ((pkt =get_packet_next(exported[i]))) { • dump_pkt(pkt); • } • } • } • return NULL; • }

  22. Example 2: FPL-2 • new pkt processing language: FPL-2 • for IXP, kernel and userspace • simple, efficient and flexible • simple example: filter all webtraffic • IF ( (PKT.IP_PROTO == PROTO_TCP) && (PKT.TCP_PORT == 80)) THEN RETURN 1; • more complex example: count pkts in all TCP flows • IF (PKT.IP_PROTO == PROTO_TCP) THEN R[0] = Hash[ 14, 12, 1024]; M[ R[0] ]++;FI

  23. FPL-2 • all common arithmetic and bitwise operations • all common logical ops • all common integer types • for packet • for buffer ( useful for keeping state!) • statements • Hash • External functions • to call hardware implementations • to call fast C implementations • If … then … else • For … break; … Rof • Return

  24. Example application: dynamic ports 1. // R[0] stores no. of dynports found (initially 0) 2. IF (PKT.IP_PROTO==PROTO_TCP) THEN 3. IF (PKT.TCP_DPORT==554) THEN 4. M[R[0]]=EXTERN("GetDynTCPDPortFromRTSP",0,0); 5. R[0]++; 6. ELSE // compare pkt’s dst port to all ports in array – if match, return pkt 7. FOR (R[1]=0; R[1] < R[0]; R[1]++) 8. IF (PKT.TCP_DPORT == M[ R[1] ] ) THEN 9. RETURN TRUE; 10. FI 11. ROF 11. FI 12. FI 12. RETURN FALSE;

  25. Summary • concept of ‘flow’  generalised • copying and context switching minimised • processing in kernel/NIC  complex apps + ‘pipes’ • FPL: FFPF Packet Languages  fast + flexible • persistent storage  flow-specific state • flow groups applications sharing packet buffers • commandline/GUIs  easy to use

  26. More Information http://ffpf.sourceforge.net/

  27. Pkt processing on IXP 29

More Related