3
votes

I've just read in these answers about two options for developing packet filters in Linux.

The first is using iptables and netfilter, probably with NFQUEUE and libnetfilter_queue library.

The second is using BPF (Berkeley Packet Filter), which, on a quick reading, seems to have similar capabilities for filtering purposes.

So, which of these alternatives is a better way to create a packet filter? What are the differences? My software is going to run as a gateway proxy, or "man-in-the-middle", that should receive a packet from one computer (with a destination address of another one, not the filter's local address) and send it out after some filtering.

Thanks a lot!

1
I probably will go with netfilter/iptables since, from an architectural point of view, I think it is better than BPF. Just to point out an example, I like the translation order on netfilter with the {PRE|POST}ROUTING chains, since they don't clash with firewall chains/rules, unlike BPF, whose order is strange. – Diosney
Thanks. By the way, if I want to release "out-of-the-box" software (that does not require OS configuration like setting firewall rules, but only a simple kind of installation), isn't it better to use BPF? However, I need more information about the differences, since it's not the main consideration. – Reflection
Maybe; it is true that it is simpler, but that isn't always good. – Diosney
By the way, is development in BPF also simple, or just the architecture? – Reflection

1 Answer

1
votes

Though my understanding is limited to the theoretical, I've done some reading while debugging the Kubernetes networking implementation and can thus take a stab at answering this.

Broadly, both netfilter and eBPF (the successor to BPF) implement a virtual machine that executes some logic while processing packets. netfilter's implementation appears to strive for compatibility with iptables' previous implementation, being essentially a more performant successor to iptables.

However, there are still performance problems when using iptables, particularly when there are large sets of iptables rules. The way eBPF is structured can alleviate some of these performance problems; specifically:

  • eBPF can be offloaded to a "smart nic"
  • eBPF can be structured to lookup rules more efficiently

Though it was initially used for network processing, eBPF is also being used for kernel instrumentation (sysdig, iovisor). It has a far larger set of use cases, but because of this it likely has a much tougher learning curve.

So, in summary:

  • Use what you're familiar with, unless you hit perf problems then
  • Look at eBPF

Relevant:

Notes:

  • eBPF is the successor to cBPF, and has replaced it in the kernel
  • I refer to eBPF explicitly here out of habit