eBPF packet filters/classifiers using Julia? anyone interested in experimenting?

Hi there enthusiasts. Linux kernel has a system called eBPF for creating bytecode that can be used in a variety of places, including in tc filters and the firewall system. Firewalling is a bit more experimental, but the tc-bpf system for classifying packets and doing tc actions is I think more well tested.


For simple firewall purposes, there's a BPF match in iptables: https://ipset.netfilter.org/iptables-extensions.man.html

Interestingly the Julia programming language which is a very nice just in time compiled language for interactive usage has a module called BPFnative.jl which can take in Julia functions and output bytecode compiled versions. Right now there's not much in the way of documentation but there are a bunch of tests in the package that can be used as examples of how to use it. The output could in theory be dumped to a file and then transported over to a router and loaded into the kernel.

I'm wondering if anyone is interested in experimenting with using eBPF to classify packets on ingress and take actions like setting DSCP values and soforth for the purpose of improving quality of service or other useful actions?

@moeller0 for example? or anyone from the Help prioritizing games with alternative qdisc design thread?

There is a eBPF mode for Suricata6 I could never get to compile correctly. I'd have to revisit why, but I believe it was limited to x86_64 only?

I guess the biggest issue that we would need a method to peek into the NAT tables on ingress, that is the reason for our issues, otherwise, I believe, tc would be workable, but without getting to the NATed internal addresses things are just odd. Now, ebpf might be able to pull that off, but that seems a big step....

The ever impressive Pete Heist (of irtt fame) has his own experiments with using ebpf as part of a classification scheme, see:

I always wondered whether I should try to learn Julia, but I guess in my field Matlab (in spite of the steep license costs) still rules and the next likely candidate would be python...

Yeah, I think that's a big deal, and I've been wondering about it. Perhaps we could do a routing based solution, where things go through the routing machinery, and then get routed to an IFB before then being mirrored to their final destination? at that point it would have the appropriate NATted addresses? Also for IPv6 it's normally not an issue :slight_smile:

Julia blows matlab and python both out of the water IMHO. If you learn Julia you will never go back. Might make it hard to keep your job :wink:

Probably the solution is still to switch to nftables, and ultimately let nftables compile to eBPF which I think is the direction it will head in.