Userspace netmap-powered JIT-compiled firewall
Student: Daniel Peyrolón (email@example.com)
Mentor: David Chisnall (firstname.lastname@example.org)
The objective of this project is to develop a netmap-powered firewall with JIT compilation and Capsicum support. This will make it possible to change the firewall rules while running and to provide userspace with a very efficient and secure firewall.
Also, a very important part of this project is the benchmarking itself.
Approach to solve the problem
- Isolate and refactor the netmap-ipfw rules so that each rule is ideally mapped to a single function.
- Add JIT compilation of these functions inside netmap-ipfw.
- Test and evaluate the final system.
The final deliverable will be the final version of a JIT-compiled firewall that uses IPFW together with netmap. This would allow a rule set that can be changed while running, dynamically altering the behavior of the firewall.
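The rule-per-function design described in the approach above, as an added example that is not code from the project or from netmap-ipfw: each ipfw-style rule becomes a C function with a uniform signature, the active rule set is an ordered array of those functions evaluated with ipfw's first-match semantics, and swapping the active rule-set pointer changes the firewall's behavior at runtime. The packet layout, rule names and addresses are constructed for the demo; a real JIT would emit one straight-line function for the whole array instead of looping over it.

```c
/* Added example: models "one rule = one function" with first-match evaluation.
 * Not project code; packet view and rules are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Minimal 5-tuple view of a packet, as extracted from IPv4 + TCP/UDP headers. */
struct pkt {
    uint32_t src, dst;     /* IPv4 addresses, host byte order */
    uint16_t sport, dport;
    uint8_t  proto;        /* 6 = TCP, 17 = UDP */
};

enum verdict { NO_MATCH = 0, ACCEPT = 1, DENY = 2 };

/* Every rule has the same signature so a rule set is just an array of these. */
typedef enum verdict (*rule_fn)(const struct pkt *);

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

static bool in_net(uint32_t addr, uint32_t net, int prefix) {
    uint32_t mask = prefix == 0 ? 0 : 0xffffffffu << (32 - prefix);
    return (addr & mask) == (net & mask);
}

/* Constructed rules, one function each (the refactoring step). */
static enum verdict rule_deny_private_src(const struct pkt *p) { /* deny ip from 10.0.0.0/8 to any */
    return in_net(p->src, IP4(10, 0, 0, 0), 8) ? DENY : NO_MATCH;
}
static enum verdict rule_allow_ssh(const struct pkt *p) {         /* allow tcp from any to any 22 */
    return (p->proto == 6 && p->dport == 22) ? ACCEPT : NO_MATCH;
}
static enum verdict rule_allow_http(const struct pkt *p) {        /* allow tcp from any to any 80 */
    return (p->proto == 6 && p->dport == 80) ? ACCEPT : NO_MATCH;
}
static enum verdict rule_deny_all(const struct pkt *p) {          /* deny ip from any to any */
    (void)p;
    return DENY;
}

struct ruleset { const rule_fn *rules; size_t n; };

/* Two rule sets; the second drops the HTTP rule. */
static const rule_fn ruleset_v1_fns[] = { rule_deny_private_src, rule_allow_ssh, rule_allow_http, rule_deny_all };
static const rule_fn ruleset_v2_fns[] = { rule_deny_private_src, rule_allow_ssh, rule_deny_all };
const struct ruleset ruleset_v1 = { ruleset_v1_fns, sizeof ruleset_v1_fns / sizeof ruleset_v1_fns[0] };
const struct ruleset ruleset_v2 = { ruleset_v2_fns, sizeof ruleset_v2_fns / sizeof ruleset_v2_fns[0] };

static const struct ruleset *active = &ruleset_v1;

/* First-match evaluation: the loop a JIT would unroll into one compiled function. */
enum verdict firewall_eval(const struct ruleset *rs, const struct pkt *p) {
    for (size_t i = 0; i < rs->n; i++) {
        enum verdict v = rs->rules[i](p);
        if (v != NO_MATCH)
            return v;
    }
    return DENY; /* no terminal rule matched: fail closed */
}

/* Swapping the pointer is how the rule set changes while the firewall runs. */
void firewall_set_active(const struct ruleset *rs) { active = rs; }

/* Convenience wrappers taking the 5-tuple directly. */
enum verdict eval5(const struct ruleset *rs, uint32_t src, uint32_t dst,
                   uint16_t sport, uint16_t dport, uint8_t proto) {
    struct pkt p = { src, dst, sport, dport, proto };
    return firewall_eval(rs, &p);
}
enum verdict eval5_active(uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport, uint8_t proto) {
    return eval5(active, src, dst, sport, dport, proto);
}
```

Because each rule is a self-contained function, the test plan's "test individual rules separately" step reduces to calling one rule function on a constructed packet and checking that it returns ACCEPT, DENY or NO_MATCH as expected, before the whole array is evaluated together.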
- May 19th: Coding starts.
- Once the example (bpfjit) has been studied and understood, I will start adapting netmap-ipfw and refactoring the routines for each separate rule.
- Jun 23rd: Mid-term evaluations.
- By this point, we should have a working firewall with a simple JIT compiling system, and a good set of routines to be used. Now we will optimize the implementation as much as possible.
- Aug 11th: Suggested "pencils down".
- By this point the firewall should be finished. It would be the time to test it and quantify the performance gain compared to the traditional ipfw/kernel network stack implementations.
- Aug 18th: Firm "pencils down" date.
The test plan for this project is to test individual rules and their operation inside the JIT compiler separately, and when finished, run tests with real rule sets.
My code can be found here (svn) and here (github).
So far, I have encountered a bug in netmap that prevented filtering more than 1000 packets. I benchmarked the worst-case scenario (just one rule), and I got a 7x faster firewall.
The firewall is not completed yet (there are still some rules to implement, but that is easy). Before finishing it, I'll port it to the LLVM C API.