JIT Compilation For firewalls (ipfw)

Still building this... :(

Project description

The objective of this project is continue developing the netmap-powered JIT-compiled firewall that we worked on last year, perform some clear optimizations to that, and finally port the code to ipfw from base-system. Once we complete the firewall, we'll be able to perform optimizations on that. One of such optimizations would be let the interpreter run for a while, and get information about the kind of traffic that goes through it, or what rules are applied most. With that information, we can reorder the compilation of the firewall so that the jump to the action associated with the rules that are most often triggered are first.

Approach to solving the problem

* Finish the compilation using the C bindings for LLVM. I'd like to say that I'd be able to do this before the GSoC starts, but I'm not that sure.

* Finish writing the compiling boilerplate to get to compile all the rules. Special care will be needed when compiling flow-controlling rules. For the others, it's just a matter of emmiting a function call (inlined), which will be easy.

* I'd say that the next step would be implementing the feedback-driven optimizations. One example of this would be to use the interpreter for a while, analyze the most common kind of traffic (i.e. the number of times a rule is hit), and reorder the JIT default compilation to make it emit the rules that hit most first.

This is where we could do the coolest things, in my opinion. At this point we should do a lot of evaluation and experimentation with the system. This should provide us with good data, which should then be evaluated against the different use cases of the firewall. The netperf project would be awesomely helpful here (both for testing, and to get the use cases of the firewall), and we could have a nice interaction with them.

* What I would do after this is porting the JIT compiler to the base-ipfw. This shouldn't be too hard, as I had a brief conversation with Mark R. V. Murray about this, and he thought that it should be easy.


The final deliverable will be the final version of an optimized ipfw JIT-compiler, as well as its wrapper in order to use the compiled binary at kernel space.


Test Plan

We will perform testing using conductor, a python system written by the mentor written to test distributed systems.

The Code

My code can be found here (svn), and here (github)

SummerOfCode2015/JITCompilationForFirewalls (last edited 2015-06-03T13:15:49+0000 by DanielPeyrolon)