Hello.
Starting with Linux kernel 4.18, we have production-ready XDP + eBPF capabilities, which are now included in production starting with Red Hat Enterprise Linux 8.1 and, of course, in CentOS Linux 8.1. Others will follow soon.
For those not familiar, in simple words:
XDP is eXpress Data Path, a technology that uses a new way of processing network packets: through the so-called eBPF, rules (firewall and other) are compiled by the eBPF virtual machine in kernel space. This method of work is also very fast.
This entire design drastically improves the speed of processing network packets, by 3.5x and even more (on the same hardware as iptables/nftables).
Even more speed can be achieved using special network cards, such as Netronome cards with a "Network Flow Processor" or the Intel 800 series (review).
Measurements show the following results in packet processing for firewall usage:
Explanation of the graph:
iptables = iptables firewall/rules
nftables = nftables firewall/rules
bpfilter (host driver XDP, JIT) = XDP + eBPF (bpfilter rules): means a network card with XDP enabled in the driver only + just-in-time compiled eBPF rules
bpfilter (hardware offload) = same as bpfilter above, but with hardware acceleration in a special NIC like Netronome or the Intel 800 series.
Source of the image:
https://www.netronome.com/blog/bpf-...hese-things-and-what-do-they-mean-enterprise/
So, my question is: could you consider including it over time in new releases of the Proxmox VE firewall?
I know that it is a big job to do, but for now there is at least one interesting project for easing things up,
with which it is easy to convert iptables rules inline to eBPF rules, the so-called bpfilter.
Video of bpfilter usage (inline conversion of iptables rules to eBPF rules): https://www.youtube.com/watch?v=AfgwVya9Cog
BR,
Hrvoje.
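The kind of rule the post talks about, as an added example that is not part of the original post, of bpfilter or of Proxmox code: the classification core of a minimal XDP firewall program that drops IPv4 frames from one blocklisted source address (10.0.0.11 is a constructed placeholder). The core is plain C so it can be built and tested in user space; under clang -target bpf the same function becomes the XDP entry point, and the bounds checks it does are exactly what the kernel's eBPF verifier requires before it will load the program.

```c
#include <stdint.h>
#include <stddef.h>

/* Verdict codes match XDP_DROP / XDP_PASS from linux/bpf.h, restated so the
 * classification core also compiles as ordinary C for user-space testing. */
#define FW_DROP 1
#define FW_PASS 2

/* Minimal Ethernet and IPv4 headers; only the fields the rule needs. */
struct eth_min { uint8_t dst[6], src[6], proto[2]; } __attribute__((packed));
struct ip_min  { uint8_t vhl, tos, len[2], id[2], frag[2], ttl, protocol, csum[2];
                 uint8_t saddr[4], daddr[4]; } __attribute__((packed));

/* One constructed rule: drop everything sourced from 10.0.0.11 (placeholder). */
static const uint8_t blocked_src[4] = { 10, 0, 0, 11 };

/* Every header access is bounds-checked against data_end; the in-kernel eBPF
 * verifier refuses to load a program that reads packet bytes without this. */
static inline int fw_classify(const void *data, const void *data_end)
{
    const struct eth_min *eth = data;
    if ((const void *)(eth + 1) > data_end) return FW_PASS;            /* runt frame */
    if (eth->proto[0] != 0x08 || eth->proto[1] != 0x00) return FW_PASS; /* not IPv4 */
    const struct ip_min *ip = (const struct ip_min *)(eth + 1);
    if ((const void *)(ip + 1) > data_end) return FW_PASS;             /* truncated */
    if ((ip->vhl >> 4) != 4) return FW_PASS;
    for (int i = 0; i < 4; i++)
        if (ip->saddr[i] != blocked_src[i]) return FW_PASS;
    return FW_DROP;
}

/* Constructed test frame: zeroed Ethernet + IPv4 header with the given source. */
static size_t build_frame(uint8_t *buf, const uint8_t src[4])
{
    struct eth_min *eth = (struct eth_min *)buf;
    struct ip_min *ip = (struct ip_min *)(buf + sizeof *eth);
    for (size_t i = 0; i < sizeof *eth + sizeof *ip; i++) buf[i] = 0;
    eth->proto[0] = 0x08; eth->proto[1] = 0x00;   /* ethertype IPv4 */
    ip->vhl = 0x45; ip->ttl = 64; ip->protocol = 6;
    for (int i = 0; i < 4; i++) ip->saddr[i] = src[i];
    return sizeof *eth + sizeof *ip;              /* 34 bytes */
}

#ifdef __bpf__   /* defined by clang -target bpf: the real XDP entry point */
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
SEC("xdp")
int xdp_fw(struct xdp_md *ctx)
{
    return fw_classify((void *)(long)ctx->data, (void *)(long)ctx->data_end);
}
char _license[] SEC("license") = "GPL";
#endif
```

Built with `clang -O2 -target bpf -c` the object can be attached to an interface with `ip link set dev <if> xdp obj <file>.o sec xdp`; in a real deployment the single hard-coded address would be replaced by a BPF map so rules can be updated without reloading the program.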