pcn-iptables: a clone of iptables based on eBPF¶
Polycube includes the pcn-iptables
standalone application, a stateful firewall whose syntax and semantic are compatible with the well-known iptables
Linux tool.
The frontend provides the same CLI of iptables; users can set up security policies using the same syntax by simply executing pcn-iptables
instead of iptables
.
The backend is based on eBPF programs, more efficient classificaiton algorithms and runtime optimizations; the backend runs as a dedicated service in Polycube.
Supported features¶
Currently supported features:
Support for
INPUT
,OUTPUT
,FORWARD
chainsSupport for
ip
,protocol
,ports
,tcp flags
,interfaces
Support for
connection tracking
Support for bpf
TC
andXDP
mode
Detailed supported parameters
-s
source IP-d
destination IP-p
l4 protocol--sport
source port--dport
destination port--tcpflags
tcp flags-i
input interface-o
output interface-m conntrack --ctstate
conntrack module
Detailed supported targets
-j ACCEPT
accept traffic-j DROP
drop traffic
Detailed supported commands
-S
Show rules-L
List rules-A
Append rule-I
Insert rule-D
Delete rule-P <CHAIN> DROP/ACCEPT
Setup default policy for<CHAIN>
-F <CHAIN>
Flush policies for<CHAIN>
Limitations¶
No support for multiple chains
No support for
SNAT
,DNAT
,MASQUESRADE
-S
-L
generate an output slightly different from iptables
Install¶
Prerequisites¶
pcn-iptables comes as a component of polycube framework. Refer to polycube install guide for dependencies, kernel requirements and basic checkout and install guide.
Install¶
To compile and install pcn-iptables
, you should enable the ENABLE_PCN_IPTABLES
flag in the polycube CMakeFile, which is set to OFF
by default;
this allows to compile the customized version of iptables
used to translate commands, and install in the system pcn-iptables-init pcn-iptables and pcn-iptables-clean utils.
Note:
The ENABLE_SERVICE_IPTABLES
flag, which is set to ON
by default, is used to compile and install the libpcn-iptables.so
service (like other polycube services: bridge, router, ..).
This flag is required to be enabled as well, but it comes by default.
cd polycube
# Note: ensure git submodules are updated
# git submodule update --init --recursive
mkdir -p build
cd build
cmake .. -DENABLE_PCN_IPTABLES=ON
make -j`nproc` && sudo make install
Run¶
1. Initialize pcn-iptables¶
# Start polycubed, in other terminal (or background)
sudo polycubed --daemon
# Initialize pcn-iptables
pcn-iptables-init
2. Use pcn-iptables¶
pcn-iptables
provides same iptables syntax. Please refer to iptables
online docs for more info.
Following are just few examples of available commands.
# E.g.
pcn-iptables -A INPUT -s 10.0.0.1 -j DROP # Append rule to INPUT chain
pcn-iptables -D INPUT -s 10.0.0.1 -j DROP # Delete rule from INPUT chain
pcn-iptables -I INPUT -s 10.0.0.2 -j DROP # Insert rule into INPUT chain
# Example of a complex rule
pcn-iptables -A INPUT -s 10.0.0.0/8 -d 10.0.0.2 -p tcp --sport 9090 --dport 80 --tcpflags SYN,ACK ACK -j DROP
# Example of a conntrack rule
pcn-iptables -A OUTPUT -m conntrack --ctstate=ESTABLISHED -j ACCEPT
# Show rules
pcn-iptables -S # dump rules
pcn-iptables -L INPUT # dump rules for INPUT chain
pcn-iptables -P FORWARD DROP # set default policy for FORWARD chain
NOTE: do not use use sudo pcn-iptables ...
3. Stop pcn-iptables¶
# Stop and clean pcn-iptables
pcn-iptables-clean
# Execute the below command to validate if cleanup is successful.
pcn-iptables -S
``Note: On successful cleanup, you should receive "No cube found named pcn-iptables"``
Advanced Features¶
XDP mode¶
pcn-iptables
can also be run in XDP
mode. This mode comes with performance gain, especially when policy are configured to DROP traffic.
pcn-iptables-init-xdp
Limitations¶
pcn-iptables operates only on interfaces that support XDP native mode
traffic is not filtered on interfaces that support only eBPF TC programs.
pcn-iptables components¶
pcn-iptables
is composed by three main components:
pcn-iptables
service (src/services/pcn-iptables
): a Polycube service, a special one since performs some extra work, but basically expose its API and CLI, according to Polycube standard.
iptables submodule¶
A customized fork of iptables is included as submodule under src/components/iptables/iptables. This modified version of iptables is in charge of validate commands, translate them from iptables to polycube syntax, then forward them to pcn-iptables service instead of pushing them into the kernel via netfilter.
scripts folder¶
Scripts are used as a glue logic to make pcn-iptables run. Main purpose is initialize, cleanup and run pcn-iptables, pass pcn-iptables parameters through iptables (in charge of converting them), then pass converted commands to pcn-iptables service.
Scripts are installed under /usr/local/bin
.
pcn-iptables components¶
pcn-iptables
is composed by three main components:
pcn-iptables
service (src/services/pcn-iptables
): a Polycube service that is especially tailored to work with thepcn-iptables
executable; as usual, it exposes its API and CLI according to Polycube standard.iptables*
(src/components/iptables/iptables
): a modified version of iptables, in charge of validate commands, translate them from iptables to polycube syntax, then forward them to pcn-iptables service instead of push them into the kernel via netfilter.scripts
(src/components/iptables/scripts
): this is a folder containing some glue logic and scripts to initialize, cleanup and usepcn-iptables
.pcn-iptables
itself is a script that forwards commands toiptables*
(2), then forwards the translated command topcn-iptables
(1). Scripts are installed under/usr/local/bin
.