CN116886422A - eBPF-based network high-speed forwarding relay method and system - Google Patents


Info

Publication number
CN116886422A
CN116886422A
Authority
CN
China
Prior art keywords
data
network
ebpf
processing
xdp
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311018125.2A
Other languages
Chinese (zh)
Inventor
艾如飞
戚祥发
陈金滨
褚纯清
廖春元
石富义
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Liangfengtai Kunshan Information Technology Co ltd
Original Assignee
Liangfengtai Kunshan Information Technology Co ltd
Application filed by Liangfengtai Kunshan Information Technology Co ltd
Priority to CN202311018125.2A
Publication of CN116886422A
Legal status: Pending


Classifications

    • H04L63/0227 Filtering policies (under H04L63/02, network architectures or protocols for network security for separating internal from external traffic, e.g. firewalls)
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP address or URL (under H04L63/0227)
    • H04L63/101 Access control lists [ACL] (under H04L63/10, controlling access to devices or network resources)
    • H04L63/1441 Countermeasures against malicious traffic (under H04L63/14, detecting or protecting against malicious traffic)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides an eBPF-based network high-speed forwarding relay method and system. When a received frame has been placed in the ring buffer of the main memory area, a hardware interrupt is raised and the central processing unit dispatches, through the interrupt vector table, to the driver's interrupt handler. The driver then consumes the data from the main memory area through the kernel network interface poll loop and the kernel soft-interrupt thread on the central processing unit: the poll loop raises a soft interrupt, the soft interrupt handler processes the data, and the processed data is passed to the network protocol stack of the system. The data that has passed the network protocol layers is then processed by the XDP hook function set to obtain safe data. In this way the invention filters unnecessary or invalid data out of high-speed network traffic close to the kernel according to a prebuilt rule base, identifies and handles network attacks, and reduces the processing and transmission of interfering and malicious data in the network protocol stack.

Description

eBPF-based network high-speed forwarding relay method and system
Technical Field
The invention relates to the technical field of network traffic control, and in particular to an eBPF-based network high-speed forwarding relay method and system.
Background
With the development of the internet, applications such as video conferencing and high-definition video streaming demand ever higher data transmission rates; otherwise delay, stalling and similar problems occur and degrade the user experience. High-speed forwarding relay technology emerged to meet the demand for higher transmission rates and better fault tolerance in wireless communication systems.
The environment of a wireless communication system is usually more complex than that of a wired one, with signal interference, channel fading and the like, all of which affect the reliability and stability of data transmission. High-speed forwarding relay improves reliability and stability by means such as packet segmentation and forwarding, meeting users' requirements for higher rates and better fault tolerance.
High-speed forwarding relay can also increase network capacity and coverage. Dividing data into smaller packets reduces transmission delay and raises the transmission rate, while forwarding through relay nodes extends network coverage so that signals reach more distant locations. Smaller packets also consume less energy in transmission, and relay nodes shorten the per-hop signal distance, reducing the power consumption of the network.
Although high-speed forwarding relay is widely used in wireless communication systems, it has some drawbacks, including the following:
1. Network delay: the technology requires segmentation and forwarding of packets, which adds network delay. Added delay degrades the user experience, and applications such as video conferencing and high-definition video streaming require low delay.
2. Security: while high-speed forwarding relay can improve network security, it also raises security concerns. Because data is split into smaller packets for transmission, it may be tampered with, and because it is forwarded through relay nodes it may be intercepted or altered illegally.
In summary, forwarding relay technology, while offering various benefits for network transmission and optimization, presents difficulties and challenges in implementation.
In addition, existing Linux kernel-based processing can provide high-performance packet processing. The conventional Data Plane Development Kit (DPDK) bypasses the kernel altogether, moves packet processing into user space to accelerate network operation, and interacts with the network card directly through its own driver. This brings clear performance gains, but gives up the kernel's resource abstraction, management and security controls.
Disclosure of Invention
To overcome these technical defects, the invention aims to provide an eBPF-based network high-speed forwarding relay method and system that are both safer and more efficient in transmission.
The invention discloses an eBPF-based network high-speed forwarding relay method comprising the following steps: when the network card receives a data frame, the frame is transferred from the network card queue into the kernel's main memory area by direct memory access, and the data is kept in a message queue; when data appears in the ring buffer of the main memory area, a hardware interrupt is raised and the central processing unit dispatches through the interrupt vector table to the driver code; in the driver, data is consumed from the main memory area through the kernel network interface poll loop and a kernel thread on the central processing unit, the poll loop raises a soft interrupt, the soft interrupt handler processes the data and passes it to the network protocol stack of the system; the device driver function layer of the network protocol stack allocates a buffer to hold the data; the central processing unit consumes the soft-interrupt-processed data into that buffer and the kernel fills in the metadata of the consumed data; the data in the buffer is pushed to the network protocol layers for processing, and the data processed by the network protocol layers is processed by the XDP hook function set to obtain safe data.
Preferably, before the XDP hook function set applies the preset rules to the data processed by the network protocol layers, the method further includes filtering that data through a packet filtering mechanism.
Preferably, pushing the data in the buffer to the network protocol layers for processing includes filtering the network-layer data according to the transport-layer protocol and passing the filtered data to the XDP hook function set.
Preferably, raising the hardware interrupt when data appears in the message queue includes masking other interrupt requests while the hardware interrupt is being handled.
Preferably, pushing the data in the buffer to the network protocol layers for processing includes an integrity check performed at the network layer.
Preferably, processing the data with the XDP hook function set according to preset rules includes configuring the XDP hook function set in the eBPF program and importing a plurality of processing rules into it; the filtered data is then processed according to those rules so that part of the data is discarded, part of the requests are rejected, or part of the data is accepted.
Preferably, discarding part of the data according to the processing rules includes configuring a blacklist map in the XDP hook function set; when the XDP hook function set of the eBPF program receives data and finds a match for the data's source or destination address in the blacklist map, it discards the data directly.
Preferably, configuring the blacklist map in the XDP hook function set includes adding or deleting an element of the blacklist map through the eBPF program, the element containing the match entry for a source or destination address.
Preferably, obtaining the safe data includes copying the filtered data, through the eBPF program, into an application-layer buffer associated with the kernel buffer; the application layer receives the safe data actively, either through a blocking system call or through a polling mechanism.
The invention also discloses an eBPF-based network high-speed forwarding relay system comprising an application layer, a kernel and an eBPF program, where the eBPF program communicates with both the kernel and the application layer to forward network data between them.
Compared with the prior art, the technical scheme has the following beneficial effects:
1. Unnecessary or invalid data is filtered out of high-speed network traffic close to the kernel according to a prebuilt rule base, and network attacks are identified and handled there, so that the processing and transmission of interfering and malicious data in the network protocol stack is reduced, the consumption of server and bandwidth resources falls, high-speed forwarding relay of service traffic is achieved, and the stability and timeliness of the service network are maintained;
2. Because the loss of system resources is greatly reduced, the invention performs well as a relay for large-scale network forwarding and offers a sound approach to the stability and security of large-scale edge networks.
Drawings
Fig. 1 is a schematic diagram of the eBPF-based network high-speed forwarding relay method provided by the present invention;
Fig. 2 is a flowchart of the eBPF-based network high-speed forwarding relay method provided by the present invention.
Detailed Description
Advantages of the invention are further illustrated in the following description, taken in conjunction with the accompanying drawings and detailed description.
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present disclosure as detailed in the accompanying claims.
The terminology used in the present disclosure is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. As used in this disclosure and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in this disclosure to describe various information, the information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present disclosure. The word "if" as used herein may be interpreted as "when … …", "upon … …" or "in response to determining", depending on the context.
In the description of the present invention, it should be understood that the terms "longitudinal," "transverse," "upper," "lower," "front," "rear," "left," "right," "vertical," "horizontal," "top," "bottom," "inner," "outer," and the like indicate orientations or positional relationships based on the orientation or positional relationships shown in the drawings, merely to facilitate describing the present invention and simplify the description, and do not indicate or imply that the devices or elements referred to must have a specific orientation, be configured and operated in a specific orientation, and therefore should not be construed as limiting the present invention.
In the description of the present invention, unless otherwise specified and defined, it should be noted that the terms "mounted," "connected," and "coupled" are to be construed broadly, and may be, for example, mechanical or electrical, or may be in communication with each other between two elements, directly or indirectly through intermediaries, as would be understood by those skilled in the art, in view of the specific meaning of the terms described above.
In the following description, suffixes such as "module", "component", or "unit" for representing elements are used only for facilitating the description of the present invention, and are not of specific significance per se. Thus, "module" and "component" may be used in combination.
Referring to Figs. 1-2, the invention discloses an eBPF-based network high-speed forwarding relay method comprising the following steps:
S100, when the network card receives a data frame, the frame is transferred from the network card queue into the kernel's main memory area by direct memory access and kept in a message queue;
S200, when data appears in the ring buffer of the main memory area, a hardware interrupt is raised and the central processing unit dispatches through the interrupt vector table to the driver code; in the driver, data is consumed from the main memory area through the kernel network interface poll loop and a kernel thread on the central processing unit, the poll loop raises a soft interrupt, the soft interrupt handler processes the data and passes it to the network protocol stack of the system;
S300, the device driver function layer of the network protocol stack allocates a buffer to hold the data; the central processing unit consumes the soft-interrupt-processed data into that buffer and the kernel fills in the metadata of the consumed data;
S400, the data in the buffer is pushed to the network protocol layers for processing, and the data processed by the network protocol layers is processed by the XDP hook function set to obtain safe data.
eBPF (extended Berkeley Packet Filter) programs are an extension of the classic packet filter and can process and forward network packets quickly in kernel mode. They run close to the core of the system and execute very efficiently.
The XDP hook function set is the set of rules defined by an XDP (eXpress Data Path) program, and the XDP program is the sequence of actions the hook function set executes. XDP is an eBPF hook in Linux at which an eBPF program can be attached; it processes network packets as soon as they reach the network card driver layer, before the network protocol stack, and therefore offers excellent data-plane performance, an express lane for Linux network processing. A running XDP program specifies, through its XDP action code, what the driver does with the packet next.
According to the invention, abnormal packets are intercepted early, during soft-interrupt processing, so that the processing efficiency of the kernel is improved. Packets are forwarded or discarded directly by matching rules in the information table of the XDP hook function set, which increases forwarding speed, resists distributed denial-of-service (DDoS) attacks, and relieves the performance pressure on the device. The XDP hook function set retains the basic network protocol stack modules while allowing programmable processing of packets in the kernel, so that a data frame is loaded into the kernel for further handling only after it has been checked and found safe.
Further, in the frame reception and soft interrupt process of steps S100-S200, when the network card receives a data frame, the frame is copied from the network card queue into the kernel's main memory area by direct memory access (DMA) and kept in a message queue. The main memory area comprises several memory regions (for example ring buffers), each of which may use a different storage scheme, such as a ring message queue in which slots are returned to the queue after the data in them has been processed. Preferably, when data appears in the ring buffer of the main memory area, a hardware interrupt is raised, and the central processing unit dispatches through the interrupt vector table to the driver code.
The interrupt vector table is a list of interrupt vectors stored in the main memory area, holding the entry points of the interrupt handlers for the 256 interrupt sources. Because the CPU may detect an interrupt at any time and must then be able to run the corresponding handler at once, the handlers must reside permanently in main memory and their entry addresses, the interrupt vectors, must be stored in the corresponding table entries.
In the driver, soft interrupt processing is used because its execution path is short and the kernel executes it efficiently. Specifically, the device driver uses a kernel network interface (for example NAPI) and a kernel thread of the central processing unit (for example ksoftirqd) to consume packet data from the ring buffer. The kernel network interface loop is mainly responsible for raising a soft interrupt, processing the packet in the soft interrupt handler, and sending the data into the network protocol stack.
It should be noted that consumption of data by the CPU and soft interrupt processing form a loop: after a soft interrupt, the CPU consumes (fetches) data; the remaining data continues along the message queue (for example the ring message queue described above); and when the CPU needs to consume further data, a soft interrupt is raised again and data is fetched again, forming a cyclic operation.
Further, while a hardware interrupt is being handled, other interrupt requests are masked so that interrupt events are not lost.
Further, in step S300, a buffer for the data traffic packet is allocated by the device driver function layer of the system's network protocol stack; the central processing unit consumes the soft-interrupt-processed data into that buffer and the kernel fills in the metadata of the consumed data. Specifically, the system's network protocol stack has four layers: the network protocol interface layer, the network device interface layer, the device driver function layer and the network device media layer. The network protocol layers follow the seven-layer OSI model, from top to bottom: application layer (e.g. HTTP/HTTPS), presentation layer (e.g. JPEG encoding), session layer (e.g. SQL sessions), transport layer (TCP, UDP), network layer (IP), data link layer (Ethernet) and physical layer (e.g. RJ45 cabling).
The device driver function layer of the network protocol stack allocates a new buffer (for example a socket buffer, struct sk_buff, the basic kernel data structure for buffering and processing packets, whose fields record the offsets of the different network layers) to hold the traffic packet; after the data has been consumed from the central processing unit's queue into the buffer, the kernel fills in the metadata, which describes the consumed data as it now exists in the buffer.
Further, in step S400, the data in the buffer is pushed to the network protocol layers for processing, and the data processed by the network protocol layers is processed by the XDP hook function set to obtain safe data. Specifically, the data in the buffer is pushed to the network protocol layers, and an integrity check is performed at the network layer of the protocol stack: the buffer is copied and pushed to the network layer's queue for further processing, and the data is checked for a source address, source port, destination address, destination port and corresponding protocol to determine whether it is complete and usable. For example, when user A accesses portal B, A's address is the source address, the source port is a random high port, B is the destination address with destination port 443, and the protocol is HTTPS over TCP.
Then the network-layer data is filtered according to the transport-layer protocol, and the data not discarded by that filtering is passed to the XDP hook function set.
If the network layer confirms that the data is complete and usable, the data processed by the network protocol layers is processed by the XDP hook function set according to preset rules, and the method further includes filtering that data through a packet filtering mechanism, preferably netfilter. netfilter is the packet filtering and processing framework in the Linux kernel; it processes packets according to configured rules, for example for packet filtering or network address translation (NAT). The XDP hook function set does not depend on netfilter: it is a separate high-performance packet processing mechanism in the Linux kernel that runs at the earliest point of the receive path, before netfilter and the rest of the protocol stack, which improves network performance and flexibility. With the XDP hook function set, low-latency, high-throughput packet processing can be achieved, such as BPF-based packet filtering or a lightweight firewall against network intrusion.
Then, the XDP hook function set is configured in the eBPF program and a plurality of processing rules are imported into it; the filtered data is processed according to those rules so that part of the data is discarded, part of the requests are rejected, or part of the data is accepted. The XDP hook function set processes packets according to a series of rules defined in code. For a network card whose driver has an XDP program attached, the rules defined in the XDP program are executed first when a packet is received, and they determine the packet's next step: discarding part of the data, rejecting part of the requests, or accepting part of the data as in Fig. 1, for example passing the packet on to the conventional network protocol stack, discarding a packet whose address is blacklisted, or redirecting the packet to another network interface.
With the XDP hook function set, the XDP program can define and manage blacklisted addresses conveniently and flexibly. The XDP hook function set here can be understood as a mechanism for sharing data between the BPF virtual machine and user space, in which the blacklisted addresses exist as a map. When a packet is received, the XDP program looks up whether its source or destination address is present in the blacklist map, and if a match is found the program discards the packet directly.
Further, a blacklist map is configured in the XDP hook function set; when data is received and a match for its source or destination address is found in the blacklist map, the XDP hook function set of the eBPF program discards the data directly. Elements, each containing the match entry for a source or destination address, are added to or deleted from the blacklist map through the eBPF program. Specifically, so that the XDP program can change the blacklist while running, the map must be modifiable at run time: a source that repeatedly launches attacks is identified and recorded as blacklisted, that is, after the program has been loaded onto the network card it must be able to add or delete elements of the blacklist map dynamically. In this way the XDP program adapts its blacklist policy to real-time conditions, with greater flexibility.
It should be noted that, referring to Fig. 1, the XDP hook function set is triggered as soon as the network card has copied the packet into the receive queue, so that offensive traffic and unwanted requests can be blocked effectively before they reach the protocol stack, greatly raising the high-speed forwarding rate of the network. The XDP program evaluates its rules as soon as the packet arrives at the network card and discards it directly if it matches a blacklist rule, improving both the security and the performance of the network. Through the rule evaluation of the XDP program and the blacklist map, the invention filters and processes packets efficiently.
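The network-layer integrity check, the transport-protocol filtering, the blacklist map lookup and the run-time addition and deletion of blacklist elements described above, brought together in one added example. This is not the patent's code: it is a user-space C model of what the XDP program does at the driver hook, written so it compiles and runs on any host. In a real eBPF program the blacklist would be a BPF_MAP_TYPE_HASH reached through bpf_map_lookup_elem(), the strike counter a second map, and the program would return the same XDP verdict codes; here both tables are plain arrays. The HIT_LIMIT threshold, the TCP/UDP-only policy, the sample addresses and the frame builder are assumptions constructed for illustration.

```c
/* Added example (not the patent's code): user-space model of the XDP blacklist
 * filter. Tables are arrays standing in for BPF maps; HIT_LIMIT and the
 * TCP/UDP-only rule are illustrative assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum { XDP_ABORTED = 0, XDP_DROP = 1, XDP_PASS = 2 }; /* verdict codes as in linux/bpf.h */

#define BL_SIZE   64   /* entries per table */
#define HIT_LIMIT 3    /* malformed packets from one source before it is blacklisted */

struct blacklist {
    uint32_t addr[BL_SIZE];   uint8_t used[BL_SIZE];                          /* blocked sources */
    uint32_t s_addr[BL_SIZE]; uint8_t s_hits[BL_SIZE]; uint8_t s_used[BL_SIZE]; /* strike counters */
};

/* IPv4 address in wire (network) byte order: the same bytes a user-space tool writes as the map key. */
static uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d) {
    uint8_t raw[4] = { a, b, c, d }; uint32_t v; memcpy(&v, raw, 4); return v;
}

static int bl_find(const struct blacklist *bl, uint32_t saddr) {
    for (int i = 0; i < BL_SIZE; i++) if (bl->used[i] && bl->addr[i] == saddr) return i;
    return -1;
}
/* Control-plane side: the equivalent of bpf_map_update_elem()/bpf_map_delete_elem() on the real map. */
int bl_add(struct blacklist *bl, uint32_t saddr) {
    if (bl_find(bl, saddr) >= 0) return 0;
    for (int i = 0; i < BL_SIZE; i++) if (!bl->used[i]) { bl->addr[i] = saddr; bl->used[i] = 1; return 0; }
    return -1;                                    /* table full: the caller must decide what to do */
}
int bl_del(struct blacklist *bl, uint32_t saddr) {
    int i = bl_find(bl, saddr); if (i < 0) return -1; bl->used[i] = 0; return 0;
}
/* Repeat-offender accounting: a source that keeps sending malformed packets is
 * promoted into the blacklist from inside the data path. */
static void strike(struct blacklist *bl, uint32_t saddr) {
    int free_slot = -1;
    for (int i = 0; i < BL_SIZE; i++) {
        if (bl->s_used[i] && bl->s_addr[i] == saddr) {
            if (++bl->s_hits[i] >= HIT_LIMIT) bl_add(bl, saddr);
            return;
        }
        if (!bl->s_used[i] && free_slot < 0) free_slot = i;
    }
    if (free_slot >= 0) { bl->s_used[free_slot] = 1; bl->s_addr[free_slot] = saddr; bl->s_hits[free_slot] = 1; }
}

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Data-path decision. Every read is preceded by a length check, which is also
 * what the kernel verifier demands of a real XDP program. */
int xdp_filter(struct blacklist *bl, const uint8_t *data, size_t len) {
    if (len < 14) return XDP_DROP;                        /* runt frame */
    if (be16(data + 12) != 0x0800) return XDP_PASS;       /* not IPv4 (ARP etc.): leave to the stack */
    if (len < 14 + 20) return XDP_DROP;                   /* truncated IPv4 header */
    const uint8_t *ip = data + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 14 + ihl) return XDP_DROP;
    uint32_t saddr; memcpy(&saddr, ip + 12, 4);
    if (bl_find(bl, saddr) >= 0) return XDP_DROP;         /* blacklisted source */
    uint16_t tot_len = be16(ip + 2);
    if (tot_len < ihl || tot_len > len - 14) { strike(bl, saddr); return XDP_DROP; } /* length field lies */
    size_t l4min = ip[9] == 6 ? 20 : ip[9] == 17 ? 8 : 0; /* TCP / UDP minimum header; anything else rejected */
    if (l4min == 0 || tot_len < ihl + l4min) { strike(bl, saddr); return XDP_DROP; }
    return XDP_PASS;                                      /* hand to the normal protocol stack */
}

/* Constructed test frame: zero MACs, IPv4 with ihl=5, no options, zeroed L4 bytes. */
size_t mk_frame(uint8_t *buf, uint32_t saddr, uint8_t proto, size_t l4len, uint16_t claimed_len) {
    memset(buf, 0, 14 + 20 + l4len);
    buf[12] = 0x08; buf[13] = 0x00;
    uint8_t *ip = buf + 14;
    ip[0] = 0x45; ip[2] = (uint8_t)(claimed_len >> 8); ip[3] = (uint8_t)claimed_len; ip[8] = 64; ip[9] = proto;
    memcpy(ip + 12, &saddr, 4); uint32_t d = ip4(10, 0, 0, 1); memcpy(ip + 16, &d, 4);
    return 14 + 20 + l4len;
}

/* Scenarios returning the verdict so the behaviour can be checked. */
int demo_blacklisted(void) {      /* 203.0.113.7 is listed: dropped before the stack sees it */
    struct blacklist bl = {0}; uint8_t f[128];
    bl_add(&bl, ip4(203, 0, 113, 7));
    size_t n = mk_frame(f, ip4(203, 0, 113, 7), 6, 20, 40);
    return xdp_filter(&bl, f, n);
}
int demo_delisted(void) {         /* same source after bl_del(): a well-formed UDP packet passes */
    struct blacklist bl = {0}; uint8_t f[128];
    bl_add(&bl, ip4(203, 0, 113, 7)); bl_del(&bl, ip4(203, 0, 113, 7));
    size_t n = mk_frame(f, ip4(203, 0, 113, 7), 17, 8, 28);
    return xdp_filter(&bl, f, n);
}
int demo_repeat_offender(void) {  /* HIT_LIMIT bogus-length packets, then a valid one: now dropped */
    struct blacklist bl = {0}; uint8_t f[128];
    for (int i = 0; i < HIT_LIMIT; i++) {
        size_t n = mk_frame(f, ip4(198, 51, 100, 9), 6, 20, 1400); /* claims 1400 bytes, carries 40 */
        xdp_filter(&bl, f, n);
    }
    size_t n = mk_frame(f, ip4(198, 51, 100, 9), 6, 20, 40);
    return xdp_filter(&bl, f, n);
}
int demo_non_ipv4(void) {         /* ARP ethertype: not judged here, left to the stack */
    struct blacklist bl = {0}; uint8_t f[128];
    size_t n = mk_frame(f, ip4(198, 51, 100, 9), 6, 20, 40); f[13] = 0x06;
    return xdp_filter(&bl, f, n);
}
```

The order of checks matters: the blacklist lookup comes after the header bounds checks but before the length and transport checks, so a listed source costs only a header parse and one lookup, and a source that repeatedly sends inconsistent length fields is promoted into the blacklist by the data path itself rather than waiting for user space. In a real XDP program the same promotion is done with bpf_map_update_elem() from within the program, and bl_add() failing on a full table corresponds to the map's max_entries being exhausted.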
Finally, the data that has passed the security filtering and rule judgment is copied, through an eBPF program, to an application layer cache area in the application layer that is associated with the buffer memory area; the application layer buffer area actively receives the security data using either a blocking system call function (such as the recv or read functions) or a polling mechanism (such as epoll).
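The two receive paths named above, as an added example that is not the patent's own code: a blocking read() that sleeps until data arrives, and an epoll-driven loop that waits for readiness and then drains a non-blocking descriptor until EAGAIN. Both paths fill the same application buffer. The demo stands in a socketpair for the kernel-fed socket and writes constructed payload bytes into it (an assumption made so the code runs offline on any Linux host).

```c
/* Application-layer receive side (added example, not the patent's code):
 * blocking read() versus epoll-driven draining of a non-blocking fd. */
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/epoll.h>
#include <sys/socket.h>
#include <unistd.h>

/* Blocking path: one read() that sleeps until data is available. */
ssize_t recv_blocking(int fd, uint8_t *buf, size_t cap)
{
    ssize_t n;
    do {
        n = read(fd, buf, cap);
    } while (n < 0 && errno == EINTR);     /* retry if a signal interrupted us */
    return n;
}

/* Polling path: epoll_wait() for readiness, then drain until EAGAIN or until
 * the application buffer is full. Returns bytes copied, or -1 on error. */
ssize_t recv_epoll(int fd, uint8_t *buf, size_t cap, int timeout_ms)
{
    int flags = fcntl(fd, F_GETFL, 0);
    if (flags < 0 || fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0)
        return -1;
    int ep = epoll_create1(0);
    if (ep < 0)
        return -1;
    struct epoll_event ev;
    memset(&ev, 0, sizeof ev);
    ev.events = EPOLLIN;
    ev.data.fd = fd;
    if (epoll_ctl(ep, EPOLL_CTL_ADD, fd, &ev) < 0) {
        close(ep);
        return -1;
    }

    size_t total = 0;
    int ready = epoll_wait(ep, &ev, 1, timeout_ms);
    while (ready > 0 && total < cap) {
        ssize_t n = read(fd, buf + total, cap - total);
        if (n > 0) { total += (size_t)n; continue; }
        if (n == 0) break;                                   /* peer closed */
        if (errno == EAGAIN || errno == EWOULDBLOCK) break;  /* queue drained */
        if (errno == EINTR) continue;
        close(ep);
        return -1;
    }
    close(ep);
    return ready < 0 ? -1 : (ssize_t)total;
}

/* Self-test: a socketpair stands in for the kernel-fed socket (constructed data).
 * Returns the number of bytes the epoll path pulled into the buffer. */
int demo(void)
{
    int sv[2];
    uint8_t buf[64];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    const char *msg = "filtered-packet-payload";          /* 23 bytes, constructed */
    if (write(sv[0], msg, strlen(msg)) != (ssize_t)strlen(msg))
        return -1;
    ssize_t n = recv_epoll(sv[1], buf, sizeof buf, 1000);
    close(sv[0]);
    close(sv[1]);
    return (int)n;
}

int main(void)
{
    printf("received %d bytes via epoll\n", demo());
    return 0;
}
```

The blocking path is the simplest and is what a single-connection consumer would use; the epoll path is the one that scales, because one thread can wait on many descriptors and only touches those that the kernel reports as readable.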
After the soft interrupt, the CPU consumes the data and places it in the buffer area; the data is processed at the network layer and the transport layer, then passed to the data packet filtering mechanism for filtering, and then handled further by the XDP hook function set to obtain the security data.
The invention is mainly applied to the control and governance of network traffic, especially network governance on edge devices. By screening network data packets with this method, the volume of data that has to be processed is reduced, a large amount of resources are saved for the network and the network protocol stack, attack data packets are continuously detected and discarded with the support of a rule base, and the transmission security of data packets and the security of the request traffic received by a server are ensured.
The invention also discloses an eBPF-based network high-speed forwarding relay system, which comprises an application layer, a kernel and an eBPF program, wherein the eBPF program communicates with the kernel and the application layer so as to realize network data forwarding between the application layer and the kernel.
eBPF is essentially a virtual machine that executes eBPF bytecode: a user writes a program in eBPF assembly or C, compiles it into eBPF bytecode, and the eBPF virtual machine then executes that bytecode. Preferably, compiling and loading the eBPF program comprises the following steps:
running a compile command on the source file of the eBPF program (e.g. forward_relay.c), which compiles it into eBPF bytecode (e.g. forward_relay.o) using clang (a C compiler);
loading the eBPF object file into the kernel using a loader function (such as load_bpf_file), whereupon the kernel verifies the safety and compliance of the eBPF bytecode and compiles it into the corresponding machine code;
once the program compiled from the source file (e.g. forward_relay.c) has been loaded and attached, the eBPF program takes effect, and on subsequent application calls the kernel triggers the bound callback function (i.e. the function in the XDP program), thereby executing the program compiled from the source file (e.g. forward_relay.c) and realizing the eBPF program.
It should be noted that the embodiments of the present invention are preferred and not limited in any way, and any person skilled in the art may make use of the above-disclosed technical content to change or modify the same into equivalent effective embodiments without departing from the technical scope of the present invention, and any modification or equivalent change and modification of the above-described embodiments according to the technical substance of the present invention still falls within the scope of the technical scope of the present invention.

Claims (10)

1. The network high-speed forwarding relay method based on eBPF is characterized by comprising the following steps:
when the network card receives the data frame, the eBPF program forwards the data frame in the network card queue to a main memory area of the kernel through a direct memory access device, and adopts a message queue to store the data;
when data appears in the annular buffer zone in the main memory zone, triggering a hard interrupt, and simultaneously issuing processing time to an interrupt vector table by a central processing unit so as to execute a driving code; when in driving, consuming data from the main memory area through a kernel network interface circulation and a kernel thread in the central processing unit, wherein the kernel network interface circulation triggers soft interrupt, processes the data through the soft interrupt and sends the data after the soft interrupt processing to a network protocol stack in a system;
applying a buffer area to store data through a device driving function layer in a network protocol stack in the system; the central processing unit consumes the data processed by the soft interrupt to the buffer area, and fills the metadata after consumption in the kernel;
pushing the data in the buffer area to a network protocol layer in a network for processing, and processing the data processed by the network protocol layer in the network by an XDP hook function set to obtain safety data.
2. The eBPF-based network high-speed forwarding relay method of claim 1, wherein before said processing the data processed by the network protocol layer in the network by the XDP hook function set, the method further comprises:
filtering the data processed by the network protocol layer in the network through a data packet filtering mechanism.
3. The eBPF-based network high-speed forwarding relay method according to claim 1 or 2, wherein pushing the data in the buffer to a network protocol layer in a network for processing comprises:
filtering the data of the network layer in the network protocol layers in the network through a transport layer protocol in the network protocol layers in the network, and transmitting the filtered data to the XDP hook function set.
4. The eBPF-based network high-speed forwarding relay method of claim 1, wherein said triggering a hard interrupt when data appears in said message queue comprises:
during the process of carrying out the hard interrupt, other interrupt requests are masked.
5. The eBPF-based network high-speed forwarding relay method of claim 1, wherein said pushing data in said buffer to a network protocol layer in a network for processing comprises:
performing integrity detection through a network layer in a network protocol layer in the network.
6. The eBPF-based network high-speed forwarding relay method of claim 1, wherein said processing the data processed by the network protocol layer in the network through the XDP hook function set includes:
configuring an XDP hook function set in the eBPF program, and importing a plurality of processing rules into the XDP hook function set;
processing the filtered data through the processing rules so as to discard part of the data, reject the request for part of the data, or accept part of the data.
7. The eBPF-based network high-speed forwarding relay method of claim 6, wherein said processing the filtered data by said processing rule to discard a portion of the data comprises:
configuring a blacklist mapping table in the XDP hook function set;
when the XDP hook function set of the eBPF program receives data, if a matching item of a source address or a destination address of the data is found from the blacklist mapping table, the XDP hook function set directly discards the data.
8. The eBPF-based network high-speed forwarding relay method of claim 7, wherein said configuring a blacklist mapping table in said XDP hook function set comprises:
adding or deleting an element in the blacklist mapping table through the eBPF program, wherein the element comprises a matching item corresponding to a source address or a destination address of data.
9. The method of claim 1, wherein pushing the data in the buffer to a network protocol layer in a network for processing, and performing processing of a preset rule on the data processed by the network protocol layer in the network by using an XDP hook function set, so as to obtain security data comprises:
copying the filtered data to an application layer buffer area associated with the buffer area in an application layer through the eBPF program;
the application layer buffer employs a blocking system call function or through a polling mechanism to actively receive the secure data.
10. The network high-speed forwarding relay system based on the eBPF is characterized by comprising an application layer, a kernel and an eBPF program, wherein the eBPF program is communicated with the kernel and the application layer, so that network data forwarding between the application layer and the kernel is realized.
CN202311018125.2A 2023-08-14 2023-08-14 eBPF-based network high-speed forwarding relay method and system Pending CN116886422A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311018125.2A CN116886422A (en) 2023-08-14 2023-08-14 eBPF-based network high-speed forwarding relay method and system

Publications (1)

Publication Number Publication Date
CN116886422A true CN116886422A (en) 2023-10-13

Family

ID=88270049

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination