Research Of Fast Packet Processing Technology Based On EBPF

Posted on: 2024-07-04
Degree: Master
Type: Thesis
Country: China
Candidate: Q Y Xue
Full Text: PDF
GTID: 2568307079454764
Subject: Information and Communication Engineering

Abstract/Summary:
With the development of computer and communication technology, Internet users and applications have placed higher requirements on the speed of network packet processing. In recent years, extended Berkeley Packet Filter (eBPF) has become a popular technology because of its flexible kernel programmability. It is gradually being applied to network traffic monitoring, kernel performance analysis, packet security filtering, application load balancing, network acceleration, and similar tasks, and it still has broad application scenarios waiting for researchers to explore.

The traditional path for sending and receiving network packets is relatively long and its processing is relatively complex, so there is a lot of room for optimization. The firewall in a traditional network generally sits late in the packet receiving path; if packets can be filtered early in the receiving path, packet forwarding speed can be greatly improved. Where processes on the same machine communicate through the TCP/IP protocol, forwarding efficiency can also be improved if part of the protocol stack is bypassed and packets are forwarded directly. To address these problems, this thesis studies fast packet processing technology based on eBPF, and designs and implements an eBPF-based firewall and an eBPF-based fast forwarding system. The main work is as follows:

(1) This thesis analyzes the traditional network packet receiving process and designs a firewall based on eBPF. The firewall program works mainly at the eBPF XDP (eXpress Data Path) hook, in the lowest layer of the kernel network stack or in the network card driver, and consists of three modules. The eBPF program loading module compiles the rule matching program, injects it into the kernel, and at the same time starts the Web service of the rule dynamic update module. The rule dynamic update module updates the filtering rules dynamically through that Web service. The rule matching program module implements the filtering logic of the firewall. Experimental results show that the eBPF-based firewall can process packets at an earlier position on the packet receiving path and performs better than traditional packet filtering methods such as iptables.

(2) This thesis designs a fast forwarding system based on eBPF for inter-process communication between microservices on the same host. The fast forwarding system works mainly at the eBPF socket-layer hook and consists of three modules. The eBPF program loading module compiles the fast forwarding module program and creates an eBPF map. The eBPF map update module monitors connection establishment for the inter-process communication and collects the socket information at both ends of the connection. The fast forwarding module is triggered when an inter-process communication socket sends packets; it queries the eBPF map and, according to the information of the peer socket, sends the packet directly to the peer socket, bypassing the kernel TCP/IP protocol stack and the local loopback interface. Experimental results show that the eBPF-based fast forwarding system can forward packets for local inter-process communication and that, compared with forwarding through the conventional TCP/IP protocol stack, it shows clear performance improvements in throughput, round-trip delay, transactions per second, and multi-thread concurrency.

Keywords/Search Tags: eBPF, packet processing, XDP, firewall, fast forwarding