bpfilter

eBPF-based packet filtering framework

Star on GitHub ForkWebsite

C

310 stars 52 forks 24 contributorsActive · 9h agoSince 2023

Meet the team

See all 24 on GitHub →

qdeslandes

qdeslandes1.1k contributions

pzmarzly

pzmarzly24 contributions

yaakov-stein

yaakov-stein13 contributions

ryanbsull

ryanbsull6 contributions

Languages

View on GitHub →

C71.1%

Shell9.4%

Befunge4%

C++4%

Python3.1%

CMake2.6%

Community health

4 of 6 standards met

Community profile →

75

✓README✓License✓Contributing✓Code of Conduct○Issue Template○PR Template

Recent PRs & issues

Active · Last activity 9h ago

See all on GitHub →

build: add packages for `make doc` to nixOpenPR

https://github.com/NixOS/nixpkgs/pull/486778 was merged 🎉 We still have to wait a few days for the commits to move from to , so I'll keep this as a draft until then I've changed the inputs from to just for testing, we don't really want to have our inputs on , I'll change it back in a few day when the commits are on Also updated the (not definitive version, will need one more update when changing this from draft to review) All the packages don't seem necessary, I was able to build and read documentation with just thoses EDIT: I don't think our dear AI is aware that this is a draft

SkohTV · 1h ago

Recent fixes

View closed PRs →

lib: helper: simplify and extend _BF_APPLY macrosMergedPR

Use recursive chaining where each calls . Extend from a max of 10 arguments to 16 (likely will be necessary for #355). Update to use 1ULL to avoid UB when enum values reach 31+ ( already has 31 values). Note: If we need to support more flags at some point, we may want to look in to the Swanson Map Macro. For now, that is probably making things more complicated than they need to be. Testing: CI/Existing tests Manual Testing

yaakov-stein · 9h ago

Structured data for AI agents

Repository: facebook/bpfilter. Description: eBPF-based packet filtering framework Stars: 310, Forks: 52. Primary language: C. Languages: C (71.1%), Shell (9.4%), Befunge (4%), C++ (4%), Python (3.1%). License: GPL-2.0. Homepage: https://bpfilter.io/ Latest release: v0.6.0 (5mo ago). Open PRs: 2, open issues: 25. Last activity: 9h ago. Community health: 75%. Top contributors: qdeslandes, pzmarzly, yaakov-stein, ryanbsull, rphibel, SkohTV, AliGhaffarian, vinxcls, daandemeyer, JonSnow1807 and others.

facebook/bpfilter — Open Source Showroom — GitShow

Restore counter values on chain updateMergedPR

As mentioned in #389, when replaces a chain, the new BPF program starts with a zeroed counter map. The behavior should be that when updating a specific entity within a chain (set, rule, etc.), the counters should be preserved (see @qdeslandes comment below for more details and rationale). This PR adds that behavior specifically for , while leaving the existing behavior for . Notes/Thoughts: With the current implementation, counters are copied from the old map to the new map after the new program is loaded but before the link swap. This means that it is possible for some packets to be unaccounted for in the time between the data being transferred and when the new chain begins filtering. While it is possible to keep the same maps (and thus the exact number) since we know the number of rules will be the same, doing that would require a more invasive approach (the flag would need to propagate into more methods) and will not work for or . A enum is added for flexibility in case we need future arguments as opposed to a boolean (which is simpler but harder to work with if we need to use or update this in the future). However, the goal either way should be for this to be temporary (in line with the consolidated behavior mentioned here). ~## Design~ ~The implementation assumes:~ ~Chains may have large numbers of rules, sets, and set elements, but rules won't have exceedingly large numbers of matchers~ ~Update overhead should remain negligible relative to program generation and loading~ ~Simplicity is preferred over hyper-optimizations where possible~ ~Set mapping. Because set matchers reference sets by position and positions can change between chains, a set index mapping is built first. To efficiently compare large sets, old sets are hashed (FNV-1a with commutative element sum for order-independence), sorted by hash, and binary-searched for each new set. Hash matches are verified deterministically with , which copies each set's elements into a flat array, sorts them, and compares with memcmp.~ ~Rule matching. Rules are hashed the same way - FNV-1a of scalar fields plus a commutative sum of per-matcher hashes. A new rules set matchers hash their mapped old index so equivalent rules produce identical hashes regardless of set position (this abstracts away the whole idea of the set so we don't need to worry about it). Old rules are sorted by hash and binary-searched for each new rule, with full order-independent matcher comparison to verify matches. Once again, hash matches are verified deterministically using .~ ~Counter transfer. For each matched pair, the old counter is read and written to the new program's counter map. Policy and error counters are always preserved. This happens after but before , so there is no race.~ ~## Performance Tested with up to 10k rules and 100 sets of 50k elements each. The mapping and transfer overhead was negligible relative to program generation and loading.~ Test plan Added tests to and Manual testing ~Unit tests for and ~ ~E2E test covering rule reordering and set index shuffling~

yaakov-stein · 1d ago