Title The research of high-level tracing for Linux extended Berkeley Packet Filter
Translation of Title Research on eBPF flow management at the Linux kernel level.
Authors Jonaitis, Mantas
Pages 48
Keywords [eng] eBPF, XDP, network packet sanitization, network packet filtering, Linux networking stack
Abstract [eng] Traditional packet-processing solutions face trade-offs between performance and flexibility, while existing network packet filtering systems are largely oriented toward allowing packets through or dropping them rather than filtering or sanitizing their contents. Recent advances in the Linux kernel's eBPF subsystem enable the development of programs that can efficiently process large volumes of network traffic directly within the Linux kernel, without building complex kernel modules and without requiring a kernel reboot. This thesis presents an overview of the architecture and implementation of a high-performance network packet processing, filtering, and sanitization system based on modern Linux kernel technologies, eBPF and XDP. The developed packet sanitization system consists of several core components. A user-space application written in Go acts as the management and configuration interface: it loads eBPF programs into the kernel, processes user-defined packet sanitization rules, performs various monitoring functions, and provides statistics on processed, sanitized, or dropped network packets. The kernel-space eBPF program is attached at the XDP hook, which enables packet processing immediately after reception (or even on the network interface card) before packets reach the traditional Linux networking stack. This allows network packet filtering and sanitization to be performed very efficiently and quickly, avoiding expensive context switches. The solution was experimentally evaluated under a range of traffic rates from 1 to 500 thousand packets per second, covering all implemented packet sanitization functions. In the test environment, synthetic network packets were processed using the developed program with varying numbers of sanitization rules. The experimental results showed that the XDP/eBPF packet sanitization implementation is capable of processing packets at the maximum traffic rate.
The processing time of different sanitization rules remained nearly constant and varied only slightly across different traffic loads. Packet processing throughput depends on the number of rules used and their complexity. Compared with the more traditional Linux subsystem solution based on Netfilter NFQUEUE, the XDP/eBPF implementation achieved nearly five times higher throughput and sustained the full generated packet stream. The developed system supports TCP and UDP traffic, but can be easily extended to support additional protocols. The protocol-processing functions are modular and straightforward to expand. The current implementation operates primarily on packet headers; to support more advanced packet analysis and processing, efficient mechanisms for transferring packets from kernel space to user space, for example AF_XDP sockets, would need to be added. Overall, the results indicate that the proposed solution based on Linux kernel eBPF and XDP technologies provides an effective compromise between performance and flexibility for network packet filtering and sanitization tasks and could be successfully applied in real-world network security systems.
Dissertation Institution Vilniaus universitetas.
Type Master thesis
Language English
Publication date 2026