pcn-iptables: a clone of iptables based on eBPF
===============================================

Polycube includes the ``pcn-iptables`` standalone application, a stateful firewall whose syntax and semantics are compatible with the well-known ``iptables`` Linux tool.
The frontend provides the same CLI as iptables; users can set up security policies using the same syntax by simply executing ``pcn-iptables`` instead of ``iptables``.
The backend is based on eBPF programs, more efficient classification algorithms and runtime optimizations; it runs as a dedicated service in Polycube.
Currently supported features:
- Support for
- Support for
- Support for
- Support for bpf
Detailed supported parameters:

- ``-m conntrack --ctstate``: conntrack module
Detailed supported targets:

- ``-j ACCEPT``: accept traffic
- ``-j DROP``: drop traffic
Detailed supported commands:

- ``-P <CHAIN> DROP/ACCEPT``: set the default policy for ``<CHAIN>``
- ``-F <CHAIN>``: flush the policies of ``<CHAIN>``
- No support for multiple chains
- No support for
- ``-L`` generates an output slightly different from that of iptables
pcn-iptables comes as a component of polycube framework. Refer to :doc:`polycube install guide<../../../installation>` for dependencies, kernel requirements and basic checkout and install guide.
To compile and install ``pcn-iptables``, you should enable the ``ENABLE_PCN_IPTABLES`` flag in the polycube CMakeFile, which is set to ``OFF`` by default;
this compiles the customized version of ``iptables`` used to translate commands, and installs the ``pcn-iptables-init``, ``pcn-iptables`` and ``pcn-iptables-clean`` utilities on the system.
The ``ENABLE_SERVICE_IPTABLES`` flag, which is set to ``ON`` by default, compiles and installs the ``libpcn-iptables.so`` service (like the other polycube services: bridge, router, ...).
This flag is required to be enabled as well, but it is on by default.

.. code-block:: bash

   cd polycube
   # Note: ensure git submodules are updated
   # git submodule update --init --recursive
   mkdir -p build
   cd build
   cmake .. -DENABLE_PCN_IPTABLES=ON
   make -j`nproc` && sudo make install
1. Initialize pcn-iptables

   .. code-block:: bash

      # Start polycubed, in another terminal (or in the background)
      sudo polycubed --daemon
      # Initialize pcn-iptables
      pcn-iptables-init
2. Use pcn-iptables

   pcn-iptables provides the same syntax as iptables. Please refer to the iptables online docs for more info.
   The following are just a few examples of the available commands.

   .. code-block:: bash

      # E.g.
      pcn-iptables -A INPUT -s 10.0.0.1 -j DROP   # Append rule to INPUT chain
      pcn-iptables -D INPUT -s 10.0.0.1 -j DROP   # Delete rule from INPUT chain
      pcn-iptables -I INPUT -s 10.0.0.2 -j DROP   # Insert rule into INPUT chain

      # Example of a complex rule
      pcn-iptables -A INPUT -s 10.0.0.0/8 -d 10.0.0.2 -p tcp --sport 9090 --dport 80 --tcpflags SYN,ACK ACK -j DROP

      # Example of a conntrack rule
      pcn-iptables -A OUTPUT -m conntrack --ctstate=ESTABLISHED -j ACCEPT

      # Show rules
      pcn-iptables -S          # dump rules
      pcn-iptables -L INPUT    # dump rules for INPUT chain

      pcn-iptables -P FORWARD DROP   # set default policy for FORWARD chain

   NOTE: do not use ``sudo pcn-iptables ...``
3. Stop pcn-iptables

   .. code-block:: bash

      # Stop and clean pcn-iptables
      pcn-iptables-clean
      # Execute the command below to validate that the cleanup succeeded
      pcn-iptables -S

   Note: on successful cleanup, you should receive ``No cube found named pcn-iptables``.
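The three steps above (initialize, configure, clean up) are easy to get wrong in one respect the page does not spell out: rule order. The following script is an added example, not code from the Polycube project or from this page. It applies a stateful default-deny ``INPUT`` policy using only the matches, targets and commands listed as supported on this page (``-F``, ``-A``, ``-P``, ``-S``, ``-s``, ``-p``, ``--dport``, ``-m conntrack --ctstate``, ``-j ACCEPT``/``DROP``), accepting ``ESTABLISHED`` traffic before switching the default policy to ``DROP`` so an administrator's own remote session is not cut off, and it reuses the page's cleanup check on the output of ``pcn-iptables -S``. The ``PCN_IPTABLES``, ``DRY_RUN``, ``MGMT_NET`` and ``SSH_PORT`` variables are assumptions of this script (not pcn-iptables options), and ``10.0.0.0/8`` is a constructed sample management network.

```shell
#!/bin/sh
# Added example (not part of the Polycube project or its docs): apply a
# stateful, default-deny INPUT policy with pcn-iptables using only the
# matches, targets and commands the page lists as supported.
# PCN_IPTABLES, DRY_RUN, MGMT_NET and SSH_PORT are this script's own
# assumptions, not pcn-iptables options; 10.0.0.0/8 is a constructed value.

PCN_IPTABLES="${PCN_IPTABLES:-pcn-iptables}"  # frontend command, run as-is (never via sudo)
DRY_RUN="${DRY_RUN:-0}"                       # 1 = print each command instead of running it
MGMT_NET="${MGMT_NET:-10.0.0.0/8}"            # constructed management network allowed to SSH in
SSH_PORT="${SSH_PORT:-22}"

# run: one pcn-iptables invocation, printed instead of executed in dry-run mode.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s %s\n' "$PCN_IPTABLES" "$*"
    else
        "$PCN_IPTABLES" "$@"
    fi
}

# input_policy_rules: the ordered rule list, one invocation per line.
# The order is the whole point of a stateful default-deny chain:
#   1. -F flushes the chain, so re-running the script is idempotent;
#   2. ESTABLISHED traffic is accepted first, so the administrator's own
#      remote session survives the policy change;
#   3. explicit allows follow (SSH, only from the management network);
#   4. the default policy is switched to DROP last, once the allows exist.
input_policy_rules() {
    cat <<EOF
-F INPUT
-A INPUT -m conntrack --ctstate=ESTABLISHED -j ACCEPT
-A INPUT -s $MGMT_NET -p tcp --dport $SSH_PORT -j ACCEPT
-P INPUT DROP
EOF
}

# apply_input_policy: feed each rule to run() in order; stop at the first failure.
apply_input_policy() {
    input_policy_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086
        run $rule || exit 1   # word splitting is intended: the rule line is an argv
    done
}

# cleanup_succeeded: true when the text passed in (the output of "pcn-iptables -S"
# after pcn-iptables-clean) reports the cube as gone, as the page describes.
cleanup_succeeded() {
    case "$1" in
        *"No cube found named pcn-iptables"*) return 0 ;;
        *) return 1 ;;
    esac
}

case "${1:-}" in
    apply)
        apply_input_policy && run -S   # show the resulting rule set
        ;;
    clean)
        pcn-iptables-clean
        if cleanup_succeeded "$("$PCN_IPTABLES" -S 2>&1)"; then
            echo "cleanup OK"
        else
            echo "cleanup FAILED: pcn-iptables cube still present" >&2
            exit 1
        fi
        ;;
    *) ;;   # no argument: only define the functions
esac
```

Preview the exact commands with ``DRY_RUN=1 sh policy.sh apply`` before running ``sh policy.sh apply`` on a host where ``pcn-iptables-init`` has already been executed; ``sh policy.sh clean`` then tears the firewall down and confirms, with the page's ``-S`` check, that the cube is gone.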
pcn-iptables can also be run in ``XDP`` mode. This mode comes with a performance gain, especially when policies are configured to DROP traffic.

- pcn-iptables operates only on interfaces that support XDP native mode
- traffic is not filtered on interfaces that support only eBPF TC programs
A customized fork of iptables is included as a submodule under :scm_web:`src/components/iptables/iptables <src/components/iptables>`. We customized this version of iptables so that it does not inject iptables commands into netfilter, but converts them, after a validation step, into polycube syntax.
Scripts are used as glue logic to make pcn-iptables run. Their main purpose is to initialize, clean up and run pcn-iptables: they pass the pcn-iptables parameters through iptables (which is in charge of converting them), then pass the converted commands to the pcn-iptables service.
Scripts are installed under