Demo: Implementing iptables using a programmable stateful data plane abstraction

Iptables is a well known Linux’s user interface to control the Netfiltermodule, which is responsible for processing packets traversing the Linux’s networking subsystem. In cooperation with the conntrackmodule, Netfilter supports a wide range of network functions such as: filtering, NAT, stateful firewall, load balancer, anomaly detection, etc. Given the central role of the iptables’ functions in the Linux networking subsystem, their implementation’s packet forwarding performance is critical. For reference, a today’s server is equipped with a couple of 10Gbps network interfaces, and 40Gbps interfaces are becoming common. Unfortunately, current general purpose systems’ speed is not growing as fast as the network interfaces speed [1], therefore, providing such a packet forwarding throughput is a challenge. In this work, we explore the feasibility of using programmable data plane abstractions to offload iptables operations from a server’s CPU to a smart NIC. Given the dynamic nature of the iptables configurations and the need to support multiple applications at the same time, the selected abstraction (i) should provide the ability to perform runtime updates as well as (ii) support multiple concurrent functions. Data plane abstractions. A Match-Action Table (MAT) abstraction, e.g., the one adopted by OpenFlow, would fulfill our requirements, since it provides runtime programmability of the forwarding tables while supporting forwarding entries belonging to different functions. Unfortunately, a typical MAT does not support the implementation of functions that require read/write operations of algorithmic state. In fact, MATs are already used by some smart NICs as a mean to sup-