eBPF / XDP on OPNsense with hardware support? (Deciso)

Started by trinitronx, March 21, 2025, 04:30:26 PM


I'm wondering about eBPF / XDP support in FreeBSD / OPNsense.  Is it possible to load eBPF programs into a NIC capable of XDP running FreeBSD?

This has great potential application for a firewall device, because eBPF loaded into an XDP capable NIC hardware is extremely fast, according to Cloudflare's testing.

For example, I have a DEC850 v2, which appears to have hardware support for this.

Deciso DEC850 v2 has 4x Intel I225-V 2.5 GbE ports:

  • igc0
  • igc1
  • igc2
  • igc3

sudo pciconf -llcvVBa igc0
Password:
drv selector class    rev  hdr  vendor device subven subdev
igc0@pci0:2:0:0: 020000   03   00   8086   15f3   8086   0000
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Controller I225-V'
    class      = network
    subclass   = ethernet
    cap 01[40] = powerspec 3  supports D0 D3  current D0
    cap 05[50] = MSI supports 1 message, 64 bit, vector masks
    cap 11[70] = MSI-X supports 5 messages, enabled
                 Table in map 0x1c[0x0], PBA in map 0x1c[0x2000]
    cap 10[a0] = PCI-Express 2 endpoint max data 128(512) FLR RO NS
                 max read 512
                 link x1(x1) speed 5.0(5.0) ASPM L1(L1)
    ecap 0001[100] = AER 2 0 fatal 0 non-fatal 0 corrected
    ecap 0003[140] = Serial 1 f490eaffff010b7a
    ecap 0018[1c0] = LTR 1
    ecap 001f[1f0] = Precision Time Measurement 1
    ecap 001e[1e0] = L1 PM Substates 1


According to RedHat's eBPF docs, this hardware is capable of XDP (eXpress Data Path):

Network card                                       Driver  Basic  Redirect  Target   HW offload  Zero-copy  Large MTU
Intel® Ethernet Controller I225-LM/I225-V family   igc     yes    yes       yes [a]  no          yes        yes [c]

  • [a]: Only if an XDP program is loaded on the interface.
  • [c]: Transmitting side only. Cannot receive large packets through XDP.

Is it possible to leverage XDP from FreeBSD / OPNsense?


eBPF is Linux only as far as I know.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

March 21, 2025, 07:03:31 PM #2 Last Edit: March 21, 2025, 07:48:27 PM by trinitronx Reason: clarification regarding XDP_MODE_HW
Quote from: Patrick M. Hausen on March 21, 2025, 04:43:37 PM
eBPF is Linux only as far as I know.

For running kernel-space eBPF sandboxed programs, it seems that might be a limitation with FreeBSD's kernel.

🤔 What about loading a pre-compiled XDP into the Intel hardware from FreeBSD?  Theoretically, could this be possible? [1]

[1]: To be clear, I'm talking about hardware mode / XDP_MODE_HW, assuming that the NIC supports offloading the eBPF program onto the NIC hardware itself.

Quote from: trinitronx on March 21, 2025, 04:30:26 PM
[...]
This has great potential application for a firewall device, because eBPF loaded into an XDP capable NIC hardware is extremely fast, according to Cloudflare's testing.
[...]

I'd have to read that more closely, but offhand it appears as though it can silently (no logs, possibly no sampling or other accounting) selectively discard packets at a high rate. Lots of devices can do that (many switches, a few NICs), at (pick your) line rate. I considered either using a Chelsio NIC or running my Internet link through one of my switches (for line-rate stateless filters), but I'm not exactly Cloudflare - DoS is pretty low on my list of concerns, and I really like having all of my filters in one place.

The deeper you get, the more expensive. You start with the NIC or switch filters, and pretty soon you're trying to shoehorn a hardware-assisted statekeeping plugin into VPP/DPDK running on FreeBSD. Be careful out there.
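For readers who have not seen one, here is what the "silently, selectively discard packets at a high rate" filter the replies describe actually looks like as an XDP program. This is an added example, not code from the thread or from Deciso/OPNsense, and it targets Linux (the thread's conclusion that eBPF/XDP is Linux-only stands). The verdict logic is written in the bounds-checked shape the BPF verifier demands and is kept separate from the entry point so it can be compiled natively and exercised against constructed frames; the `__bpf__` guard, the blocklist of RFC 5737 documentation addresses and the `XDP_DROP`/`XDP_PASS` values (mirroring the Linux uapi `enum xdp_action`) are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#ifdef __bpf__
/* Built with clang -O2 -target bpf: use the real Linux definitions. */
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
#else
/* Native build for testing; values mirror the Linux uapi enum xdp_action. */
#define XDP_DROP 1
#define XDP_PASS 2
#endif

#define ETH_P_IP 0x0800

/* Fixed-size headers with multi-byte fields kept as byte arrays, so the
 * parser is endianness-independent and needs no ntohs/ntohl. */
struct eth_hdr { uint8_t dst[6]; uint8_t src[6]; uint8_t proto[2]; };
struct ipv4_hdr {
    uint8_t ver_ihl, tos, tot_len[2], id[2], frag_off[2], ttl, protocol, check[2];
    uint8_t saddr[4], daddr[4];
};

/* Constructed blocklist (assumption): two RFC 5737 documentation addresses. */
static const uint32_t blocked_sources[] = {
    0xC0000201u, /* 192.0.2.1 */
    0xCB00710Au, /* 203.0.113.10 */
};

static inline uint16_t load_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static inline uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Verdict logic in the shape the BPF verifier requires: every header is
 * bounds-checked against data_end before it is read. Anything the filter
 * does not understand is passed up to the kernel stack, never dropped. */
static inline int xdp_verdict(const void *data, const void *data_end)
{
    const uint8_t *p = data, *end = data_end;
    if (p + sizeof(struct eth_hdr) > end) return XDP_PASS;      /* runt frame */
    const struct eth_hdr *eth = (const struct eth_hdr *)p;
    if (load_be16(eth->proto) != ETH_P_IP) return XDP_PASS;     /* not IPv4 */
    p += sizeof(struct eth_hdr);
    if (p + sizeof(struct ipv4_hdr) > end) return XDP_PASS;     /* truncated IP header */
    const struct ipv4_hdr *ip = (const struct ipv4_hdr *)p;
    uint32_t saddr = load_be32(ip->saddr);
    for (size_t i = 0; i < sizeof blocked_sources / sizeof blocked_sources[0]; i++)
        if (saddr == blocked_sources[i]) return XDP_DROP;       /* early, silent drop */
    return XDP_PASS;
}

#ifdef __bpf__
SEC("xdp")
int xdp_drop_blocklist(struct xdp_md *ctx)
{
    return xdp_verdict((void *)(long)ctx->data, (void *)(long)ctx->data_end);
}
char _license[] SEC("license") = "GPL";
#else
#include <stdio.h>

/* Constructed test input: a minimal 34-byte Ethernet + IPv4 frame. */
size_t build_ipv4_frame(uint8_t *buf, size_t cap, uint32_t saddr_host)
{
    struct eth_hdr eth = { .proto = { ETH_P_IP >> 8, ETH_P_IP & 0xff } };
    struct ipv4_hdr ip = { .ver_ihl = 0x45, .ttl = 64, .protocol = 17 };
    size_t len = sizeof eth + sizeof ip;
    if (cap < len) return 0;
    for (int i = 0; i < 4; i++) ip.saddr[i] = (uint8_t)(saddr_host >> (24 - 8 * i));
    memcpy(buf, &eth, sizeof eth);
    memcpy(buf + sizeof eth, &ip, sizeof ip);
    return len;
}

int verdict_for_source(uint32_t saddr_host)
{
    uint8_t frame[64];
    size_t len = build_ipv4_frame(frame, sizeof frame, saddr_host);
    return xdp_verdict(frame, frame + len);
}

/* Runt frame: too short even for an Ethernet header. */
int verdict_for_short_frame(void)
{
    uint8_t frame[8] = {0};
    return xdp_verdict(frame, frame + sizeof frame);
}

/* Non-IPv4 EtherType (ARP, 0x0806) carrying a blocked address: still passed. */
int verdict_for_non_ip_frame(void)
{
    uint8_t frame[64] = {0};
    size_t len = build_ipv4_frame(frame, sizeof frame, 0xC0000201u);
    frame[12] = 0x08; frame[13] = 0x06;
    return xdp_verdict(frame, frame + len);
}

int main(void)
{
    printf("192.0.2.1 -> %s\n", verdict_for_source(0xC0000201u) == XDP_DROP ? "XDP_DROP" : "XDP_PASS");
    printf("192.0.2.2 -> %s\n", verdict_for_source(0xC0000202u) == XDP_DROP ? "XDP_DROP" : "XDP_PASS");
    return 0;
}
#endif
```

The design point the thread raises is visible here: a drop returns before the kernel stack ever sees the packet, so there is no log line, no pf state and no counter unless the program maintains one itself (a BPF map incremented on each drop is the usual answer). Every malformed or unexpected frame falls through to `XDP_PASS` so the ordinary firewall still gets to see it, and the bounds checks are not optional: the verifier rejects the program without them.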