Sep. 27 / EuroBSDCon 2025 Souma Sakaguchi (Future University Hakodate, Japan) This is a part of joint work with Shintaro Suzuki (Future University Hakodate) Yuki Nakata (SAKURA internet inc. / Future Univ. Hakodate) Katsuya Matsubara (Future University Hakodate)
Future University Hakodate, Japan • Interests: Container Networking / Virtualization / OS • Research Topic: Lightweight Security Sandboxing for Containers • Email: [email protected]
the Compatibility of Linux Containers by Jail and Linuxulator • Transparently Apply Capsicum to the Linux Containers 3 Academic Work: Lightweight Security Sandboxing for Containers [1] Objective: Mitigate exploits of vulnerabilities in the Linux kernel while preserving the containers' lightweight nature [1] Y. Nakata, S. Suzuki and K. Matsubara: Reducing Attack Surface with Container Transplantation for Lightweight Sandboxing, Proceedings of the 14th ACM SIGOPS Asia-Pacific Workshop on Systems. pp. 58-64 (2023). Invalidate exploits of Linux kernel vulnerabilities with less overheads because of the kernel implementation defferencies Reduces attack surface (syscalls) by Capusicum
Y. Nakata, S. Suzuki and K. Matsubara: Reducing Attack Surface with Container Transplantation for Lightweight Sandboxing, Proceedings of the 14th ACM SIGOPS Asia-Pacific Workshop on Systems. pp. 58-64 (2023). Comparison of sandboxed Linux runtimes and FreeBSD’s linuxularotor # of supported syscalls unixbench scores BETTER BETTER
[1] Y. Nakata, S. Suzuki and K. Matsubara: Reducing Attack Surface with Container Transplantation for Lightweight Sandboxing, Proceedings of the 14th ACM SIGOPS Asia-Pacific Workshop on Systems. pp. 58-64 (2023). Access to files that should not be readable Execute attack code on Linux Linux
[2] Y. Nakata, S. Suzuki and K. Matsubara: Reducing Attack Surface with Container Transplantation for Lightweight Sandboxing, Proceedings of the 14th ACM SIGOPS Asia-Pacific Workshop on Systems. pp. 58-64 (2023). Execute attack code on Linuxulator Failed to read ! FreeBSD’s Linuxurator
Container Networking is crucial. • Microservices Architecture - Assigning a Container to each Microservice - The overall service is composed of processes that container communication, triggered by user access • Frequent container communication [2] [2] J. Lewis and M. Fowler: Microservices, 2014, https://martinfowler.com/articles/microservices.html (Accessed on 2025/7/24) Container Container Container Container Container Container Microservices Architecture
technologies are dominated by Linux コンテナ コンテナ コンテナ コンテナ コンテナ コンテナ Microservices Architecture • We want a rich container environment just like Linux! ◦ Jail with vnet only implements primitive container network ◦ Lacks functionality to transplant Linux Container ecosystems [2] J. Lewis and M. Fowler: Microservices, 2014, https://martinfowler.com/articles/microservices.html (Accessed on 2025/7/24) Microservices Architecture
node Container-to-Internet • Isolating network resources • Assigning network device to Isolated spaces • Assigning IP addresses • Clouds consist of multiple nodes • Routing control to containers on different nodes • Accessing to external resources from containers • Packet Control Using Filtering and NAT Container-to-Container among nodes
FreeBSD for containers communication • Calico: The de facto standard[4] CNI Plugin and Modules - Configuration network device and route Container-to-Container on single node - Route Advertisement to containers by BGP Container-to-Container among nodes - Packet filtering and NAT Container-to-Internet [4] Datadog: 11 Facts About Real-World Container Use, 2020, https://www.datadoghq.com/ja/container-report-2020/ (Accessed on 2025/7/22)
https://www.datadoghq.com/ja/container-report-2020/ (Accessed on 2025/7/22) Approach: Porting Linux Standard CNI Plugins Porting Calico to FreeBSD for containers communication • Calico: The de facto standard[4] CNI Plugin and Modules - Configuration network device and route Container-to-Container on single node - Route Advertisement to containers by BGP Container-to-Container among nodes - Packet filtering and NAT Container-to-Internet
https://www.datadoghq.com/ja/container-report-2020/ (Accessed on 2025/7/22) Approach: Porting Linux Standard CNI Plugins Porting Calico to FreeBSD for containers communication • Calico: The de facto standard[4] CNI Plugin and Modules - Configuration network device and route Container-to-Container on single node - Route Advertisement to containers by BGP Container-to-Container among nodes - Packet filtering and NAT Container-to-Internet
https://www.datadoghq.com/ja/container-report-2020/ (Accessed on 2025/7/22) Approach: Porting Linux Standard CNI Plugins Porting Calico to FreeBSD for containers communication • Calico: The de facto standard[4] CNI Plugin and Modules - Configuration network device and route Container-to-Container on single node - Route Advertisement to containers by BGP Container-to-Container among nodes - Packet filtering and NAT Container-to-Internet
with configurations for Calico modules calicoctl: Register Calico configurations to etcd Calico-BIRD: BGP Configuration and route control Felix: Management of route control and packet diltering iptables: Firewall and NAT configuration on the Linux kernel nerdctl: Controlling container runtime and CNI plugin Calico Plugin: CNI Plugins that configure IP addresses and network devices Container Runtime: Container management, such as execution and deletion
network resources per Jail ◦ Like Linux Network Namespace • Sharing network resources among multiple containers ◦ Jail and VNET have a one-to-one mapping New Share Inherit VNET cannot share network resources among multiple Jails Container Container Container Container Container Container
an Alternative to Netlink 21 Netlink, used for network configuration, is not fully available on FreeBSD • Netlink: Network Resource Management Provided by the Linux Kernel Request Network Configurations via Netlink through the Library BIRD - Route Advertisement Using BGP Calico Plugin - Assign IP addresses - Create network devices Felix - Routing table operations - Monitoring network devices
on FreeBSD capable of Netlink-equivalent behavior feature • Routing Socket: Netlink-Compatible routing operations available on FreeBSD - Only routing table operations are possible with an equivalent function • ioctl(AF_INET): Functions for managing network resources, as used by “ifconfig” - Create network devices - Assign IP addresses • https://github.com/oss-fun/netlink
and structures with different values between Linux and FreeBSD • Usable with Minor Modifications #define AF_NETLINK 16 #define PF_ROUTE 17 Netlink (Linux) Routing Socket (FreeBSD) Differences in constants for creating communication sockets with the same role type NlMsghdr struct { Len uint32 Type uint16 Flags uint16 Seq uint32 Pid uint32 } Defined the message header structure used for Routing Socket
Interface for FreeBSD func (h *Handle) LinkAdd(link Link) error ex. function of creating a link device 1. Prepared a message requesting link device creation 2. Request to Netlink | Create link device 3. Receive results from Netlink Linux
by ioctl system call 3. Receive results 25 func (h *Handle) LinkAdd(link Link) error _, _, errno := unix.Syscall( unix.SYS_IOCTL, uintptr(fd), uintptr(unix.SIOCIFCREATE2), uintptr(unsafe.Pointer(&ifr)), ) Network Resource Management by ioctl(AF_INET) Defined Functions with same Interface for FreeBSD ex. function of creating a link device
iptables, used for packet filtering and NAT, is unavailable on FreeBSD. • iptables: Feature of Packet filtering・NAT on Linux - Apply the network policy defined by the user - For communication with external hosts Packet Control and NAT via Rules chain: Set of Rules chain & Rule Jump mark: Marking to Packets ipset: IP Address Pool Management
to iptables • ipfw: Packet Filtering and NAT functionality implemented in the FreeBSD kernel - Replicating iptables functionality using ipfw capabilities - Implementation needs to account for differences in specification methods and syntax Packet Control and NAT via Rules RuleNumber & Rule Jump Tag: Marking to Packets Table: IP Address Pool Management
for Incoming, Outgoing, and Forwarded Packets ipfw add 1 call 10 ip from not me to me in ipfw add 2 call 20 ip from me to not me out ipfw add 3 call 30 ip from not me to not me ipfw add 4 skipto 65535 ip from any to any ipfw add 10 count // in packet ipfw add 11 call (PREROUTING-raw ) ipfw add 12 call (PREROUTING-mangle ) ipfw add 13 call (PREROUTING-nat ) ipfw add 14 call (INPUT-filter ) ipfw add 19 skipto 65535 ip from any to any ipfw add 20 count // out packet ipfw add 21 call (OUTPUT-raw ) ipfw add 22 call (OUTPUT-nat ) ipfw add 23 call (OUTPUT-filter ) ipfw add 24 call (POSTROUTING-mangle ) ipfw add 25 call (POSTROUTING-nat ) ipfw add 29 skipto 65535 ip from any to any ipfw add 30 count // forward packet ipfw add 31 call (PREROUTING-raw ) ipfw add 32 call (PREROUTING-mangle ) ipfw add 33 call (PREROUTING-nat ) ipfw add 34 call (FORWARD-filter ) ipfw add 35 call (POSTROUTING-mangle ) ipfw add 36 call (POSTROUTING-nat ) ipfw add 60 skipto 65535 ip from any to any (some_chain ) ipfw add 65535 allow ip from any to any Convert into a Single Rule
Packets to ◦◦ Allow Packets to ×× Jamp chain_A Drop Packets from □□ … Drop Pakctets to △△ Drop Packets from▲▲ … Return Main Rules chain_A iptables(Linux) • Management rules by chain • Give custom names to chains and Rule jump with a specified chain name • Return to the calling chain Chain-Equivalent Behavior by Rule Number Jumps
with a rule number instead of chain jamp (call Action & skipto Action) • Return to the calling rule (return Action) Instead of “Chain”: Management Rules by Rule Number Chain-Equivalent Behavior by Rule Number Jumps Create Rule Groups by Treating Rules Numbered 100 and Above as Chains 1: Allow Packets to ◦◦ 2: Allow Packets to ×× 3: Jamp Rule 100 4: Drop Packets from □□ … 100: Drop Pakctets to △△ 101: Drop Packets from▲▲ … 199: Return Main Rules Rule 100…
syntax ex. Deny packets to UDP and Port 4789 ( = VXLAN Traffic) iptables -A INPUT -p udp --dport 4789 -j DROP ipfw add 100 deny udp from any to any dst-port 4789 ipfw(FreeBSD) iptables(Linux) By implementing differences in syntax, the same rules can be reproduced
Is Possible nat 1 ip from table(cali40masq-ipam-pools) to not table(cali40all-ipam-pools) via em0 nat 1 ip from any to any in via em0 ipfw nat 1 config if em0 unreg_only ipfw(FreeBSD) Outgoing Packets Incoming Packets
Available Types iptables(Linux) • mark: marked with a uint32 ipfw(FreeBSD) • Tag: marked with a uint16 iptables -t mangle -A INPUT -j MARK --set-mark 0x1 iptables -A INPUT -m mark --mark 0x1 -j ACCEPT ipfw add 10 count tag 1 ip from any to any ipfw add 11 allow ip from any to any tagged 1 “Mark” used by Calico is sufficient with half the bit width
add 100 Deny ip from table(calico_ip) to any iptables -A INPUT -m set --match-set calico_ip -j Drop Name: calico-ip Members: 192.168.10.1 172.168.0.0/16 --- table(calico_ip), set(0) --- 192.168.10.1 172.168.0.0/16
Communication with etcd Rules Rules Save and Restore Rule Synchronization Filtering by eBPF Communication with k8s Using wireguard Existing implementation fixed unsupport User land Kernel ipfw add 1 call 10 ip from not me to me in ipfw add 2 call 20 ip from me to not me out ipfw add 3 call 30 ip from not me to not me ipfw add 4 skipto 65535 ip from any to any ipfw add 10 count // in packet …
IPPool metadata: name: default-ipv4-ippool spec: cidr: 172.16.166.0/24 ipipMode: Never vxlanMode: Never natOutgoing: true disabled: false Range of IP addresses used by containers
'{ "kind": "Node", "apiVersion": "projectcalico.org/v3", "metadata": { "name": "node1" }, "spec": { "bgp": { "ipv4Address": "192.168.100.11/24" } }, "status": {} }' Store Node Information such as host IP into etcd
IPPool metadata: name: default-ipv4-ippool spec: cidr: 192.168.100.0/24 ipipMode: Never vxlanMode: Never natOutgoing: true disabled: false Change the IP address range, deploy containers on a different network
plugin ‘Calico’ for FreeBSD • Challenge & Solution ◦ Vnet can't share network resources between Jails ✅ Use a nested Vnet jail to share a private network among jails ◦ Existing Netlink implementation for FreeBSD has lacks on functionality ✅Re-implement a wrapper library capable of netlink-equivalent behavior using the routing socket and ioctls ◦ No Iptables in FreeBSD ✅Convert iptables-style routing rules for IPFW
soumasakaguchi
harukiabe
shilo113
shisyu_gaku
zozotech
ditccsugii
kworkdev
shomaekawa
tsukaman
hjmkth
findy_eventslides
bethany
.jpg){kind=icon}
taukami
mclloyd
eileencodes
hannesfritz
holman
jakevdp
hatefulcrawdad
danielanewman
addyosmani
shpigford
bluesmoon
csswizardry
lara
![4 Academic Work: FreeBSD as a Linux-compat Runtime [1] [1]](https://files.speakerdeck.com/presentations/3dd64ed223f5482fbcbb1105c2e2bde5/slide_3.jpg){kind=link}
![5 Academic Work: Can FreeBSD Mitigate Linux Vulnerability Exploits? [2]](https://files.speakerdeck.com/presentations/3dd64ed223f5482fbcbb1105c2e2bde5/slide_4.jpg){kind=link}
![12 [4] Datadog: 11 Facts About Real-World Container Use, 2020,](https://files.speakerdeck.com/presentations/3dd64ed223f5482fbcbb1105c2e2bde5/slide_11.jpg){kind=link}
![13 [4] Datadog: 11 Facts About Real-World Container Use, 2020,](https://files.speakerdeck.com/presentations/3dd64ed223f5482fbcbb1105c2e2bde5/slide_12.jpg){kind=link}
![14 [4] Datadog: 11 Facts About Real-World Container Use, 2020,](https://files.speakerdeck.com/presentations/3dd64ed223f5482fbcbb1105c2e2bde5/slide_13.jpg){kind=link}
