NaCl - A unikernel configuration language



We’ve been working on Network Function Virtualization for quite some time now. We have a functioning router, firewall and load-balancer. Initially these were configured directly in C++. This wasn’t ideal, and certainly not something we wanted to ask our customers to do.

So we designed a language to do this. It transpiles the configuration into C++ code, which is then fed into our build system. The result is that setting up the network is now pretty straightforward. A minimal routing firewall can be configured like this:

// TARGET and TPORT are constants defined elsewhere in the configuration.
Filter::IP fw {
    // Packets belonging to a flow conntrack already knows are let through.
    if (ct.state == established) {
        accept
    }
    // Only TCP packets enter this block; everything else falls past it.
    Filter::TCP {
        if (ip.daddr == TARGET and tcp.dport == TPORT) {
            log("New connection accepted\n")
            accept
        }
    } // end TCP
    // Nothing above matched: default deny.
    log("Dropping packet in fw\n")
    drop
} // End of fw

It’s quite different from iptables, but it seems we can do most of what iptables/netfilter can do. Some netfilter modules are naturally missing. I really like being able to split up the rule set with if-statements.
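To make the semantics of the filter above concrete, here is a hand-written C++ model of it. This is an added illustration, not the code the NaCl transpiler emits and not IncludeOS code; the `Packet` struct, the `Verdict`, `CtState` and `Proto` enums, the `ipv4()` helper and the values chosen for `TARGET` and `TPORT` are assumptions for the example. It shows the two properties a reviewer of such a rule set cares about: checks run top to bottom with the first `accept` winning, and anything that matches nothing falls through to the final `drop`, so the only way in for a new flow is TCP to TARGET:TPORT.

```cpp
// Added illustration of the NaCl filter above as plain C++ (not the code the
// NaCl transpiler emits). Each NaCl `if` becomes a check with an early return;
// the trailing log + drop is reached by fall-through.
#include <cstdint>
#include <cstdio>

// Helper and assumed values for the configuration constants TARGET and TPORT.
constexpr uint32_t ipv4(uint8_t a, uint8_t b, uint8_t c, uint8_t d) {
  return (uint32_t(a) << 24) | (uint32_t(b) << 16) | (uint32_t(c) << 8) | d;
}
constexpr uint32_t TARGET = ipv4(10, 0, 0, 2);
constexpr uint16_t TPORT  = 80;

enum class Verdict { ACCEPT, DROP };
enum class CtState { NEW, ESTABLISHED };        // stands in for ct.state
enum class Proto : uint8_t { ICMP = 1, TCP = 6, UDP = 17 };

struct Packet {
  uint32_t saddr;
  uint32_t daddr;
  Proto    proto;
  uint16_t dport;     // only meaningful for TCP/UDP; 0 otherwise
  CtState  ct_state;
};

// Filter::IP fw { ... }
Verdict fw(const Packet& p) {
  // if (ct.state == established) { accept }
  if (p.ct_state == CtState::ESTABLISHED) {
    return Verdict::ACCEPT;
  }
  // Filter::TCP { ... } only sees TCP packets; others skip the block.
  if (p.proto == Proto::TCP) {
    // if (ip.daddr == TARGET and tcp.dport == TPORT) { log(...) accept }
    if (p.daddr == TARGET && p.dport == TPORT) {
      std::puts("New connection accepted");
      return Verdict::ACCEPT;
    }
  }
  // Nothing matched: log and drop (default deny).
  std::puts("Dropping packet in fw");
  return Verdict::DROP;
}

// Constructed sample traffic (not captured data) exercising each branch.
int main() {
  const uint32_t client = ipv4(192, 168, 1, 10);
  const Packet samples[] = {
    {client, TARGET,           Proto::TCP,  TPORT, CtState::NEW},          // accept
    {client, TARGET,           Proto::TCP,  22,    CtState::NEW},          // drop
    {client, TARGET,           Proto::UDP,  TPORT, CtState::NEW},          // drop
    {client, ipv4(10, 0, 0, 3), Proto::TCP, TPORT, CtState::NEW},          // drop
    {client, ipv4(10, 0, 0, 3), Proto::ICMP, 0,    CtState::ESTABLISHED},  // accept
  };
  for (const Packet& p : samples) {
    std::printf("proto=%u dport=%u ct=%s -> %s\n",
                unsigned(p.proto), unsigned(p.dport),
                p.ct_state == CtState::ESTABLISHED ? "established" : "new",
                fw(p) == Verdict::ACCEPT ? "ACCEPT" : "DROP");
  }
  return 0;
}
```

The ordering matters: because the conntrack check sits first, a packet on an established flow is accepted whatever its protocol or port, while a new UDP packet to TARGET:TPORT never reaches the TCP block and is dropped.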

We’re using ANTLR to parse this. As a bonus, ANTLR lets us build the parser into our web UI management tool, giving the user a fast and easy way to validate the configuration. This is quite helpful, as throwing Clang compiler errors at the user is suboptimal. :-/

If anybody else would like help implementing this in their own unikernel, let us know and we’d be happy to provide some assistance.

We will likely expand this to also cover layer 4 load balancing and later layer 7 load balancing as well.

Performance seems good: we’re somewhere in the range of 10-20% faster than Linux. Once we enable ThinLTO, I think we can expect this to outperform Linux quite substantially.

Annika did most of the implementation and she wrote about it here: