Jan Engelhardt, “Merge Me”

Xtables2 does away with the different tables that exist in current Netfilter. If a rule only applies to a specific type of traffic (for example the owner id match), it simply does not match anything else. One of the interests of having a single table is that the ruleset can be updated easily with a single atomic swap. Manual chains can still be created by hand, as they are very useful for factoring rules. ...

12 March 2013 · 2 min · Regit

NFWS group photo

Top row, from left: Jan Engelhardt, Tomasz Bursztyka, Daniel Borkmann, Julien Vehent, Holger Eitzenberger, Victor Julien, Eric Leblond, Eric Dumazet, Nicolas Dichtel, David Miller, S. Park
Bottom row, from left: Martin Topholm, Jesper Sander Lindgren, Pablo Neira Ayuso, Simon Horman, Jozsef Kadlecsik, Jesper Dangaard Brouer, Patrick McHardy, Thomas Graf

12 March 2013 · 1 min · Regit

Tomasz Bursztyka, connMan usage of Netfilter

Introduction: ConnMan is a network manager which supports many different link layers, from Ethernet and WiFi to NFC and link sharing. It features automatic link switching and lets you select your preferred type of link. Communication with the UI is event based, so a UI is easy to write as only a few window types are needed. Discussion: David Miller pointed out that DHCP clients very often put the interface in promiscuous mode, which is not a good idea as it is like having a tcpdump started on every laptop. As ConnMan has its own DHCP implementation, it could take this into account and improve the situation. This is in fact already the case, as its DHCP client uses an alternate method.

12 March 2013 · 1 min · Regit

Jozsef Kadlecsik, ipset status

Tc interaction: tc interaction has been contributed by Florian Westphal. It is thus now possible to use a set match to differentiate the QoS or routing of packets. This opens a wide area for experimentation. Packet and byte counters: this is a fairly large rewrite of set elements and extensions which adds packet and byte counters to each element. The syntax has been updated: ipset add <set> <elem> packets n bytes m. It is also possible to check the counters: for example, ipset will be able to match on a set and refine the selection by specifying the number of packets that must have been seen before matching. Counters can also be updated from the set match. ...

12 March 2013 · 2 min · Regit

Pablo Neira Ayuso, nftables strikes back

Introduction: this is a new kernel packet filtering framework. The only change is on the iptables side; Netfilter hooks, the connection tracking system and NAT are unchanged, and backward compatibility is provided. nftables was first released in March 2009 by Patrick McHardy and has been revived in the preceding months by Pablo Neira Ayuso and other hackers. Architecture: it uses a pseudo-state machine in kernel space, similar to BPF, with 4 general purpose registers (128 bits each) plus 1 verdict register, and provides an instruction set which can be extended. Here is an example of existing instructions: ...

12 March 2013 · 4 min · Regit

Simon Horman, MPLS Enlightened Open vSwitch

Open vSwitch is a multi-layer switch. It is designed to enable network automation through programmatic extension, while still supporting standard management interfaces and protocols. OpenFlow is a management protocol supported by Open vSwitch. OpenFlow has basic support for MPLS: it features a minimum set of operations to configure MPLS correctly. OpenFlow MPLS support is partially implemented in Open vSwitch but there are some difficulties. Some of the operations update L3+ parameters such as the TTL. They must be updated in the same manner in the MPLS header and in the packet header, and this is quite complicated as it requires decoding the packet below MPLS. But the MPLS header does not include the encapsulated ethertype, so it is almost impossible to access the packet structure correctly. ...

11 March 2013 · 1 min · Regit

Victor Julien, Suricata and Netfilter

Suricata and Netfilter could be better friends, as they do some common work like decoding packets and maintaining a flow table. In IPS mode, Suricata receives raw packets from libnetfilter_queue. It has to parse these packets, but this has already been done by the kernel, so it should be possible to avoid duplicating the work. ...

11 March 2013 · 1 min · Regit

Pablo Neira Ayuso, Netfilter summary of changes since last workshop

Pablo Neira Ayuso gave a panorama of Netfilter changes since the last workshop. On the user side, the first main change published after the last workshop is libnetfilter_cttimeout. It allows you to define different timeout policies and to apply them to connections by using the CT target. Another important new feature is the possibility to disable automatic helper assignment. More information in Secure use of iptables and connection tracking helpers. ...

11 March 2013 · 2 min · Regit

Martin Topholm: DDoS experiences with Linux and Netfilter

Martin works for one.com, a local ISP, and is facing some DDoS. SYN cookies were implemented but the performance was too low, below 300 kpps, which is not what was expected. In fact SYN handling is on a slow path, with a single spin lock protecting the SYN backlog queue, so the system behaves like a single core system with respect to SYN attacks. Jesper Dangaard Brouer has proposed a patch to move the SYN cookie handling out of the lock, but it has some downsides and could not be accepted. In particular, the SYN cookie system needs to check every packet to see if it belongs to a previous SYN cookie response, and thus a central point is needed. ...
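To show why a SYN cookie answer can be produced and later checked without keeping any per-connection state (and why every incoming ACK has to be run through that check), here is a simplified SYN cookie encoder and validator in the classic 5-bit counter / 3-bit MSS index / 24-bit hash layout. This is an example added to this page, not Linux's implementation and not code from the talk: the HMAC construction, the fixed secret, the MSS table, the time-tick assumption and the addresses used in the demo are all assumptions made for the example.

```python
import hmac
import hashlib
import struct

# Encoded MSS values, as in the classic scheme: 3 bits of the cookie select one entry.
MSS_TABLE = (536, 1300, 1440, 1460)
# A real implementation draws this from a CSPRNG at boot; fixed here so the demo is reproducible.
COOKIE_SECRET = b"constructed-demo-secret-not-for-production"
MAX_AGE = 2   # cookies older than this many counter ticks are rejected (assumed tick: 64 s)


def _hash24(saddr, daddr, sport, dport, count):
    """24-bit keyed hash binding the cookie to the 4-tuple and to the time counter."""
    msg = struct.pack("!4s4sHHB", saddr, daddr, sport, dport, count)
    return int.from_bytes(hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(saddr, daddr, sport, dport, peer_mss, count):
    """Initial sequence number for the SYN-ACK: 5 bits of counter, 3 bits of MSS index,
    24 bits of hash. Nothing is stored for this half-open connection."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):   # largest table entry not above the advertised MSS
        if mss <= peer_mss:
            idx = i
    t = count & 0x1F
    return (t << 27) | (idx << 24) | _hash24(saddr, daddr, sport, dport, t)


def check_syn_cookie(saddr, daddr, sport, dport, ack_seq, count):
    """Validate the final ACK of the handshake with no stored state. Returns the MSS to use
    for the new socket, or None if the ACK does not complete a cookie we issued."""
    cookie = (ack_seq - 1) & 0xFFFFFFFF
    t = cookie >> 27
    idx = (cookie >> 24) & 0x7
    if ((count - t) & 0x1F) > MAX_AGE:       # stale or replayed cookie
        return None
    if idx >= len(MSS_TABLE):
        return None
    if (cookie & 0xFFFFFF) != _hash24(saddr, daddr, sport, dport, t):
        return None                          # forged, or simply not ours
    return MSS_TABLE[idx]


if __name__ == "__main__":
    client, server = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1])   # constructed addresses
    isn = make_syn_cookie(client, server, 40000, 80, 1460, count=7)
    print("SYN-ACK seq =", hex(isn))
    print("genuine ACK ->", check_syn_cookie(client, server, 40000, 80, isn + 1, count=8))
    print("wrong port  ->", check_syn_cookie(client, server, 40001, 80, isn + 1, count=8))
    print("stale ACK   ->", check_syn_cookie(client, server, 40000, 80, isn + 1, count=7 + MAX_AGE + 1))
```

Because the server keeps nothing between the SYN-ACK and the ACK, the only way to know whether an arriving ACK completes a handshake is to run check_syn_cookie on it; that is the per-packet check the talk describes, and the reason the handling has to sit at one central point rather than being split per CPU.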

11 March 2013 · 2 min · Regit

David Miller: routing cache is dead, now what ?

The routing cache maintained a list of routing decisions. It was a hash table which was highly dynamic and changed with traffic. One of the major problems was the garbage collector. Another severe issue was the possibility of DoS by making it grow. The routing cache was removed in Linux 3.6 after a 2 year effort by David and the other Linux kernel developers. The global cache is gone and some of the stored information has been moved to more specific places such as the socket. ...

11 March 2013 · 1 min · Regit

Fabio Massimo Di Nitto: Kronosnet.org

Kronosnet is an “I conceived it when drunk but it works well” VPN implementation. It uses a TAP device to provide a layer 2 VPN. To avoid reinventing the wheel, it delegates most of the work to the kernel. It supports multilink and server redundancy: on the multilink side, 8 links can be set up per host to help redundancy. One use of this project is the creation of private networks in the cloud, as it can easily be set up to provide redundancy and connectivity for a lot of clients (64k simultaneous clients), and because a layer 2 VPN is really useful for this type of usage. ...

11 March 2013 · 1 min · Regit

Eric Leblond: ulogd2, Netfilter logging reloaded

Introduction: yesterday I gave a presentation of ulogd2 at Open Source Days in Copenhagen. After a brief history of Netfilter logging, I described the key features of ulogd2 and demonstrated two interfaces, nf3d and djedi. The slides are available: Ulogd2, Netfilter logging reloaded. Screencasts: this video demonstrates some features of nf3d. This screencast shows some of the capabilities of djedi. Thanks a lot to the organizers for this cool event.

11 March 2013 · 1 min · Regit

Jan Engelhardt, Xtables2: Packet Filter Evolved

Introduction: iptables duplicates work for each family and uses a socket protocol which is far too static. Xtables2 is an ongoing effort to evolve the packet filter. It aims at providing finer grained modifications (and not whole ruleset replacement). Capabilities: rule packing, to increase cache hits; family independence, with no more IPv4 and IPv6 specific code (only the hooks remain specific, as they depend on the core network stack); xt extension support; atomic replace support. The xtables syntax is quite similar but not the same. libxtadm is a high-level library for ruleset inspection and manipulation. ...

10 March 2013 · 1 min · Regit

Daniel Borkmann: Packets Sockets, BPF and Netsniff-NG

PF_PACKET introduction: this gives access to raw packets inside Linux. It is used by libpcap and by other projects like Suricata. PF_PACKET performance can be improved via dedicated features: zero-copy RX/TX, socket clustering, and Linux socket filtering (BPF). The BPF architecture looks like a small virtual machine with registers and memory stores. It has different instructions, and the kernel has its own extensions to access the CPU number or the VLAN tag. Netsniff-NG: netsniff-ng is a set of minimal tools: ...
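To make the "small virtual machine" concrete, here is a classic BPF interpreter written for this page (an added example, not code from the talk, the kernel or netsniff-ng). It executes the program tcpdump generates for the filter tcp dst port 80 on an Ethernet link, using the opcode encoding of <linux/filter.h>, over frames constructed inline; the frame builder and the addresses it uses are made up for the demo, and the interpreter covers only the load, jump and return instructions this program needs.

```python
import struct

# Classic BPF opcode fields, values as in <linux/filter.h>
BPF_LD, BPF_LDX, BPF_JMP, BPF_RET = 0x00, 0x01, 0x05, 0x06       # instruction class (code & 0x07)
BPF_W, BPF_H, BPF_B = 0x00, 0x08, 0x10                           # load width (code & 0x18)
BPF_ABS, BPF_IND, BPF_MSH = 0x20, 0x40, 0xA0                     # load mode (code & 0xE0)
BPF_JA, BPF_JEQ, BPF_JGT, BPF_JGE, BPF_JSET = 0x00, 0x10, 0x20, 0x30, 0x40   # jump op (code & 0xF0)
BPF_K, BPF_X, BPF_A = 0x00, 0x08, 0x10                           # operand source / return source
WIDTH = {BPF_W: 4, BPF_H: 2, BPF_B: 1}

# The program "tcpdump -dd 'tcp dst port 80'" produces for Ethernet, as (code, jt, jf, k):
# accept IPv4 + TCP + first fragment + TCP dport 80; anything else is dropped.
TCP_DST_PORT_80 = [
    (BPF_LD | BPF_H | BPF_ABS, 0, 0, 12),        # A = ethertype
    (BPF_JMP | BPF_JEQ | BPF_K, 0, 8, 0x0800),   # not IPv4 -> drop
    (BPF_LD | BPF_B | BPF_ABS, 0, 0, 23),        # A = IP protocol
    (BPF_JMP | BPF_JEQ | BPF_K, 0, 6, 6),        # not TCP -> drop
    (BPF_LD | BPF_H | BPF_ABS, 0, 0, 20),        # A = IP flags + fragment offset
    (BPF_JMP | BPF_JSET | BPF_K, 4, 0, 0x1FFF),  # non-first fragment -> drop
    (BPF_LDX | BPF_B | BPF_MSH, 0, 0, 14),       # X = 4 * IP header length field
    (BPF_LD | BPF_H | BPF_IND, 0, 0, 16),        # A = TCP dport at 14 + X + 2
    (BPF_JMP | BPF_JEQ | BPF_K, 0, 1, 80),
    (BPF_RET | BPF_K, 0, 0, 65535),              # accept (snap length)
    (BPF_RET | BPF_K, 0, 0, 0),                  # drop
]


def run_bpf(prog, pkt):
    """Execute a classic BPF program over pkt; return the accepted length (0 = drop)."""
    A = X = 0
    pc = 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        cls = code & 0x07
        if cls == BPF_RET:
            return k if (code & 0x18) == BPF_K else A
        if cls in (BPF_LD, BPF_LDX):
            mode = code & 0xE0
            if mode == BPF_MSH:                          # ldxb 4*([k]&0xf)
                if k >= len(pkt):
                    return 0                             # out-of-bounds load drops, as in the kernel
                X = (pkt[k] & 0x0F) * 4
                continue
            if mode not in (BPF_ABS, BPF_IND):
                raise ValueError("unsupported load mode 0x%02x" % code)
            off = k + (X if mode == BPF_IND else 0)
            width = WIDTH[code & 0x18]
            if off + width > len(pkt):
                return 0
            val = int.from_bytes(pkt[off:off + width], "big")
            if cls == BPF_LD:
                A = val
            else:
                X = val
            continue
        if cls == BPF_JMP:
            op = code & 0xF0
            if op == BPF_JA:
                pc += k
                continue
            rhs = X if (code & 0x08) == BPF_X else k
            if op == BPF_JEQ:
                cond = A == rhs
            elif op == BPF_JGT:
                cond = A > rhs
            elif op == BPF_JGE:
                cond = A >= rhs
            elif op == BPF_JSET:
                cond = (A & rhs) != 0
            else:
                raise ValueError("unsupported jump 0x%02x" % code)
            pc += jt if cond else jf
            continue
        raise ValueError("unsupported opcode 0x%02x" % code)
    raise ValueError("program ran off the end (the kernel rejects such programs at load time)")


def ipv4_tcp_frame(dport, ihl=5):
    """Constructed Ethernet/IPv4/TCP SYN frame; addresses are documentation ranges, not real hosts."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 20, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    ip += b"\x00" * (ihl * 4 - 20)               # zero IP options when ihl > 5
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return eth + ip + tcp


ARP_FRAME = b"\xff" * 6 + b"\x00" * 6 + b"\x08\x06" + b"\x00" * 28   # constructed ARP request

if __name__ == "__main__":
    for name, frame in (("tcp/80", ipv4_tcp_frame(80)), ("tcp/80, IP options", ipv4_tcp_frame(80, ihl=6)),
                        ("tcp/22", ipv4_tcp_frame(22)), ("arp", ARP_FRAME)):
        print(f"{name:20s} -> {run_bpf(TCP_DST_PORT_80, frame)}")
```

The X register and the MSH load are what let one program handle IP headers of any length: the TCP port is read relative to X instead of at a fixed offset. The out-of-bounds rule (a load past the end of the packet drops it instead of faulting) is the property that makes it safe for the kernel to run untrusted filters from user space.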

10 March 2013 · 2 min · Regit

Tomasz Bursztyka, ConnMan usage of Netfilter: a close overview

Introduction: ConnMan is a connection manager which integrates all critical networking components. It provides a smart D-Bus API to develop a user interface. It is plugin oriented and the different network stacks are implemented in separate modules. Connection sharing (aka tethering) uses Netfilter to set up NAT masquerading, so it is a simple usage. Switching to nftables: application connectivity is a more advanced part involving Netfilter, as it makes use of statistics and differentiated routing. For example, in a car, service data must be sent to the manufacturer's operator and not over the owner's network. ...

10 March 2013 · 1 min · Regit

Julien Vehent, AFW: Automating host-based firewalls with Chef

The problem: centralized firewall design does not scale well when dealing with a lot of servers. It begins to collapse after a few thousand rules. Furthermore, to allow an application A to connect to server B, it takes a workflow and possibly 3 weeks to get the opening. From Service Oriented Architecture to Service Oriented Security: services are autonomous. They call each other using a standard protocol. The architecture is described by a list of dependencies between services. You can then specify security via rules like ACCEPT Caching TO Frontend ON PORT 80. But this forces you to do provisioning each time a server starts. ...
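One way to make the service-level rules concrete, as an example added to this page (not AFW's own code): a small compiler that turns rules such as ACCEPT Caching TO Frontend ON PORT 80 into the iptables rules each host needs, under a default DROP policy. The rule grammar, the emitted rule shape and the inventory below are assumptions made for the example; AFW itself gets service membership from Chef search.

```python
import re
from dataclasses import dataclass

# Grammar assumed for this demo: "ACCEPT <src service> TO <dst service> ON PORT <tcp port>"
RULE_RE = re.compile(r"^ACCEPT\s+(\w+)\s+TO\s+(\w+)\s+ON\s+PORT\s+(\d+)$", re.IGNORECASE)


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int


def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    port = int(m.group(3))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in rule: {text!r}")
    return Rule(m.group(1).lower(), m.group(2).lower(), port)


BASE_RULES = [
    "-P INPUT DROP",
    "-P OUTPUT DROP",
    "-A INPUT -i lo -j ACCEPT",
    "-A OUTPUT -o lo -j ACCEPT",
    "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    "-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
]


def compile_host_rules(service, rules, inventory):
    """iptables rules for one host running `service`: accept inbound NEW connections from every
    member of a service allowed to call it, and outbound NEW connections to every service it may
    call. Everything not derived from a rule stays under the DROP policies."""
    out = list(BASE_RULES)
    for r in rules:
        for name in (r.src, r.dst):
            if name not in inventory:
                raise KeyError(f"rule {r} references unknown service {name!r}")  # fail closed on typos
        if r.dst == service:
            for ip in sorted(inventory[r.src]):
                out.append(f"-A INPUT -p tcp -s {ip} --dport {r.port} -m conntrack --ctstate NEW -j ACCEPT")
        if r.src == service:
            for ip in sorted(inventory[r.dst]):
                out.append(f"-A OUTPUT -p tcp -d {ip} --dport {r.port} -m conntrack --ctstate NEW -j ACCEPT")
    return out


# Constructed inventory standing in for the data the talk pulls from Chef; private addresses, not real hosts.
INVENTORY = {
    "caching": ["10.0.1.11", "10.0.1.10"],
    "frontend": ["10.0.2.20"],
    "db": ["10.0.3.30"],
}
POLICY = ["ACCEPT Caching TO Frontend ON PORT 80", "ACCEPT Frontend TO Db ON PORT 5432"]

if __name__ == "__main__":
    rules = [parse_rule(line) for line in POLICY]
    for svc in INVENTORY:
        print(f"# {svc}")
        print("\n".join(compile_host_rules(svc, rules, INVENTORY)))
```

Each host only ever receives the rules that mention its own service, which is what keeps the per-host ruleset small even when the global dependency list is large; unknown service names are rejected rather than silently expanding to nothing, so a typo cannot turn into a missing rule that is only noticed when something breaks.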

10 March 2013 · 2 min · Regit

Jozsef Kadlecsik, Faster firewalling with ipset

Why ipset? iptables is sufficient in most cases, but some limits are hit: with a high number of rules (iptables is linear), or when the rules need to change often. An independent study available at d(a)emonkeeper's purgatory has shown that ipset performance is almost constant with respect to the number of filtered hosts. History: the originating project was ippool, featuring a basic set; after some time it was taken over by Jozsef and renamed ipset. A lot of set types are now handled. ...

10 March 2013 · 1 min · Regit

Patrick McHardy: Oops, I did it: IPv6 NAT

Introduction: Harald Welte, when asked about IPv6 NAT, used to answer: “it will be over my dead body”. It is now available in the official kernel. Reasons for adding IPv6 NAT: dynamic IPv6 prefixes (ISPs assign dynamic IPv6 prefixes, so internal network addresses change, and NAT can bring you stability); easier test setups; users are asking for it and most operating systems have it. To summarize the arguments for NAT, Patrick McHardy used this video: ...

10 March 2013 · 1 min · Regit

Pablo Neira Ayuso: nftables, a new packet filtering framework for Netfilter

Introduction: nftables is a kernel packet filtering framework that replaces iptables. It brings no changes in the core (conntrack, hooks). The match logic is changed: you fetch keys and, once you have your key set, you perform operations on them. Advanced and specialized matches are built upon this system. nftables vs iptables: in iptables, extensions were coded in separate files and had to be put in the iptables source tree. To act, they had to modify a binary array storing the ruleset and inject it back into the kernel, so every update involves a full download and upload of the whole ruleset. ...

10 March 2013 · 2 min · Regit

Patrick McHardy: memory mapped netlink tree is available for testing

Patrick (aka kaber) has just made available his work on memory mapped netlink. Both the kernel and the libmnl parts are available on git.kernel.org. You can pull the kernel code on top of the net-next tree:
git pull git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nl-mmap-2.6.git
The libmnl code can be fetched with:
git clone git://git.kernel.org/pub/scm/linux/kernel/git/kaber/libmnl-mmap.git
Once done, a NETLINK_MMAP kernel compilation option is available via make config. Documentation is available in the Linux tree, in the file Documentation/networking/netlink_mmap.txt.

26 August 2011 · 1 min · Regit