SlideShare uma empresa Scribd logo

Kernel Recipes 2013 - Nftables, what motivations and what solutions

Anne Nicolas
Anne Nicolas

Iptables and Netfilter were introduced in 2001 along with Linux 2.4 as the full layer for firewall. The functionalities and the codes changed quite a lot during this decade, but nothing like what has been done with nftables. The motivation for this change is to overcome the limitations of iptables that was beginning to date both foncionnal level and in the code design: problem with the system update rules (very expensive when the number of rules increases which has become a problem to manage not static rules), code duplication, problematic for code maintenance and users. Nftables is a replacement for iptables that has been developed since 2008 by Patri ck McHardy who is the head of the Netfilter project. After a period of sleep, the developments around the project resumed in 2012 and a team of developers was formed and is working on the project. Nftables solves the problem of updates performance using a communication message between the kernel and user space. Infrastructure Netlink was used because it is the basis of the latest major Netfilter developments. The most notable changes: incremental update and atomic rules guaranteeing the performance and consistency of the set of rules expression of the rules using a pseudo machine for avoiding complex operations of writing core modules and additional extensions Nftables exceeds the limitations of iptables and brings news that should resolve elegant and efficient way many problems. The work is already significant and only the high-level library has not yet been developed. Given the remaining work, the first official release is planned for late 2013.

Tecnologia
1 de 41
Baixar para ler offline
nftables, far more than %s/ip/nf/g Éric Leblond Nefilter Coreteam September 24, 2013 Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 1 / 48
1 Introduction 2 Netfilter in 2013 3 Iptables limitations 4 Nftables, an Iptables replacement 5 Advantages of the approach 6 An updated user experience 7 Conclusion Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 2 / 48
Éric Leblond Hacker and contractor Independant Open Source and Security consultant Started and developped NuFW, the authenticating firewall Core developer of Suricata IDS/IPS Netfilter Coreteam member Work on kernel-userspace interaction Kernel hacking ulogd2 maintainer Port of Openoffice firewall to Libreoffice Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 4 / 48
History ipchains (1997) Linux 2.2 firewalling stateless Developped by Paul ’Rusty’ Russel iptables (2000) Linux 2.4 firewalling Stateful tracking and full NAT support in-extremis IPv6 support Netfilter project ’Rusty’ Russel developed iptables and funded Netfilter project Netfilter coreteam was created to consolidate the community Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 6 / 48
Features Filtering and logging Filtering on protocol fields on internal state Packet mangling Change TOS Change TTL Set mark Connection tracking Stateful filtering Helper to support protocol like FTP Network Address Translation Destination Network Address Translation Source Network Address Translation Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 7 / 48
Netfilter inside kernel Hooks Hooks at different points of network stack Verdict can be issued and skb can be modified To each hook correspond at least table Different families filter raw nat mangle Loading a module create the table Connection tracking tasks Maintain a hash table with known flows Detect dynamic connection opening for some protocols Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 8 / 48
Major components Netfilter filtering In charge of accepting, blocking, transforming packets Configured by ioctl Connection tracking Analyse traffic and maintain flow table Cost in term of performance Increase security iptables Configuration tools Update ruleset inside kernel Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 9 / 48
The nfnetlink (r)evolution Nfnetlink First major evolution of Netfilter (Linux 2.6.14, 2005) Netfilter dedicated configuration and message passing mechanism New interactions NFLOG: enhanced logging system NFQUEUE: improved userspace decision system NFCT: get information and update connection tracking entries Based on Netlink datagram-oriented messaging system passing messages from kernel to user-space and vice-versa Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 10 / 48
Netlink Header format Payload format Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 11 / 48
Components created following 2.6.14 conntrack-tools conntrackd connection tracking replication daemon provide high availability developped by Pablo Neira Ayuso conntrack: command line tool to update and query connection tracking ulogd2 logging daemon handle packets and connections logging Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 12 / 48
Latest changes ipset Efficient set handling Address list or more complex set Reach vanilla kernel in 2011 (Linux 2.6.39) nfacct Efficient accounting system Appeared in 2012 Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 13 / 48
Kernel code How much code 70000 LOC reside in kernelspace around 50000 LOC in user-space Iptables extensions 111 iptables extensions. Various tasks: tcp cluster bpf statistic Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 14 / 48
Performance Adding a rule The problem Atomic replacement of ruleset Sent from kernel to userspace Modified and sent back by userspace Huge performance impact Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 16 / 48
Dynamic ruleset Network gets dynamic Firewall can’t be static anymore Cloud IP reputation Combinatory explosion : one rule per-server and protocol Set handling Set handling is made via ipset Efficient but not as integrated as possible Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 17 / 48
Code duplication Different filtering family Netfilter classic filtering Brigde filtering Arp filtering IPv4 and IPv6 Matches and target Similar code in numerous Netfilter module Nothing is shared Manual parsing Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 18 / 48
Problem due to binary blob usage ABI breakage Binary exchange between userspace and kernel No modification possible without touching kernel Trusting userspace Kernel is parsing a binary blob Possible to break the internal parser Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 19 / 48
Integration via exec Frontend and iptables No officially available library Frontend fork iptables command libiptables Available inside iptables sources Not a public library API and ABI breakage are not checked during version upgrade Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 20 / 48
Lack of flexible table and chains configurations Module loading is the key Chains are created when module init Induce a performance cost even without rules No configuration is possible Chains are hardcoded FORWARD is created on a server Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 21 / 48
Nftables A new filtering system Replace iptables and the filtering infrastructure No changes in Hooks Connection tracking Helpers A new language Based on a grammar Accessible from a library Netlink based communication Atomic modification Notification system Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 23 / 48
History Introduced in 2008 Developped and presented by Patrick McHardy at NFWS2008 Presentation took 3 hours Alpha stage in 2008 Development did stop Patrick McHardy did not finish the code alone Nobody did join the effort Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 24 / 48
Video Interlude The video http://www.youtube.com/watch?v=DQp1AI1p3f8 Video generation Video generated with gource Various git history have been merged File path has been prefixed with project name Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 25 / 48
What explanations ? Should have "Release often release early" ? Started by Patrick McHardy only Almost complete work presented during NFWS 2008 Complex to enter the project Too early ? No user were demanding for that explicitly Ipset was available and fixing the set issue Solution for dynamic handling was sufficient Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 26 / 48
Development restarted in 2012 Funding by Sophos/Astaro Pablo Neira Ayuso get funded by Astaro Work restart in 2012 Gaining momemtum Tomasz Bursztyka joined the development team Work on Connman Lack of libs was painful to him Start to hack on nftables Google summer of code 3 students Some good results Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 27 / 48
A filtering based on a pseudo-state machine Inspired by BPF 4 registers 1 verdict A extensive instructions set Add Some Magic ? reg = pkt.payload[offset, len] reg = cmp(reg1, reg2, EQ) reg = pkt.meta(mark) reg = lookup(set, reg1) reg = ct(reg1, state) Easy creation of new matches reg1 = pkt.payload[offset_src_port, len] reg2 = pkt.payload[offset_dst_port, len] reg = cmp(reg1, reg2, EQ) Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 28 / 48
Architecture Kernel Tables: declared by user and attached to hook User interface: nfnetlink socket ADD DELETE DUMP Userspace libmnl: low level netlink interaction libnftables: library handling low-level interaction with nftables Netlink’s API nftables: command line utility to maintain ruleset Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 29 / 48
Dynamic chain loading Chain are created on-demand Chain are created via a specific netlink message Non-user chain are: Of a specific type Bound to a given hook Current chain type filter: filtering table route: old mangle table nat: network address translation table Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 30 / 48
From userspace syntax to kernel Converting user input Operation is made via a netlink message The userspace syntax must be converted From a text message following a grammar To a binary Netlink message Linearize Tokenisation Parsing Evaluation Linearization Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 31 / 48
From kernel to userspace syntax Kernel send netlink message It must be converted back to text Conversion Deliniearization Postprocessing Textify Example ip f i l t e r output 8 7 [ payload load 4b @ network header + 16 => reg 1 ] [ bitwise reg 1 = ( reg=1 & 0 x 0 0 f f f f f f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00500fd9 ] [ counter pkts 7 bytes 588 ] is translated to: ip daddr 217.15.80.0/24 counter packets 7 bytes 588 # handle 8 Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 32 / 48
Kernel Atomic ruleset update atomically commit a set of rule-set updates incrementally based on a generation counter/mask 00 active in the present, will be active in the next generation. 01 active in the present, needs to zero its future, it becomes 00. 10 inactive in the present, delete now. xtables compatibility Possible to use old extensions Necessary to provide backward compatibility Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 33 / 48
Notification Event based notification Each rule update trigger an event Event is sent to userspace via nfnetlink Userspace usage Implemented in libnftables Program can update his view on the ruleset without dump Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 34 / 48
A limited in-kernel size A limited set of operators and instructions A state machine No code dedicated to each match One match on address use same code as a match on port New matchs are possible without kernel modification LOC count 50000 LOC in userspace only 7000 LOC in kernel-space Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 36 / 48
Less kernel update Pseudo state machine instruction Current instructions cover need found in previous 10 years New instruction require very limited code Development in userspace A new match will not need a new kernel ICMPv6 implementation is a single userspace patch Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 37 / 48
Example of ICMPv6 include/datatype.h | 2 ++ include/payload.h | 14 +++++++++++ src/parser.y | 33 +++++++++++++++++++++++++++--- src/payload.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++++ src/scanner.l | 4 ++ 5 files changed, 109 insertions(+), 3 deletions(-) Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 38 / 48
Example of ICMPv6 static const struct datatype icmp6_type_type = { . type = TYPE_ICMP6_TYPE, .name = " icmpv6_type " , . desc = "ICMPv6 type " , . byteorder = BYTEORDER_BIG_ENDIAN, . size = BITS_PER_BYTE, . basetype = &integer_type , . sym_tbl = &icmp6_type_tbl , } ; #define ICMP6HDR_FIELD(__name , __member) HDR_FIELD(__name , struct icmp6_hdr , __member) #define ICMP6HDR_TYPE(__name , __type , __member) HDR_TYPE(__name , __type , struct icmp6_hdr , __member) const struct payload_desc payload_icmp6 = { .name = " icmpv6 " , . base = PAYLOAD_BASE_TRANSPORT_HDR, . templates = { [ICMP6HDR_TYPE] = ICMP6HDR_TYPE( " type " , &icmp6_type_type , icmp6_type ) , [ICMP6HDR_CODE] = ICMP6HDR_FIELD( " code " , icmp6_code ) , [ICMP6HDR_CHECKSUM] = ICMP6HDR_FIELD( " checksum " , icmp6_cksum ) , [ICMP6HDR_PPTR] = ICMP6HDR_FIELD( " parameter−problem " , icmp6_pptr ) , [ICMP6HDR_MTU] = ICMP6HDR_FIELD( " packet−too−big " , icmp6_mtu ) , [ICMP6HDR_ID] = ICMP6HDR_FIELD( " id " , icmp6_id ) , [ICMP6HDR_SEQ] = ICMP6HDR_FIELD( " sequence " , icmp6_seq ) , [ICMP6HDR_MAXDELAY] = ICMP6HDR_FIELD( "max−delay " , icmp6_maxdelay ) , } , } ; Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 39 / 48
Basic utilisation File mode nft -f ipv4-filter Command line mode nft add rule ip f i l t e r input tcp dport 80 drop nft l i s t table f i l t e r −a nft delete rule f i l t e r output handle 10 CLI mode # nft −i nft > l i s t table < c l i >:1:12 −12: Error : syntax error , unexpected end of f i l e , expecting s t r i l i s t table ^ nft > l i s t table f i l t e r table f i l t e r { chain input { ip saddr 1.2.3.4 counter packets 8 bytes 273 Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 41 / 48
Set handling Interests of sets One single rule evaluation Simple and readable ruleset Evolution handling Anonymous set nft add rule ip global f i l t e r ip daddr {192.168.0.0/24 , 192.168.1.4} tcp dport {22 , 443} accept Named set nft add set global ipv4_ad { type ipv4_address ; } nft add element global ipv4_ad { 192.168.1.4 , 192.168.1.5} nft delete element global ipv4_ad { 192.168.1.5} nft add rule ip global f i l t e r ip saddr @ipv4_ad drop Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 42 / 48
Mapping Principle and interest Associative mapping linking two notions A match on the key trigger the use of the value Using addresses, interfaces, verdicts Examples Anonymous mapping: # nft add rule f i l t e r output ip daddr vmap {192.168.0.0/24 => drop , 192.168.0.1 => accept } Named mapping: # nft −i nft > add map f i l t e r verdict_map { type ipv4_address => v e r d i c t ; } nft > add element f i l t e r verdict_map { 1.2.3.5 => drop } nft > add rule f i l t e r output ip daddr vmap @verdict_map Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 43 / 48
Usage example set web_servers { type ipv4_address elements = { 192.168.1.15 , 192.168.1.5} } map admin_map { type ipv4_address => v e r d i c t elements = { 192.168.0.44 => jump logmetender , 192.168.0.42 => jump logmetrue , 192.168.0.33 => accept } } chain forward { ct state established accept ip daddr @web_servers tcp dport ssh ip saddr map @admin_map ip daddr @web_servers tcp dport http log accept ip daddr @web_servers tcp dport https accept counter log drop } chain logmetender { log l i m i t 10/ minute accept } chain logmetrue { counter log accept } } Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 44 / 48
Transition and evolution A complete iptables compatibility iptables-nftables Binary compatible with iptables Using nftables framework Same kernel can be used with two systems A progressive update A high level library To be used by frontends Or by network manager systems Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 45 / 48
Conclusion A huge evolution Solving iptables problem An answer to new usages Set handling Complex matches Availability for end 2013, beginning 2014 Finalizing iptables compatibility High level library Debug and some functionalities Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 47 / 48
Questions ? Do you have questions ? Thanks to Netfilter team Astaro/Sophos for financing the development Google for GSoC 2013 More information Netfilter : http://www.netfilter.org Nftables quick & dirty : https://t.co/cM4zogob8t Contact me Mail: eric@regit.org Twitter: @Regiteric Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 48 / 48

Recomendados

Unifying Network Filtering Rules for the Linux Kernel with eBPF
Unifying Network Filtering Rules for the Linux Kernel with eBPFUnifying Network Filtering Rules for the Linux Kernel with eBPF
Unifying Network Filtering Rules for the Linux Kernel with eBPFNetronome
 
Linux 4.x Tracing: Performance Analysis with bcc/BPF
Linux 4.x Tracing: Performance Analysis with bcc/BPFLinux 4.x Tracing: Performance Analysis with bcc/BPF
Linux 4.x Tracing: Performance Analysis with bcc/BPFBrendan Gregg
 
nftables: the Next Generation Firewall in Linux
nftables: the Next Generation Firewall in Linuxnftables: the Next Generation Firewall in Linux
nftables: the Next Generation Firewall in LinuxTomofumi Hayashi
 
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RCThe Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RCThomas Graf
 
Kubernetes Networking with Cilium - Deep Dive
Kubernetes Networking with Cilium - Deep DiveKubernetes Networking with Cilium - Deep Dive
Kubernetes Networking with Cilium - Deep DiveMichal Rostecki
 
nftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewallnftables - the evolution of Linux Firewall
nftables - the evolution of Linux FirewallMarian Marinov
 
DPDK in Containers Hands-on Lab
DPDK in Containers Hands-on LabDPDK in Containers Hands-on Lab
DPDK in Containers Hands-on LabMichelle Holley
 
Cilium - BPF & XDP for containers
Cilium - BPF & XDP for containers Cilium - BPF & XDP for containers
Cilium - BPF & XDP for containersDocker, Inc.
 

Recomendados

Unifying Network Filtering Rules for the Linux Kernel with eBPF
Unifying Network Filtering Rules for the Linux Kernel with eBPFUnifying Network Filtering Rules for the Linux Kernel with eBPF
Unifying Network Filtering Rules for the Linux Kernel with eBPFNetronome
 
Linux 4.x Tracing: Performance Analysis with bcc/BPF
Linux 4.x Tracing: Performance Analysis with bcc/BPFLinux 4.x Tracing: Performance Analysis with bcc/BPF
Linux 4.x Tracing: Performance Analysis with bcc/BPFBrendan Gregg
 
nftables: the Next Generation Firewall in Linux
nftables: the Next Generation Firewall in Linuxnftables: the Next Generation Firewall in Linux
nftables: the Next Generation Firewall in LinuxTomofumi Hayashi
 
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RCThe Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RCThomas Graf
 
Kubernetes Networking with Cilium - Deep Dive
Kubernetes Networking with Cilium - Deep DiveKubernetes Networking with Cilium - Deep Dive
Kubernetes Networking with Cilium - Deep DiveMichal Rostecki
 
nftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewallnftables - the evolution of Linux Firewall
nftables - the evolution of Linux FirewallMarian Marinov
 
DPDK in Containers Hands-on Lab
DPDK in Containers Hands-on LabDPDK in Containers Hands-on Lab
DPDK in Containers Hands-on LabMichelle Holley
 
Cilium - BPF & XDP for containers
Cilium - BPF & XDP for containers Cilium - BPF & XDP for containers
Cilium - BPF & XDP for containersDocker, Inc.
 
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
Cilium - Bringing the BPF Revolution to Kubernetes Networking and SecurityCilium - Bringing the BPF Revolution to Kubernetes Networking and Security
Cilium - Bringing the BPF Revolution to Kubernetes Networking and SecurityThomas Graf
 
Cgroupあれこれ-第4回コンテナ型仮想化の情報交換会資料
Cgroupあれこれ-第4回コンテナ型仮想化の情報交換会資料Cgroupあれこれ-第4回コンテナ型仮想化の情報交換会資料
Cgroupあれこれ-第4回コンテナ型仮想化の情報交換会資料KamezawaHiroyuki
 
DPDK: Multi Architecture High Performance Packet Processing
DPDK: Multi Architecture High Performance Packet ProcessingDPDK: Multi Architecture High Performance Packet Processing
DPDK: Multi Architecture High Performance Packet ProcessingMichelle Holley
 
Replacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with CiliumReplacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with CiliumMichal Rostecki
 
eBPFは何が嬉しいのか
eBPFは何が嬉しいのかeBPFは何が嬉しいのか
eBPFは何が嬉しいのかYutaro Hayakawa
 
Accelerating Envoy and Istio with Cilium and the Linux Kernel
Accelerating Envoy and Istio with Cilium and the Linux KernelAccelerating Envoy and Istio with Cilium and the Linux Kernel
Accelerating Envoy and Istio with Cilium and the Linux KernelThomas Graf
 
Waris l2vpn-tutorial
Waris l2vpn-tutorialWaris l2vpn-tutorial
Waris l2vpn-tutorialrakiva29
 
VLANs in the Linux Kernel
VLANs in the Linux KernelVLANs in the Linux Kernel
VLANs in the Linux KernelKernel TLV
 
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating SystemBPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating SystemThomas Graf
 
Embedded linux network device driver development
Embedded linux network device driver developmentEmbedded linux network device driver development
Embedded linux network device driver developmentAmr Ali (ISTQB CTAL Full, CSM, ITIL Foundation)
 
Linux Network Stack
Linux Network StackLinux Network Stack
Linux Network StackAdrien Mahieux
 
CETH for XDP [Linux Meetup Santa Clara | July 2016]
CETH for XDP [Linux Meetup Santa Clara | July 2016] CETH for XDP [Linux Meetup Santa Clara | July 2016]
CETH for XDP [Linux Meetup Santa Clara | July 2016] IO Visor Project
 
debugging openstack neutron /w openvswitch
debugging openstack neutron /w openvswitchdebugging openstack neutron /w openvswitch
debugging openstack neutron /w openvswitch어형 이
 
Cilium - Container Networking with BPF & XDP
Cilium - Container Networking with BPF & XDPCilium - Container Networking with BPF & XDP
Cilium - Container Networking with BPF & XDPThomas Graf
 
Cumulus networks conversion guide
Cumulus networks conversion guideCumulus networks conversion guide
Cumulus networks conversion guideScott Suehle
 
netfilter and iptables
netfilter and iptablesnetfilter and iptables
netfilter and iptablesKernel TLV
 
Disaggregating Ceph using NVMeoF
Disaggregating Ceph using NVMeoFDisaggregating Ceph using NVMeoF
Disaggregating Ceph using NVMeoFShapeBlue
 
サーバ構築を自動化する 〜Ansible〜
サーバ構築を自動化する 〜Ansible〜サーバ構築を自動化する 〜Ansible〜
サーバ構築を自動化する 〜Ansible〜Yui Ito
 
最近のたまおきの取り組み 〜OpenStack+αの実現に向けて〜 - OpenStack最新情報セミナー(2017年3月)
最近のたまおきの取り組み 〜OpenStack+αの実現に向けて〜 - OpenStack最新情報セミナー(2017年3月)最近のたまおきの取り組み 〜OpenStack+αの実現に向けて〜 - OpenStack最新情報セミナー(2017年3月)
最近のたまおきの取り組み 〜OpenStack+αの実現に向けて〜 - OpenStack最新情報セミナー(2017年3月)VirtualTech Japan Inc.
 
Open vSwitch 패킷 처리 구조
Open vSwitch 패킷 처리 구조Open vSwitch 패킷 처리 구조
Open vSwitch 패킷 처리 구조Seung-Hoon Baek
 
Kernel Recipes 2014 - What’s new in nftables?
Kernel Recipes 2014 - What’s new in nftables?Kernel Recipes 2014 - What’s new in nftables?
Kernel Recipes 2014 - What’s new in nftables?Anne Nicolas
 
In Network Computing Prototype Using P4 at KSC/KREONET 2019
In Network Computing Prototype Using P4 at KSC/KREONET 2019In Network Computing Prototype Using P4 at KSC/KREONET 2019
In Network Computing Prototype Using P4 at KSC/KREONET 2019Kentaro Ebisawa
 

Mais conteúdo relacionado

Mais procurados

Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
Cilium - Bringing the BPF Revolution to Kubernetes Networking and SecurityCilium - Bringing the BPF Revolution to Kubernetes Networking and Security
Cilium - Bringing the BPF Revolution to Kubernetes Networking and SecurityThomas Graf
 
Cgroupあれこれ-第4回コンテナ型仮想化の情報交換会資料
Cgroupあれこれ-第4回コンテナ型仮想化の情報交換会資料Cgroupあれこれ-第4回コンテナ型仮想化の情報交換会資料
Cgroupあれこれ-第4回コンテナ型仮想化の情報交換会資料KamezawaHiroyuki
 
DPDK: Multi Architecture High Performance Packet Processing
DPDK: Multi Architecture High Performance Packet ProcessingDPDK: Multi Architecture High Performance Packet Processing
DPDK: Multi Architecture High Performance Packet ProcessingMichelle Holley
 
Replacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with CiliumReplacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with CiliumMichal Rostecki
 
eBPFは何が嬉しいのか
eBPFは何が嬉しいのかeBPFは何が嬉しいのか
eBPFは何が嬉しいのかYutaro Hayakawa
 
Accelerating Envoy and Istio with Cilium and the Linux Kernel
Accelerating Envoy and Istio with Cilium and the Linux KernelAccelerating Envoy and Istio with Cilium and the Linux Kernel
Accelerating Envoy and Istio with Cilium and the Linux KernelThomas Graf
 
Waris l2vpn-tutorial
Waris l2vpn-tutorialWaris l2vpn-tutorial
Waris l2vpn-tutorialrakiva29
 
VLANs in the Linux Kernel
VLANs in the Linux KernelVLANs in the Linux Kernel
VLANs in the Linux KernelKernel TLV
 
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating SystemBPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating SystemThomas Graf
 
CETH for XDP [Linux Meetup Santa Clara | July 2016]
CETH for XDP [Linux Meetup Santa Clara | July 2016] CETH for XDP [Linux Meetup Santa Clara | July 2016]
CETH for XDP [Linux Meetup Santa Clara | July 2016] IO Visor Project
 
debugging openstack neutron /w openvswitch
debugging openstack neutron /w openvswitchdebugging openstack neutron /w openvswitch
debugging openstack neutron /w openvswitch어형 이
 
Cilium - Container Networking with BPF & XDP
Cilium - Container Networking with BPF & XDPCilium - Container Networking with BPF & XDP
Cilium - Container Networking with BPF & XDPThomas Graf
 
Cumulus networks conversion guide
Cumulus networks conversion guideCumulus networks conversion guide
Cumulus networks conversion guideScott Suehle
 
netfilter and iptables
netfilter and iptablesnetfilter and iptables
netfilter and iptablesKernel TLV
 
Disaggregating Ceph using NVMeoF
Disaggregating Ceph using NVMeoFDisaggregating Ceph using NVMeoF
Disaggregating Ceph using NVMeoFShapeBlue
 
サーバ構築を自動化する 〜Ansible〜
サーバ構築を自動化する 〜Ansible〜サーバ構築を自動化する 〜Ansible〜
サーバ構築を自動化する 〜Ansible〜Yui Ito
 
最近のたまおきの取り組み 〜OpenStack+αの実現に向けて〜 - OpenStack最新情報セミナー(2017年3月)
最近のたまおきの取り組み 〜OpenStack+αの実現に向けて〜 - OpenStack最新情報セミナー(2017年3月)最近のたまおきの取り組み 〜OpenStack+αの実現に向けて〜 - OpenStack最新情報セミナー(2017年3月)
最近のたまおきの取り組み 〜OpenStack+αの実現に向けて〜 - OpenStack最新情報セミナー(2017年3月)VirtualTech Japan Inc.
 
Open vSwitch 패킷 처리 구조
Open vSwitch 패킷 처리 구조Open vSwitch 패킷 처리 구조
Open vSwitch 패킷 처리 구조Seung-Hoon Baek
 

Mais procurados (20)

Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
Cilium - Bringing the BPF Revolution to Kubernetes Networking and SecurityCilium - Bringing the BPF Revolution to Kubernetes Networking and Security
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
 
Cgroupあれこれ-第4回コンテナ型仮想化の情報交換会資料
Cgroupあれこれ-第4回コンテナ型仮想化の情報交換会資料Cgroupあれこれ-第4回コンテナ型仮想化の情報交換会資料
Cgroupあれこれ-第4回コンテナ型仮想化の情報交換会資料
 
DPDK: Multi Architecture High Performance Packet Processing
DPDK: Multi Architecture High Performance Packet ProcessingDPDK: Multi Architecture High Performance Packet Processing
DPDK: Multi Architecture High Performance Packet Processing
 
Replacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with CiliumReplacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with Cilium
 
eBPFは何が嬉しいのか
eBPFは何が嬉しいのかeBPFは何が嬉しいのか
eBPFは何が嬉しいのか
 
Accelerating Envoy and Istio with Cilium and the Linux Kernel
Accelerating Envoy and Istio with Cilium and the Linux KernelAccelerating Envoy and Istio with Cilium and the Linux Kernel
Accelerating Envoy and Istio with Cilium and the Linux Kernel
 
Waris l2vpn-tutorial
Waris l2vpn-tutorialWaris l2vpn-tutorial
Waris l2vpn-tutorial
 
VLANs in the Linux Kernel
VLANs in the Linux KernelVLANs in the Linux Kernel
VLANs in the Linux Kernel
 
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating SystemBPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
 
Embedded linux network device driver development
Embedded linux network device driver developmentEmbedded linux network device driver development
Embedded linux network device driver development
 
Linux Network Stack
Linux Network StackLinux Network Stack
Linux Network Stack
 
CETH for XDP [Linux Meetup Santa Clara | July 2016]
CETH for XDP [Linux Meetup Santa Clara | July 2016] CETH for XDP [Linux Meetup Santa Clara | July 2016]
CETH for XDP [Linux Meetup Santa Clara | July 2016]
 
debugging openstack neutron /w openvswitch
debugging openstack neutron /w openvswitchdebugging openstack neutron /w openvswitch
debugging openstack neutron /w openvswitch
 
Cilium - Container Networking with BPF & XDP
Cilium - Container Networking with BPF & XDPCilium - Container Networking with BPF & XDP
Cilium - Container Networking with BPF & XDP
 
Cumulus networks conversion guide
Cumulus networks conversion guideCumulus networks conversion guide
Cumulus networks conversion guide
 
netfilter and iptables
netfilter and iptablesnetfilter and iptables
netfilter and iptables
 
Disaggregating Ceph using NVMeoF
Disaggregating Ceph using NVMeoFDisaggregating Ceph using NVMeoF
Disaggregating Ceph using NVMeoF
 
サーバ構築を自動化する 〜Ansible〜
サーバ構築を自動化する 〜Ansible〜サーバ構築を自動化する 〜Ansible〜
サーバ構築を自動化する 〜Ansible〜
 
最近のたまおきの取り組み 〜OpenStack+αの実現に向けて〜 - OpenStack最新情報セミナー(2017年3月)
最近のたまおきの取り組み 〜OpenStack+αの実現に向けて〜 - OpenStack最新情報セミナー(2017年3月)最近のたまおきの取り組み 〜OpenStack+αの実現に向けて〜 - OpenStack最新情報セミナー(2017年3月)
最近のたまおきの取り組み 〜OpenStack+αの実現に向けて〜 - OpenStack最新情報セミナー(2017年3月)
 
Open vSwitch 패킷 처리 구조
Open vSwitch 패킷 처리 구조Open vSwitch 패킷 처리 구조
Open vSwitch 패킷 처리 구조
 

Semelhante a Kernel Recipes 2013 - Nftables, what motivations and what solutions

Kernel Recipes 2014 - What’s new in nftables?
Kernel Recipes 2014 - What’s new in nftables?Kernel Recipes 2014 - What’s new in nftables?
Kernel Recipes 2014 - What’s new in nftables?Anne Nicolas
 
In Network Computing Prototype Using P4 at KSC/KREONET 2019
In Network Computing Prototype Using P4 at KSC/KREONET 2019In Network Computing Prototype Using P4 at KSC/KREONET 2019
In Network Computing Prototype Using P4 at KSC/KREONET 2019Kentaro Ebisawa
 
PASTE: A Network Programming Interface for Non-Volatile Main Memory
PASTE: A Network Programming Interface for Non-Volatile Main MemoryPASTE: A Network Programming Interface for Non-Volatile Main Memory
PASTE: A Network Programming Interface for Non-Volatile Main Memorymicchie
 
P4+ONOS SRv6 tutorial.pptx
P4+ONOS SRv6 tutorial.pptxP4+ONOS SRv6 tutorial.pptx
P4+ONOS SRv6 tutorial.pptxtampham61268
 
Introduction of eBPF - 時下最夯的Linux Technology
Introduction of eBPF - 時下最夯的Linux Technology Introduction of eBPF - 時下最夯的Linux Technology
Introduction of eBPF - 時下最夯的Linux Technology Jace Liang
 
Tutorial contributing to nf-core
Tutorial contributing to nf-coreTutorial contributing to nf-core
Tutorial contributing to nf-coreGisela Gabernet
 
Enabling accelerated networking - seminar by Enea at the Embedded Conference ...
Enabling accelerated networking - seminar by Enea at the Embedded Conference ...Enabling accelerated networking - seminar by Enea at the Embedded Conference ...
Enabling accelerated networking - seminar by Enea at the Embedded Conference ...EneaSoftware
 
Kernel Recipes 2017 - EBPF and XDP - Eric Leblond
Kernel Recipes 2017 - EBPF and XDP - Eric LeblondKernel Recipes 2017 - EBPF and XDP - Eric Leblond
Kernel Recipes 2017 - EBPF and XDP - Eric LeblondAnne Nicolas
 
DevOps Fest 2020. Даніель Яворович. Data pipelines: building an efficient ins...
DevOps Fest 2020. Даніель Яворович. Data pipelines: building an efficient ins...DevOps Fest 2020. Даніель Яворович. Data pipelines: building an efficient ins...
DevOps Fest 2020. Даніель Яворович. Data pipelines: building an efficient ins...DevOps_Fest
 
Using Embedded Linux for Infrastructure Systems
Using Embedded Linux for Infrastructure SystemsUsing Embedded Linux for Infrastructure Systems
Using Embedded Linux for Infrastructure SystemsYoshitake Kobayashi
 
Kernel Recipes 2015: Kernel packet capture technologies
Kernel Recipes 2015: Kernel packet capture technologiesKernel Recipes 2015: Kernel packet capture technologies
Kernel Recipes 2015: Kernel packet capture technologiesAnne Nicolas
 
FIWARE Global Summit - FogFlow, a new GE for IoT Edge Computing
FIWARE Global Summit - FogFlow, a new GE for IoT Edge ComputingFIWARE Global Summit - FogFlow, a new GE for IoT Edge Computing
FIWARE Global Summit - FogFlow, a new GE for IoT Edge ComputingFIWARE
 
Kernel Recipes 2014 - kGraft: Live Patching of the Linux Kernel
Kernel Recipes 2014 - kGraft: Live Patching of the Linux KernelKernel Recipes 2014 - kGraft: Live Patching of the Linux Kernel
Kernel Recipes 2014 - kGraft: Live Patching of the Linux KernelAnne Nicolas
 
Yusuf Haruna Docker internship slides
Yusuf Haruna Docker internship slidesYusuf Haruna Docker internship slides
Yusuf Haruna Docker internship slidesYusuf Haruna
 
Data Plane Evolution: Towards Openness and Flexibility
Data Plane Evolution: Towards Openness and FlexibilityData Plane Evolution: Towards Openness and Flexibility
Data Plane Evolution: Towards Openness and FlexibilityAPNIC
 
Chapter 7 security tools i
Chapter 7 security tools iChapter 7 security tools i
Chapter 7 security tools iSyaiful Ahdan
 
Generic network architecture discussion
Generic network architecture discussionGeneric network architecture discussion
Generic network architecture discussionARCFIRE ICT
 

Semelhante a Kernel Recipes 2013 - Nftables, what motivations and what solutions (20)

Kernel Recipes 2014 - What’s new in nftables?
Kernel Recipes 2014 - What’s new in nftables?Kernel Recipes 2014 - What’s new in nftables?
Kernel Recipes 2014 - What’s new in nftables?
 
In Network Computing Prototype Using P4 at KSC/KREONET 2019
In Network Computing Prototype Using P4 at KSC/KREONET 2019In Network Computing Prototype Using P4 at KSC/KREONET 2019
In Network Computing Prototype Using P4 at KSC/KREONET 2019
 
PASTE: A Network Programming Interface for Non-Volatile Main Memory
PASTE: A Network Programming Interface for Non-Volatile Main MemoryPASTE: A Network Programming Interface for Non-Volatile Main Memory
PASTE: A Network Programming Interface for Non-Volatile Main Memory
 
NFV features in kubernetes
NFV features in kubernetesNFV features in kubernetes
NFV features in kubernetes
 
P4+ONOS SRv6 tutorial.pptx
P4+ONOS SRv6 tutorial.pptxP4+ONOS SRv6 tutorial.pptx
P4+ONOS SRv6 tutorial.pptx
 
Introduction of eBPF - 時下最夯的Linux Technology
Introduction of eBPF - 時下最夯的Linux Technology Introduction of eBPF - 時下最夯的Linux Technology
Introduction of eBPF - 時下最夯的Linux Technology
 
Tutorial contributing to nf-core
Tutorial contributing to nf-coreTutorial contributing to nf-core
Tutorial contributing to nf-core
 
Enabling accelerated networking - seminar by Enea at the Embedded Conference ...
Enabling accelerated networking - seminar by Enea at the Embedded Conference ...Enabling accelerated networking - seminar by Enea at the Embedded Conference ...
Enabling accelerated networking - seminar by Enea at the Embedded Conference ...
 
Kernel Recipes 2017 - EBPF and XDP - Eric Leblond
Kernel Recipes 2017 - EBPF and XDP - Eric LeblondKernel Recipes 2017 - EBPF and XDP - Eric Leblond
Kernel Recipes 2017 - EBPF and XDP - Eric Leblond
 
DevOps Fest 2020. Даніель Яворович. Data pipelines: building an efficient ins...
DevOps Fest 2020. Даніель Яворович. Data pipelines: building an efficient ins...DevOps Fest 2020. Даніель Яворович. Data pipelines: building an efficient ins...
DevOps Fest 2020. Даніель Яворович. Data pipelines: building an efficient ins...
 
Using Embedded Linux for Infrastructure Systems
Using Embedded Linux for Infrastructure SystemsUsing Embedded Linux for Infrastructure Systems
Using Embedded Linux for Infrastructure Systems
 
Kernel Recipes 2015: Kernel packet capture technologies
Kernel Recipes 2015: Kernel packet capture technologiesKernel Recipes 2015: Kernel packet capture technologies
Kernel Recipes 2015: Kernel packet capture technologies
 
FIWARE Global Summit - FogFlow, a new GE for IoT Edge Computing
FIWARE Global Summit - FogFlow, a new GE for IoT Edge ComputingFIWARE Global Summit - FogFlow, a new GE for IoT Edge Computing
FIWARE Global Summit - FogFlow, a new GE for IoT Edge Computing
 
Kernel Recipes 2014 - kGraft: Live Patching of the Linux Kernel
Kernel Recipes 2014 - kGraft: Live Patching of the Linux KernelKernel Recipes 2014 - kGraft: Live Patching of the Linux Kernel
Kernel Recipes 2014 - kGraft: Live Patching of the Linux Kernel
 
Yusuf Haruna Docker internship slides
Yusuf Haruna Docker internship slidesYusuf Haruna Docker internship slides
Yusuf Haruna Docker internship slides
 
Data Plane Evolution: Towards Openness and Flexibility
Data Plane Evolution: Towards Openness and FlexibilityData Plane Evolution: Towards Openness and Flexibility
Data Plane Evolution: Towards Openness and Flexibility
 
nf-core usage tutorial
nf-core usage tutorialnf-core usage tutorial
nf-core usage tutorial
 
Enabling NFV features in kubernetes
Enabling NFV features in kubernetesEnabling NFV features in kubernetes
Enabling NFV features in kubernetes
 
Chapter 7 security tools i
Chapter 7 security tools iChapter 7 security tools i
Chapter 7 security tools i
 
Generic network architecture discussion
Generic network architecture discussionGeneric network architecture discussion
Generic network architecture discussion
 

Mais de Anne Nicolas

Kernel Recipes 2019 - Driving the industry toward upstream first
Kernel Recipes 2019 - Driving the industry toward upstream firstKernel Recipes 2019 - Driving the industry toward upstream first
Kernel Recipes 2019 - Driving the industry toward upstream firstAnne Nicolas
 
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMIKernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMIAnne Nicolas
 
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelKernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelAnne Nicolas
 
Kernel Recipes 2019 - Metrics are money
Kernel Recipes 2019 - Metrics are moneyKernel Recipes 2019 - Metrics are money
Kernel Recipes 2019 - Metrics are moneyAnne Nicolas
 
Kernel Recipes 2019 - Kernel documentation: past, present, and future
Kernel Recipes 2019 - Kernel documentation: past, present, and futureKernel Recipes 2019 - Kernel documentation: past, present, and future
Kernel Recipes 2019 - Kernel documentation: past, present, and futureAnne Nicolas
 
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...Anne Nicolas
 
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary dataKernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary dataAnne Nicolas
 
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...Anne Nicolas
 
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and BareboxEmbedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and BareboxAnne Nicolas
 
Embedded Recipes 2019 - Making embedded graphics less special
Embedded Recipes 2019 - Making embedded graphics less specialEmbedded Recipes 2019 - Making embedded graphics less special
Embedded Recipes 2019 - Making embedded graphics less specialAnne Nicolas
 
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre SiliconEmbedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre SiliconAnne Nicolas
 
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) pictureEmbedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) pictureAnne Nicolas
 
Embedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops wayEmbedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops wayAnne Nicolas
 
Embedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmakerEmbedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmakerAnne Nicolas
 
Embedded Recipes 2019 - LLVM / Clang integration
Embedded Recipes 2019 - LLVM / Clang integrationEmbedded Recipes 2019 - LLVM / Clang integration
Embedded Recipes 2019 - LLVM / Clang integrationAnne Nicolas
 
Embedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debuggingEmbedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debuggingAnne Nicolas
 
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimediaEmbedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimediaAnne Nicolas
 
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all startedKernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all startedAnne Nicolas
 
Kernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDPKernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDPAnne Nicolas
 
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)Anne Nicolas
 

Mais de Anne Nicolas (20)

Kernel Recipes 2019 - Driving the industry toward upstream first
Kernel Recipes 2019 - Driving the industry toward upstream firstKernel Recipes 2019 - Driving the industry toward upstream first
Kernel Recipes 2019 - Driving the industry toward upstream first
 
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMIKernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
 
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelKernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
 
Kernel Recipes 2019 - Metrics are money
Kernel Recipes 2019 - Metrics are moneyKernel Recipes 2019 - Metrics are money
Kernel Recipes 2019 - Metrics are money
 
Kernel Recipes 2019 - Kernel documentation: past, present, and future
Kernel Recipes 2019 - Kernel documentation: past, present, and futureKernel Recipes 2019 - Kernel documentation: past, present, and future
Kernel Recipes 2019 - Kernel documentation: past, present, and future
 
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
 
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary dataKernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
 
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
 
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and BareboxEmbedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
 
Embedded Recipes 2019 - Making embedded graphics less special
Embedded Recipes 2019 - Making embedded graphics less specialEmbedded Recipes 2019 - Making embedded graphics less special
Embedded Recipes 2019 - Making embedded graphics less special
 
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre SiliconEmbedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
 
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) pictureEmbedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
 
Embedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops wayEmbedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops way
 
Embedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmakerEmbedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmaker
 
Embedded Recipes 2019 - LLVM / Clang integration
Embedded Recipes 2019 - LLVM / Clang integrationEmbedded Recipes 2019 - LLVM / Clang integration
Embedded Recipes 2019 - LLVM / Clang integration
 
Embedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debuggingEmbedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debugging
 
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimediaEmbedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
 
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all startedKernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
 
Kernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDPKernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDP
 
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
 

Último

Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 

Último (20)

Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 

Kernel Recipes 2013 - Nftables, what motivations and what solutions

  • 1. nftables, far more than %s/ip/nf/g Éric Leblond Nefilter Coreteam September 24, 2013 Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 1 / 48
  • 2. 1 Introduction 2 Netfilter in 2013 3 Iptables limitations 4 Nftables, an Iptables replacement 5 Advantages of the approach 6 An updated user experience 7 Conclusion Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 2 / 48
  • 3. Éric Leblond Hacker and contractor Independant Open Source and Security consultant Started and developped NuFW, the authenticating firewall Core developer of Suricata IDS/IPS Netfilter Coreteam member Work on kernel-userspace interaction Kernel hacking ulogd2 maintainer Port of Openoffice firewall to Libreoffice Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 4 / 48
  • 4. History ipchains (1997) Linux 2.2 firewalling stateless Developped by Paul ’Rusty’ Russel iptables (2000) Linux 2.4 firewalling Stateful tracking and full NAT support in-extremis IPv6 support Netfilter project ’Rusty’ Russel developed iptables and funded Netfilter project Netfilter coreteam was created to consolidate the community Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 6 / 48
  • 5. Features Filtering and logging Filtering on protocol fields on internal state Packet mangling Change TOS Change TTL Set mark Connection tracking Stateful filtering Helper to support protocol like FTP Network Address Translation Destination Network Address Translation Source Network Address Translation Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 7 / 48
  • 6. Netfilter inside kernel Hooks Hooks at different points of network stack Verdict can be issued and skb can be modified To each hook correspond at least table Different families filter raw nat mangle Loading a module create the table Connection tracking tasks Maintain a hash table with known flows Detect dynamic connection opening for some protocols Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 8 / 48
  • 7. Major components Netfilter filtering In charge of accepting, blocking, transforming packets Configured by ioctl Connection tracking Analyse traffic and maintain flow table Cost in term of performance Increase security iptables Configuration tools Update ruleset inside kernel Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 9 / 48
  • 8. The nfnetlink (r)evolution Nfnetlink First major evolution of Netfilter (Linux 2.6.14, 2005) Netfilter dedicated configuration and message passing mechanism New interactions NFLOG: enhanced logging system NFQUEUE: improved userspace decision system NFCT: get information and update connection tracking entries Based on Netlink datagram-oriented messaging system passing messages from kernel to user-space and vice-versa Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 10 / 48
  • 9. Netlink Header format Payload format Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 11 / 48
  • 10. Components created following 2.6.14 conntrack-tools conntrackd connection tracking replication daemon provide high availability developped by Pablo Neira Ayuso conntrack: command line tool to update and query connection tracking ulogd2 logging daemon handle packets and connections logging Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 12 / 48
  • 11. Latest changes ipset Efficient set handling Address list or more complex set Reach vanilla kernel in 2011 (Linux 2.6.39) nfacct Efficient accounting system Appeared in 2012 Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 13 / 48
  • 12. Kernel code How much code 70000 LOC reside in kernelspace around 50000 LOC in user-space Iptables extensions 111 iptables extensions. Various tasks: tcp cluster bpf statistic Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 14 / 48
  • 13. Performance Adding a rule The problem Atomic replacement of ruleset Sent from kernel to userspace Modified and sent back by userspace Huge performance impact Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 16 / 48
  • 14. Dynamic ruleset Network gets dynamic Firewall can’t be static anymore Cloud IP reputation Combinatory explosion : one rule per-server and protocol Set handling Set handling is made via ipset Efficient but not as integrated as possible Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 17 / 48
  • 15. Code duplication Different filtering family Netfilter classic filtering Brigde filtering Arp filtering IPv4 and IPv6 Matches and target Similar code in numerous Netfilter module Nothing is shared Manual parsing Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 18 / 48
  • 16. Problem due to binary blob usage ABI breakage Binary exchange between userspace and kernel No modification possible without touching kernel Trusting userspace Kernel is parsing a binary blob Possible to break the internal parser Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 19 / 48
  • 17. Integration via exec Frontend and iptables No officially available library Frontend fork iptables command libiptables Available inside iptables sources Not a public library API and ABI breakage are not checked during version upgrade Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 20 / 48
  • 18. Lack of flexible table and chains configurations Module loading is the key Chains are created when module init Induce a performance cost even without rules No configuration is possible Chains are hardcoded FORWARD is created on a server Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 21 / 48
  • 19. Nftables A new filtering system Replace iptables and the filtering infrastructure No changes in Hooks Connection tracking Helpers A new language Based on a grammar Accessible from a library Netlink based communication Atomic modification Notification system Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 23 / 48
  • 20. History Introduced in 2008 Developped and presented by Patrick McHardy at NFWS2008 Presentation took 3 hours Alpha stage in 2008 Development did stop Patrick McHardy did not finish the code alone Nobody did join the effort Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 24 / 48
  • 21. Video Interlude The video http://www.youtube.com/watch?v=DQp1AI1p3f8 Video generation Video generated with gource Various git history have been merged File path has been prefixed with project name Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 25 / 48
  • 22. What explanations ? Should have "Release often release early" ? Started by Patrick McHardy only Almost complete work presented during NFWS 2008 Complex to enter the project Too early ? No user were demanding for that explicitly Ipset was available and fixing the set issue Solution for dynamic handling was sufficient Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 26 / 48
  • 23. Development restarted in 2012 Funding by Sophos/Astaro Pablo Neira Ayuso get funded by Astaro Work restart in 2012 Gaining momemtum Tomasz Bursztyka joined the development team Work on Connman Lack of libs was painful to him Start to hack on nftables Google summer of code 3 students Some good results Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 27 / 48
  • 24. A filtering based on a pseudo-state machine Inspired by BPF 4 registers 1 verdict A extensive instructions set Add Some Magic ? reg = pkt.payload[offset, len] reg = cmp(reg1, reg2, EQ) reg = pkt.meta(mark) reg = lookup(set, reg1) reg = ct(reg1, state) Easy creation of new matches reg1 = pkt.payload[offset_src_port, len] reg2 = pkt.payload[offset_dst_port, len] reg = cmp(reg1, reg2, EQ) Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 28 / 48
  • 25. Architecture Kernel Tables: declared by user and attached to hook User interface: nfnetlink socket ADD DELETE DUMP Userspace libmnl: low level netlink interaction libnftables: library handling low-level interaction with nftables Netlink’s API nftables: command line utility to maintain ruleset Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 29 / 48
  • 26. Dynamic chain loading Chain are created on-demand Chain are created via a specific netlink message Non-user chain are: Of a specific type Bound to a given hook Current chain type filter: filtering table route: old mangle table nat: network address translation table Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 30 / 48
  • 27. From userspace syntax to kernel Converting user input Operation is made via a netlink message The userspace syntax must be converted From a text message following a grammar To a binary Netlink message Linearize Tokenisation Parsing Evaluation Linearization Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 31 / 48
  • 28. From kernel to userspace syntax Kernel send netlink message It must be converted back to text Conversion Deliniearization Postprocessing Textify Example ip f i l t e r output 8 7 [ payload load 4b @ network header + 16 => reg 1 ] [ bitwise reg 1 = ( reg=1 & 0 x 0 0 f f f f f f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00500fd9 ] [ counter pkts 7 bytes 588 ] is translated to: ip daddr 217.15.80.0/24 counter packets 7 bytes 588 # handle 8 Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 32 / 48
  • 29. Kernel Atomic ruleset update atomically commit a set of rule-set updates incrementally based on a generation counter/mask 00 active in the present, will be active in the next generation. 01 active in the present, needs to zero its future, it becomes 00. 10 inactive in the present, delete now. xtables compatibility Possible to use old extensions Necessary to provide backward compatibility Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 33 / 48
  • 30. Notification Event based notification Each rule update trigger an event Event is sent to userspace via nfnetlink Userspace usage Implemented in libnftables Program can update his view on the ruleset without dump Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 34 / 48
  • 31. A limited in-kernel size A limited set of operators and instructions A state machine No code dedicated to each match One match on address use same code as a match on port New matchs are possible without kernel modification LOC count 50000 LOC in userspace only 7000 LOC in kernel-space Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 36 / 48
  • 32. Less kernel update Pseudo state machine instruction Current instructions cover need found in previous 10 years New instruction require very limited code Development in userspace A new match will not need a new kernel ICMPv6 implementation is a single userspace patch Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 37 / 48
  • 33. Example of ICMPv6 include/datatype.h | 2 ++ include/payload.h | 14 +++++++++++ src/parser.y | 33 +++++++++++++++++++++++++++--- src/payload.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++++ src/scanner.l | 4 ++ 5 files changed, 109 insertions(+), 3 deletions(-) Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 38 / 48
  • 34. Example of ICMPv6 static const struct datatype icmp6_type_type = { . type = TYPE_ICMP6_TYPE, .name = " icmpv6_type " , . desc = "ICMPv6 type " , . byteorder = BYTEORDER_BIG_ENDIAN, . size = BITS_PER_BYTE, . basetype = &integer_type , . sym_tbl = &icmp6_type_tbl , } ; #define ICMP6HDR_FIELD(__name , __member) HDR_FIELD(__name , struct icmp6_hdr , __member) #define ICMP6HDR_TYPE(__name , __type , __member) HDR_TYPE(__name , __type , struct icmp6_hdr , __member) const struct payload_desc payload_icmp6 = { .name = " icmpv6 " , . base = PAYLOAD_BASE_TRANSPORT_HDR, . templates = { [ICMP6HDR_TYPE] = ICMP6HDR_TYPE( " type " , &icmp6_type_type , icmp6_type ) , [ICMP6HDR_CODE] = ICMP6HDR_FIELD( " code " , icmp6_code ) , [ICMP6HDR_CHECKSUM] = ICMP6HDR_FIELD( " checksum " , icmp6_cksum ) , [ICMP6HDR_PPTR] = ICMP6HDR_FIELD( " parameter−problem " , icmp6_pptr ) , [ICMP6HDR_MTU] = ICMP6HDR_FIELD( " packet−too−big " , icmp6_mtu ) , [ICMP6HDR_ID] = ICMP6HDR_FIELD( " id " , icmp6_id ) , [ICMP6HDR_SEQ] = ICMP6HDR_FIELD( " sequence " , icmp6_seq ) , [ICMP6HDR_MAXDELAY] = ICMP6HDR_FIELD( "max−delay " , icmp6_maxdelay ) , } , } ; Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 39 / 48
  • 35. Basic utilisation File mode nft -f ipv4-filter Command line mode nft add rule ip f i l t e r input tcp dport 80 drop nft l i s t table f i l t e r −a nft delete rule f i l t e r output handle 10 CLI mode # nft −i nft > l i s t table < c l i >:1:12 −12: Error : syntax error , unexpected end of f i l e , expecting s t r i l i s t table ^ nft > l i s t table f i l t e r table f i l t e r { chain input { ip saddr 1.2.3.4 counter packets 8 bytes 273 Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 41 / 48
  • 36. Set handling Interests of sets One single rule evaluation Simple and readable ruleset Evolution handling Anonymous set nft add rule ip global f i l t e r ip daddr {192.168.0.0/24 , 192.168.1.4} tcp dport {22 , 443} accept Named set nft add set global ipv4_ad { type ipv4_address ; } nft add element global ipv4_ad { 192.168.1.4 , 192.168.1.5} nft delete element global ipv4_ad { 192.168.1.5} nft add rule ip global f i l t e r ip saddr @ipv4_ad drop Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 42 / 48
  • 37. Mapping Principle and interest Associative mapping linking two notions A match on the key trigger the use of the value Using addresses, interfaces, verdicts Examples Anonymous mapping: # nft add rule f i l t e r output ip daddr vmap {192.168.0.0/24 => drop , 192.168.0.1 => accept } Named mapping: # nft −i nft > add map f i l t e r verdict_map { type ipv4_address => v e r d i c t ; } nft > add element f i l t e r verdict_map { 1.2.3.5 => drop } nft > add rule f i l t e r output ip daddr vmap @verdict_map Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 43 / 48
  • 38. Usage example set web_servers { type ipv4_address elements = { 192.168.1.15 , 192.168.1.5} } map admin_map { type ipv4_address => v e r d i c t elements = { 192.168.0.44 => jump logmetender , 192.168.0.42 => jump logmetrue , 192.168.0.33 => accept } } chain forward { ct state established accept ip daddr @web_servers tcp dport ssh ip saddr map @admin_map ip daddr @web_servers tcp dport http log accept ip daddr @web_servers tcp dport https accept counter log drop } chain logmetender { log l i m i t 10/ minute accept } chain logmetrue { counter log accept } } Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 44 / 48
  • 39. Transition and evolution A complete iptables compatibility iptables-nftables Binary compatible with iptables Using nftables framework Same kernel can be used with two systems A progressive update A high level library To be used by frontends Or by network manager systems Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 45 / 48
  • 40. Conclusion A huge evolution Solving iptables problem An answer to new usages Set handling Complex matches Availability for end 2013, beginning 2014 Finalizing iptables compatibility High level library Debug and some functionalities Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 47 / 48
  • 41. Questions ? Do you have questions ? Thanks to Netfilter team Astaro/Sophos for financing the development Google for GSoC 2013 More information Netfilter : http://www.netfilter.org Nftables quick & dirty : https://t.co/cM4zogob8t Contact me Mail: eric@regit.org Twitter: @Regiteric Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 48 / 48