SlideShare a Scribd company logo
1 of 34
by Jesper Dangaard Brouer  <jdb@comx.dk> Master of Computer Science ComX Networks A/S OpenSourceDays 2008 d.4/10-2008 ComX Networks A/S
Who am I ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Presentation overview ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
ComX Networks A/S ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Physical surroundings ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
The Linux box ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Issues and limitations ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Overview ,[object Object],[object Object],[object Object],[object Object],[object Object]
Issue: Bad route performance ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Existing solutions ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
The categorization tasks ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Solution: SubnetSkeleton ,[object Object],[object Object],[object Object]
SubnetSkeleton: Algorithm ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],10.1.2.3 10 .0.0.0/8 10.1.2 .0/24 10.1 .0.0/16
SubnetSkeleton: CIDR partitioning ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
SubnetSkeleton: iptables ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Perl - IPTables::SubnetSkeleton #!/usr/bin/perl use  IPTables::SubnetSkeleton ; my @CIDR = (8, 16, 24);  # prefix list my $name  = &quot;bw&quot;;   # Shortname for bandwidth my $table = &quot; mangle &quot;;  # Use “mangle” table my $subnet_src = IPTables::SubnetSkeleton::new(&quot;$name&quot;, &quot; src &quot;, $table, @CIDR); # Connect subnet skeleton to build-in chain &quot;FORWARD&quot; $subnet_src->connect_to(&quot;FORWARD&quot;); # Insert IP's to match into the tree $subnet_src->insert_element(&quot;10.2.11.33&quot;, &quot; userchain1 &quot;); $subnet_src->insert_element(&quot;10.2.10.66&quot;, &quot; userchain2 &quot;); $subnet_src->insert_element(&quot;10.1.2.42&quot;,  &quot; userchain3 &quot;); $subnet_src->insert_element(&quot;10.1.3.123&quot;, &quot; userchain3 &quot;); # Remember to commit the ruleset to kernel $subnet_src->iptables_commit();
Full routing performance achieved ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Back to subject: Slow ruleset changes
Issue: iptables command slow ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Take advantage of libiptc ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Perl - IPTables::libiptc ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Next scalability issue: Chain lookup ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Chains lookup: Solution ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Chain index: Array Chain list: linked list, sorted by chain name Mainline:  iptables ver.1.4.1 , git:2008-01-15 0 1 2 3 B D F H J L N C E O M K I G
Chain index: Insert chain ,[object Object],[object Object],[object Object],[object Object],Chain index: Array Chain list: linked list, sorted by chain name ,[object Object],0 1 2 3 B D F H J L N P C E A
Chain index: Delete chain ,[object Object],[object Object],[object Object],[object Object],[object Object],Chain index: Array Chain list: linked list, sorted by chain name Rebuild array 0 1 2 3 B D F H J L N C E O M K I G
Solving: Initial ruleset parsing ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],mainline:  iptables ver.1.4.2-rc1 , git: 2008-07-03
Summary: Load time ,[object Object],[object Object],[object Object],[object Object],Machine with the most customers, has in filter table Chains: 9827 Rules:36532
Summary: Open Source ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Summary: Goal reached? ,[object Object],[object Object],[object Object],[object Object],[object Object]
The End ,[object Object],[object Object],81.161.128/0/18 195.135.216.0/22 87.72.0.0/16 82.211.224.0/19
Extra slides ,[object Object],[object Object],[object Object]
Route cache perf ,[object Object],[object Object],[object Object]
CPU util softirq ,[object Object],[object Object],[object Object]
More libiptc stats ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
BSD pf firewalling ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

More Related Content

What's hot

OpenWrt From Top to Bottom
OpenWrt From Top to BottomOpenWrt From Top to Bottom
OpenWrt From Top to BottomKernel TLV
 
The TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux KernelThe TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux KernelDivye Kapoor
 
Fun with Network Interfaces
Fun with Network InterfacesFun with Network Interfaces
Fun with Network InterfacesKernel TLV
 
Simple Network Management Protocol
Simple Network Management ProtocolSimple Network Management Protocol
Simple Network Management ProtocolPrasenjit Gayen
 
Module 3: NETCONF and YANG Concepts
Module 3: NETCONF and YANG ConceptsModule 3: NETCONF and YANG Concepts
Module 3: NETCONF and YANG ConceptsTail-f Systems
 
Porting a new architecture (NDS32) to open wrt project
Porting a new architecture (NDS32) to open wrt projectPorting a new architecture (NDS32) to open wrt project
Porting a new architecture (NDS32) to open wrt projectMacpaul Lin
 
Linux Serial Driver
Linux Serial DriverLinux Serial Driver
Linux Serial Driver艾鍗科技
 
netfilter and iptables
netfilter and iptablesnetfilter and iptables
netfilter and iptablesKernel TLV
 
LinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking WalkthroughLinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking WalkthroughThomas Graf
 
Understanding DPDK algorithmics
Understanding DPDK algorithmicsUnderstanding DPDK algorithmics
Understanding DPDK algorithmicsDenys Haryachyy
 
Linux Ethernet device driver
Linux Ethernet device driverLinux Ethernet device driver
Linux Ethernet device driver艾鍗科技
 
EBPF and Linux Networking
EBPF and Linux NetworkingEBPF and Linux Networking
EBPF and Linux NetworkingPLUMgrid
 

What's hot (20)

Dpdk performance
Dpdk performanceDpdk performance
Dpdk performance
 
OSPF by Abdullah Mukhtar
OSPF by Abdullah MukhtarOSPF by Abdullah Mukhtar
OSPF by Abdullah Mukhtar
 
Network Monitoring Tools
Network Monitoring ToolsNetwork Monitoring Tools
Network Monitoring Tools
 
DPDK In Depth
DPDK In DepthDPDK In Depth
DPDK In Depth
 
Hands-on ethernet driver
Hands-on ethernet driverHands-on ethernet driver
Hands-on ethernet driver
 
OpenWrt From Top to Bottom
OpenWrt From Top to BottomOpenWrt From Top to Bottom
OpenWrt From Top to Bottom
 
The TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux KernelThe TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux Kernel
 
Network Drivers
Network DriversNetwork Drivers
Network Drivers
 
Fun with Network Interfaces
Fun with Network InterfacesFun with Network Interfaces
Fun with Network Interfaces
 
Simple Network Management Protocol
Simple Network Management ProtocolSimple Network Management Protocol
Simple Network Management Protocol
 
Module 3: NETCONF and YANG Concepts
Module 3: NETCONF and YANG ConceptsModule 3: NETCONF and YANG Concepts
Module 3: NETCONF and YANG Concepts
 
Porting a new architecture (NDS32) to open wrt project
Porting a new architecture (NDS32) to open wrt projectPorting a new architecture (NDS32) to open wrt project
Porting a new architecture (NDS32) to open wrt project
 
Linux Serial Driver
Linux Serial DriverLinux Serial Driver
Linux Serial Driver
 
netfilter and iptables
netfilter and iptablesnetfilter and iptables
netfilter and iptables
 
LinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking WalkthroughLinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking Walkthrough
 
Understanding DPDK algorithmics
Understanding DPDK algorithmicsUnderstanding DPDK algorithmics
Understanding DPDK algorithmics
 
Linux Ethernet device driver
Linux Ethernet device driverLinux Ethernet device driver
Linux Ethernet device driver
 
EBPF and Linux Networking
EBPF and Linux NetworkingEBPF and Linux Networking
EBPF and Linux Networking
 
Shell scripting
Shell scriptingShell scripting
Shell scripting
 
Character Drivers
Character DriversCharacter Drivers
Character Drivers
 

Viewers also liked

Packet Filtering Using Iptables
Packet Filtering Using IptablesPacket Filtering Using Iptables
Packet Filtering Using IptablesAhmed Mekkawy
 
Open vSwitch - Stateful Connection Tracking & Stateful NAT
Open vSwitch - Stateful Connection Tracking & Stateful NATOpen vSwitch - Stateful Connection Tracking & Stateful NAT
Open vSwitch - Stateful Connection Tracking & Stateful NATThomas Graf
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPCilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPThomas Graf
 
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)Thomas Graf
 
The 100 - {dive} : event
The 100 - {dive} : eventThe 100 - {dive} : event
The 100 - {dive} : eventIRT b-com
 
TRex Traffic Generator - Hanoch Haim
TRex Traffic Generator - Hanoch HaimTRex Traffic Generator - Hanoch Haim
TRex Traffic Generator - Hanoch Haimharryvanhaaren
 
Red Hat demo of OpenStack and ODL at ODL summit 2016
Red Hat demo of OpenStack and ODL at ODL summit 2016 Red Hat demo of OpenStack and ODL at ODL summit 2016
Red Hat demo of OpenStack and ODL at ODL summit 2016 RedHatTelco
 
nftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewallnftables - the evolution of Linux Firewall
nftables - the evolution of Linux FirewallMarian Marinov
 
Pipework: Software-Defined Network for Containers and Docker
Pipework: Software-Defined Network for Containers and DockerPipework: Software-Defined Network for Containers and Docker
Pipework: Software-Defined Network for Containers and DockerJérôme Petazzoni
 
LinuxCon 2015 Stateful NAT with OVS
LinuxCon 2015 Stateful NAT with OVSLinuxCon 2015 Stateful NAT with OVS
LinuxCon 2015 Stateful NAT with OVSThomas Graf
 
2015 FOSDEM - OVS Stateful Services
2015 FOSDEM - OVS Stateful Services2015 FOSDEM - OVS Stateful Services
2015 FOSDEM - OVS Stateful ServicesThomas Graf
 
Iptables Configuration
Iptables ConfigurationIptables Configuration
Iptables Configurationstom123
 

Viewers also liked (20)

NOS Comparison
NOS ComparisonNOS Comparison
NOS Comparison
 
IP Tables Getting Started - Part 2
IP Tables Getting Started - Part 2IP Tables Getting Started - Part 2
IP Tables Getting Started - Part 2
 
IP Tables Primer - Part 1
IP Tables Primer - Part 1IP Tables Primer - Part 1
IP Tables Primer - Part 1
 
IPTables Primer - Part 2
IPTables Primer - Part 2IPTables Primer - Part 2
IPTables Primer - Part 2
 
Packet Filtering Using Iptables
Packet Filtering Using IptablesPacket Filtering Using Iptables
Packet Filtering Using Iptables
 
Iptables
IptablesIptables
Iptables
 
Open vSwitch - Stateful Connection Tracking & Stateful NAT
Open vSwitch - Stateful Connection Tracking & Stateful NATOpen vSwitch - Stateful Connection Tracking & Stateful NAT
Open vSwitch - Stateful Connection Tracking & Stateful NAT
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPCilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDP
 
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
 
The 100 - {dive} : event
The 100 - {dive} : eventThe 100 - {dive} : event
The 100 - {dive} : event
 
TRex Traffic Generator - Hanoch Haim
TRex Traffic Generator - Hanoch HaimTRex Traffic Generator - Hanoch Haim
TRex Traffic Generator - Hanoch Haim
 
Red Hat demo of OpenStack and ODL at ODL summit 2016
Red Hat demo of OpenStack and ODL at ODL summit 2016 Red Hat demo of OpenStack and ODL at ODL summit 2016
Red Hat demo of OpenStack and ODL at ODL summit 2016
 
nftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewallnftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewall
 
Pipework: Software-Defined Network for Containers and Docker
Pipework: Software-Defined Network for Containers and DockerPipework: Software-Defined Network for Containers and Docker
Pipework: Software-Defined Network for Containers and Docker
 
LinuxCon 2015 Stateful NAT with OVS
LinuxCon 2015 Stateful NAT with OVSLinuxCon 2015 Stateful NAT with OVS
LinuxCon 2015 Stateful NAT with OVS
 
2015 FOSDEM - OVS Stateful Services
2015 FOSDEM - OVS Stateful Services2015 FOSDEM - OVS Stateful Services
2015 FOSDEM - OVS Stateful Services
 
Iptables in linux
Iptables in linuxIptables in linux
Iptables in linux
 
IP Address
IP AddressIP Address
IP Address
 
Iptables Configuration
Iptables ConfigurationIptables Configuration
Iptables Configuration
 
Vagrant
VagrantVagrant
Vagrant
 

Similar to Danish ISP scales iptables firewall to thousands of customers using optimized rule processing and traffic categorization

Nad710 Network Address Translation
Nad710   Network Address TranslationNad710   Network Address Translation
Nad710 Network Address Translationtmavroidis
 
Ecet 375 Enhance teaching / snaptutorial.com
Ecet 375  Enhance teaching / snaptutorial.comEcet 375  Enhance teaching / snaptutorial.com
Ecet 375 Enhance teaching / snaptutorial.comDavis117a
 
Ecet 375 Education Redefined - snaptutorial.com
Ecet 375     Education Redefined - snaptutorial.comEcet 375     Education Redefined - snaptutorial.com
Ecet 375 Education Redefined - snaptutorial.comDavisMurphyC86
 
Ecet 375 Education Specialist-snaptutorial.com
Ecet 375 Education Specialist-snaptutorial.comEcet 375 Education Specialist-snaptutorial.com
Ecet 375 Education Specialist-snaptutorial.comrobertlesew62
 
ECET 375 Invent Yourself/newtonhelp.com
ECET 375 Invent Yourself/newtonhelp.comECET 375 Invent Yourself/newtonhelp.com
ECET 375 Invent Yourself/newtonhelp.comlechenau125
 
ECET 375 Effective Communication/tutorialrank.com
 ECET 375 Effective Communication/tutorialrank.com ECET 375 Effective Communication/tutorialrank.com
ECET 375 Effective Communication/tutorialrank.comjonhson203
 
ECET 375 Success Begins/Newtonhelp.com
ECET 375 Success Begins/Newtonhelp.comECET 375 Success Begins/Newtonhelp.com
ECET 375 Success Begins/Newtonhelp.comledlang1
 
NWI FOR OLATUNDE ISMAILA (G10B)
NWI FOR OLATUNDE ISMAILA (G10B)NWI FOR OLATUNDE ISMAILA (G10B)
NWI FOR OLATUNDE ISMAILA (G10B)olatunde ismaila
 
The Network Ip Address Scheme
The Network Ip Address SchemeThe Network Ip Address Scheme
The Network Ip Address SchemeErin Rivera
 
Introduction to tcp ip linux networking
Introduction to tcp ip   linux networkingIntroduction to tcp ip   linux networking
Introduction to tcp ip linux networkingSreenatha Reddy K R
 
Low latency in java 8 v5
Low latency in java 8 v5Low latency in java 8 v5
Low latency in java 8 v5Peter Lawrey
 
Tutorial mikrotik step by step anung muhandanu
Tutorial mikrotik step by step  anung muhandanu Tutorial mikrotik step by step  anung muhandanu
Tutorial mikrotik step by step anung muhandanu Alessandro De Suoodh
 
Ecet 375 Massive Success / snaptutorial.com
Ecet 375 Massive Success / snaptutorial.comEcet 375 Massive Success / snaptutorial.com
Ecet 375 Massive Success / snaptutorial.comHarrisGeorgx
 
[Ccna] subnetting & vlsm
[Ccna] subnetting & vlsm[Ccna] subnetting & vlsm
[Ccna] subnetting & vlsm1 2d
 
iptables 101- bottom-up
iptables 101- bottom-upiptables 101- bottom-up
iptables 101- bottom-upHungWei Chiu
 

Similar to Danish ISP scales iptables firewall to thousands of customers using optimized rule processing and traffic categorization (20)

Nad710 Network Address Translation
Nad710   Network Address TranslationNad710   Network Address Translation
Nad710 Network Address Translation
 
Ecet 375 Enhance teaching / snaptutorial.com
Ecet 375  Enhance teaching / snaptutorial.comEcet 375  Enhance teaching / snaptutorial.com
Ecet 375 Enhance teaching / snaptutorial.com
 
Ecet 375 Education Redefined - snaptutorial.com
Ecet 375     Education Redefined - snaptutorial.comEcet 375     Education Redefined - snaptutorial.com
Ecet 375 Education Redefined - snaptutorial.com
 
Ecet 375 Education Specialist-snaptutorial.com
Ecet 375 Education Specialist-snaptutorial.comEcet 375 Education Specialist-snaptutorial.com
Ecet 375 Education Specialist-snaptutorial.com
 
ECET 375 Invent Yourself/newtonhelp.com
ECET 375 Invent Yourself/newtonhelp.comECET 375 Invent Yourself/newtonhelp.com
ECET 375 Invent Yourself/newtonhelp.com
 
ECET 375 Effective Communication/tutorialrank.com
 ECET 375 Effective Communication/tutorialrank.com ECET 375 Effective Communication/tutorialrank.com
ECET 375 Effective Communication/tutorialrank.com
 
ECET 375 Success Begins/Newtonhelp.com
ECET 375 Success Begins/Newtonhelp.comECET 375 Success Begins/Newtonhelp.com
ECET 375 Success Begins/Newtonhelp.com
 
NWI FOR OLATUNDE ISMAILA (G10B)
NWI FOR OLATUNDE ISMAILA (G10B)NWI FOR OLATUNDE ISMAILA (G10B)
NWI FOR OLATUNDE ISMAILA (G10B)
 
The Network Ip Address Scheme
The Network Ip Address SchemeThe Network Ip Address Scheme
The Network Ip Address Scheme
 
Tutorial mikrotik step by step
Tutorial mikrotik step by stepTutorial mikrotik step by step
Tutorial mikrotik step by step
 
Introduction to tcp ip linux networking
Introduction to tcp ip   linux networkingIntroduction to tcp ip   linux networking
Introduction to tcp ip linux networking
 
Low latency in java 8 v5
Low latency in java 8 v5Low latency in java 8 v5
Low latency in java 8 v5
 
IPv4 Addressing
 IPv4 Addressing   IPv4 Addressing
IPv4 Addressing
 
Firewall
FirewallFirewall
Firewall
 
Tutorial mikrotik step by step anung muhandanu
Tutorial mikrotik step by step  anung muhandanu Tutorial mikrotik step by step  anung muhandanu
Tutorial mikrotik step by step anung muhandanu
 
Ecet 375 Massive Success / snaptutorial.com
Ecet 375 Massive Success / snaptutorial.comEcet 375 Massive Success / snaptutorial.com
Ecet 375 Massive Success / snaptutorial.com
 
[Ccna] subnetting & vlsm
[Ccna] subnetting & vlsm[Ccna] subnetting & vlsm
[Ccna] subnetting & vlsm
 
iptables 101- bottom-up
iptables 101- bottom-upiptables 101- bottom-up
iptables 101- bottom-up
 
200-301-demo.pdf
200-301-demo.pdf200-301-demo.pdf
200-301-demo.pdf
 
Cisco 200-301 Exam Dumps
Cisco 200-301 Exam DumpsCisco 200-301 Exam Dumps
Cisco 200-301 Exam Dumps
 

Recently uploaded

WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 

Recently uploaded (20)

WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 

Danish ISP scales iptables firewall to thousands of customers using optimized rule processing and traffic categorization

  • 1. by Jesper Dangaard Brouer <jdb@comx.dk> Master of Computer Science ComX Networks A/S OpenSourceDays 2008 d.4/10-2008 ComX Networks A/S
  • 2.
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.
  • 8.
  • 9.
  • 10.
  • 11.
  • 12.
  • 13.
  • 14.
  • 15.
  • 16. Perl - IPTables::SubnetSkeleton #!/usr/bin/perl use IPTables::SubnetSkeleton ; my @CIDR = (8, 16, 24); # prefix list my $name = &quot;bw&quot;; # Shortname for bandwidth my $table = &quot; mangle &quot;; # Use “mangle” table my $subnet_src = IPTables::SubnetSkeleton::new(&quot;$name&quot;, &quot; src &quot;, $table, @CIDR); # Connect subnet skeleton to build-in chain &quot;FORWARD&quot; $subnet_src->connect_to(&quot;FORWARD&quot;); # Insert IP's to match into the tree $subnet_src->insert_element(&quot;10.2.11.33&quot;, &quot; userchain1 &quot;); $subnet_src->insert_element(&quot;10.2.10.66&quot;, &quot; userchain2 &quot;); $subnet_src->insert_element(&quot;10.1.2.42&quot;, &quot; userchain3 &quot;); $subnet_src->insert_element(&quot;10.1.3.123&quot;, &quot; userchain3 &quot;); # Remember to commit the ruleset to kernel $subnet_src->iptables_commit();
  • 17.
  • 18.
  • 19.
  • 20.
  • 21.
  • 22.
  • 23.
  • 24.
  • 25.
  • 26.
  • 27.
  • 28.
  • 29.
  • 30.
  • 31.
  • 32.
  • 33.
  • 34.

Editor's Notes

  1. TALK: First I&apos;ll focus on the routing performance issue I&apos;ll come back to slow rule changes later
  2. (To solve the routing performance issue, I had to: Make traffic categorizing scale!) (reducing the lookup time from O(n) to O(log(n)))
  3. (named skip-list search infrastructure by Thomas Jacob &lt;jacob@internet24.de&gt;) (In mainline, iptables version 1.4.1, git:2008-01-15) The runtime complexity is actually also affected by this &amp;quot;bucket&amp;quot; size concept. Thus, O(log(n/k) + k) where k is CHAIN_INDEX_BUCKET_LEN.
  4. (In mainline: iptables ver.1.4.2-rc1, git: 2008-07-03)