SlideShare a Scribd company logo

Kernel Recipes 2013 - Nftables, what motivations and what solutions

Anne Nicolas
Anne Nicolas

Iptables and Netfilter were introduced in 2001 along with Linux 2.4 as the full layer for firewall. The functionalities and the codes changed quite a lot during this decade, but nothing like what has been done with nftables. The motivation for this change is to overcome the limitations of iptables that was beginning to date both foncionnal level and in the code design: problem with the system update rules (very expensive when the number of rules increases which has become a problem to manage not static rules), code duplication, problematic for code maintenance and users. Nftables is a replacement for iptables that has been developed since 2008 by Patri ck McHardy who is the head of the Netfilter project. After a period of sleep, the developments around the project resumed in 2012 and a team of developers was formed and is working on the project. Nftables solves the problem of updates performance using a communication message between the kernel and user space. Infrastructure Netlink was used because it is the basis of the latest major Netfilter developments. The most notable changes: incremental update and atomic rules guaranteeing the performance and consistency of the set of rules expression of the rules using a pseudo machine for avoiding complex operations of writing core modules and additional extensions Nftables exceeds the limitations of iptables and brings news that should resolve elegant and efficient way many problems. The work is already significant and only the high-level library has not yet been developed. Given the remaining work, the first official release is planned for late 2013.

1 of 41
Download to read offline
nftables, far more than %s/ip/nf/g Éric Leblond Nefilter Coreteam September 24, 2013 Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 1 / 48
1 Introduction 2 Netfilter in 2013 3 Iptables limitations 4 Nftables, an Iptables replacement 5 Advantages of the approach 6 An updated user experience 7 Conclusion Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 2 / 48
Éric Leblond Hacker and contractor Independant Open Source and Security consultant Started and developped NuFW, the authenticating firewall Core developer of Suricata IDS/IPS Netfilter Coreteam member Work on kernel-userspace interaction Kernel hacking ulogd2 maintainer Port of Openoffice firewall to Libreoffice Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 4 / 48
History ipchains (1997) Linux 2.2 firewalling stateless Developped by Paul ’Rusty’ Russel iptables (2000) Linux 2.4 firewalling Stateful tracking and full NAT support in-extremis IPv6 support Netfilter project ’Rusty’ Russel developed iptables and funded Netfilter project Netfilter coreteam was created to consolidate the community Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 6 / 48
Features Filtering and logging Filtering on protocol fields on internal state Packet mangling Change TOS Change TTL Set mark Connection tracking Stateful filtering Helper to support protocol like FTP Network Address Translation Destination Network Address Translation Source Network Address Translation Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 7 / 48
Netfilter inside kernel Hooks Hooks at different points of network stack Verdict can be issued and skb can be modified To each hook correspond at least table Different families filter raw nat mangle Loading a module create the table Connection tracking tasks Maintain a hash table with known flows Detect dynamic connection opening for some protocols Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 8 / 48
Major components Netfilter filtering In charge of accepting, blocking, transforming packets Configured by ioctl Connection tracking Analyse traffic and maintain flow table Cost in term of performance Increase security iptables Configuration tools Update ruleset inside kernel Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 9 / 48
The nfnetlink (r)evolution Nfnetlink First major evolution of Netfilter (Linux 2.6.14, 2005) Netfilter dedicated configuration and message passing mechanism New interactions NFLOG: enhanced logging system NFQUEUE: improved userspace decision system NFCT: get information and update connection tracking entries Based on Netlink datagram-oriented messaging system passing messages from kernel to user-space and vice-versa Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 10 / 48
Netlink Header format Payload format Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 11 / 48
Components created following 2.6.14 conntrack-tools conntrackd connection tracking replication daemon provide high availability developped by Pablo Neira Ayuso conntrack: command line tool to update and query connection tracking ulogd2 logging daemon handle packets and connections logging Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 12 / 48
Latest changes ipset Efficient set handling Address list or more complex set Reach vanilla kernel in 2011 (Linux 2.6.39) nfacct Efficient accounting system Appeared in 2012 Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 13 / 48
Kernel code How much code 70000 LOC reside in kernelspace around 50000 LOC in user-space Iptables extensions 111 iptables extensions. Various tasks: tcp cluster bpf statistic Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 14 / 48
Performance Adding a rule The problem Atomic replacement of ruleset Sent from kernel to userspace Modified and sent back by userspace Huge performance impact Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 16 / 48
Dynamic ruleset Network gets dynamic Firewall can’t be static anymore Cloud IP reputation Combinatory explosion : one rule per-server and protocol Set handling Set handling is made via ipset Efficient but not as integrated as possible Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 17 / 48
Code duplication Different filtering family Netfilter classic filtering Brigde filtering Arp filtering IPv4 and IPv6 Matches and target Similar code in numerous Netfilter module Nothing is shared Manual parsing Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 18 / 48
Problem due to binary blob usage ABI breakage Binary exchange between userspace and kernel No modification possible without touching kernel Trusting userspace Kernel is parsing a binary blob Possible to break the internal parser Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 19 / 48
Integration via exec Frontend and iptables No officially available library Frontend fork iptables command libiptables Available inside iptables sources Not a public library API and ABI breakage are not checked during version upgrade Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 20 / 48
Lack of flexible table and chains configurations Module loading is the key Chains are created when module init Induce a performance cost even without rules No configuration is possible Chains are hardcoded FORWARD is created on a server Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 21 / 48
Nftables A new filtering system Replace iptables and the filtering infrastructure No changes in Hooks Connection tracking Helpers A new language Based on a grammar Accessible from a library Netlink based communication Atomic modification Notification system Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 23 / 48
History Introduced in 2008 Developped and presented by Patrick McHardy at NFWS2008 Presentation took 3 hours Alpha stage in 2008 Development did stop Patrick McHardy did not finish the code alone Nobody did join the effort Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 24 / 48
Video Interlude The video http://www.youtube.com/watch?v=DQp1AI1p3f8 Video generation Video generated with gource Various git history have been merged File path has been prefixed with project name Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 25 / 48
What explanations ? Should have "Release often release early" ? Started by Patrick McHardy only Almost complete work presented during NFWS 2008 Complex to enter the project Too early ? No user were demanding for that explicitly Ipset was available and fixing the set issue Solution for dynamic handling was sufficient Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 26 / 48
Development restarted in 2012 Funding by Sophos/Astaro Pablo Neira Ayuso get funded by Astaro Work restart in 2012 Gaining momemtum Tomasz Bursztyka joined the development team Work on Connman Lack of libs was painful to him Start to hack on nftables Google summer of code 3 students Some good results Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 27 / 48
A filtering based on a pseudo-state machine Inspired by BPF 4 registers 1 verdict A extensive instructions set Add Some Magic ? reg = pkt.payload[offset, len] reg = cmp(reg1, reg2, EQ) reg = pkt.meta(mark) reg = lookup(set, reg1) reg = ct(reg1, state) Easy creation of new matches reg1 = pkt.payload[offset_src_port, len] reg2 = pkt.payload[offset_dst_port, len] reg = cmp(reg1, reg2, EQ) Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 28 / 48
Architecture Kernel Tables: declared by user and attached to hook User interface: nfnetlink socket ADD DELETE DUMP Userspace libmnl: low level netlink interaction libnftables: library handling low-level interaction with nftables Netlink’s API nftables: command line utility to maintain ruleset Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 29 / 48
Dynamic chain loading Chain are created on-demand Chain are created via a specific netlink message Non-user chain are: Of a specific type Bound to a given hook Current chain type filter: filtering table route: old mangle table nat: network address translation table Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 30 / 48
From userspace syntax to kernel Converting user input Operation is made via a netlink message The userspace syntax must be converted From a text message following a grammar To a binary Netlink message Linearize Tokenisation Parsing Evaluation Linearization Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 31 / 48
From kernel to userspace syntax Kernel send netlink message It must be converted back to text Conversion Deliniearization Postprocessing Textify Example ip f i l t e r output 8 7 [ payload load 4b @ network header + 16 => reg 1 ] [ bitwise reg 1 = ( reg=1 & 0 x 0 0 f f f f f f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00500fd9 ] [ counter pkts 7 bytes 588 ] is translated to: ip daddr 217.15.80.0/24 counter packets 7 bytes 588 # handle 8 Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 32 / 48
Kernel Atomic ruleset update atomically commit a set of rule-set updates incrementally based on a generation counter/mask 00 active in the present, will be active in the next generation. 01 active in the present, needs to zero its future, it becomes 00. 10 inactive in the present, delete now. xtables compatibility Possible to use old extensions Necessary to provide backward compatibility Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 33 / 48
Notification Event based notification Each rule update trigger an event Event is sent to userspace via nfnetlink Userspace usage Implemented in libnftables Program can update his view on the ruleset without dump Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 34 / 48
A limited in-kernel size A limited set of operators and instructions A state machine No code dedicated to each match One match on address use same code as a match on port New matchs are possible without kernel modification LOC count 50000 LOC in userspace only 7000 LOC in kernel-space Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 36 / 48
Less kernel update Pseudo state machine instruction Current instructions cover need found in previous 10 years New instruction require very limited code Development in userspace A new match will not need a new kernel ICMPv6 implementation is a single userspace patch Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 37 / 48
Example of ICMPv6 include/datatype.h | 2 ++ include/payload.h | 14 +++++++++++ src/parser.y | 33 +++++++++++++++++++++++++++--- src/payload.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++++ src/scanner.l | 4 ++ 5 files changed, 109 insertions(+), 3 deletions(-) Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 38 / 48
Example of ICMPv6 static const struct datatype icmp6_type_type = { . type = TYPE_ICMP6_TYPE, .name = " icmpv6_type " , . desc = "ICMPv6 type " , . byteorder = BYTEORDER_BIG_ENDIAN, . size = BITS_PER_BYTE, . basetype = &integer_type , . sym_tbl = &icmp6_type_tbl , } ; #define ICMP6HDR_FIELD(__name , __member) HDR_FIELD(__name , struct icmp6_hdr , __member) #define ICMP6HDR_TYPE(__name , __type , __member) HDR_TYPE(__name , __type , struct icmp6_hdr , __member) const struct payload_desc payload_icmp6 = { .name = " icmpv6 " , . base = PAYLOAD_BASE_TRANSPORT_HDR, . templates = { [ICMP6HDR_TYPE] = ICMP6HDR_TYPE( " type " , &icmp6_type_type , icmp6_type ) , [ICMP6HDR_CODE] = ICMP6HDR_FIELD( " code " , icmp6_code ) , [ICMP6HDR_CHECKSUM] = ICMP6HDR_FIELD( " checksum " , icmp6_cksum ) , [ICMP6HDR_PPTR] = ICMP6HDR_FIELD( " parameter−problem " , icmp6_pptr ) , [ICMP6HDR_MTU] = ICMP6HDR_FIELD( " packet−too−big " , icmp6_mtu ) , [ICMP6HDR_ID] = ICMP6HDR_FIELD( " id " , icmp6_id ) , [ICMP6HDR_SEQ] = ICMP6HDR_FIELD( " sequence " , icmp6_seq ) , [ICMP6HDR_MAXDELAY] = ICMP6HDR_FIELD( "max−delay " , icmp6_maxdelay ) , } , } ; Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 39 / 48
Basic utilisation File mode nft -f ipv4-filter Command line mode nft add rule ip f i l t e r input tcp dport 80 drop nft l i s t table f i l t e r −a nft delete rule f i l t e r output handle 10 CLI mode # nft −i nft > l i s t table < c l i >:1:12 −12: Error : syntax error , unexpected end of f i l e , expecting s t r i l i s t table ^ nft > l i s t table f i l t e r table f i l t e r { chain input { ip saddr 1.2.3.4 counter packets 8 bytes 273 Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 41 / 48
Set handling Interests of sets One single rule evaluation Simple and readable ruleset Evolution handling Anonymous set nft add rule ip global f i l t e r ip daddr {192.168.0.0/24 , 192.168.1.4} tcp dport {22 , 443} accept Named set nft add set global ipv4_ad { type ipv4_address ; } nft add element global ipv4_ad { 192.168.1.4 , 192.168.1.5} nft delete element global ipv4_ad { 192.168.1.5} nft add rule ip global f i l t e r ip saddr @ipv4_ad drop Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 42 / 48
Mapping Principle and interest Associative mapping linking two notions A match on the key trigger the use of the value Using addresses, interfaces, verdicts Examples Anonymous mapping: # nft add rule f i l t e r output ip daddr vmap {192.168.0.0/24 => drop , 192.168.0.1 => accept } Named mapping: # nft −i nft > add map f i l t e r verdict_map { type ipv4_address => v e r d i c t ; } nft > add element f i l t e r verdict_map { 1.2.3.5 => drop } nft > add rule f i l t e r output ip daddr vmap @verdict_map Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 43 / 48
Usage example set web_servers { type ipv4_address elements = { 192.168.1.15 , 192.168.1.5} } map admin_map { type ipv4_address => v e r d i c t elements = { 192.168.0.44 => jump logmetender , 192.168.0.42 => jump logmetrue , 192.168.0.33 => accept } } chain forward { ct state established accept ip daddr @web_servers tcp dport ssh ip saddr map @admin_map ip daddr @web_servers tcp dport http log accept ip daddr @web_servers tcp dport https accept counter log drop } chain logmetender { log l i m i t 10/ minute accept } chain logmetrue { counter log accept } } Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 44 / 48
Transition and evolution A complete iptables compatibility iptables-nftables Binary compatible with iptables Using nftables framework Same kernel can be used with two systems A progressive update A high level library To be used by frontends Or by network manager systems Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 45 / 48
Conclusion A huge evolution Solving iptables problem An answer to new usages Set handling Complex matches Availability for end 2013, beginning 2014 Finalizing iptables compatibility High level library Debug and some functionalities Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 47 / 48
Questions ? Do you have questions ? Thanks to Netfilter team Astaro/Sophos for financing the development Google for GSoC 2013 More information Netfilter : http://www.netfilter.org Nftables quick & dirty : https://t.co/cM4zogob8t Contact me Mail: eric@regit.org Twitter: @Regiteric Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 48 / 48

Recommended

P4 Updates (2020) (Japanese)
P4 Updates (2020) (Japanese)P4 Updates (2020) (Japanese)
P4 Updates (2020) (Japanese)
Kentaro Ebisawa
 
Linux Network Stack
Linux Network StackLinux Network Stack
Linux Network Stack
Adrien Mahieux
 
Open vSwitch Offload: Conntrack and the Upstream Kernel
Open vSwitch Offload: Conntrack and the Upstream KernelOpen vSwitch Offload: Conntrack and the Upstream Kernel
Open vSwitch Offload: Conntrack and the Upstream Kernel
Netronome
 
EBPF and Linux Networking
EBPF and Linux NetworkingEBPF and Linux Networking
EBPF and Linux Networking
PLUMgrid
 
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RCThe Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
Thomas Graf
 
Replacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with CiliumReplacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with Cilium
Michal Rostecki
 
Troubleshooting containerized triple o deployment
Troubleshooting containerized triple o deploymentTroubleshooting containerized triple o deployment
Troubleshooting containerized triple o deployment
Sadique Puthen
 
OVS VXLAN Network Accelaration on OpenStack (VXLAN offload and DPDK) - OpenSt...
OVS VXLAN Network Accelaration on OpenStack (VXLAN offload and DPDK) - OpenSt...OVS VXLAN Network Accelaration on OpenStack (VXLAN offload and DPDK) - OpenSt...
OVS VXLAN Network Accelaration on OpenStack (VXLAN offload and DPDK) - OpenSt...
VirtualTech Japan Inc.
 

Recommended

P4 Updates (2020) (Japanese)
P4 Updates (2020) (Japanese)P4 Updates (2020) (Japanese)
P4 Updates (2020) (Japanese)
Kentaro Ebisawa
 
Linux Network Stack
Linux Network StackLinux Network Stack
Linux Network Stack
Adrien Mahieux
 
Open vSwitch Offload: Conntrack and the Upstream Kernel
Open vSwitch Offload: Conntrack and the Upstream KernelOpen vSwitch Offload: Conntrack and the Upstream Kernel
Open vSwitch Offload: Conntrack and the Upstream Kernel
Netronome
 
EBPF and Linux Networking
EBPF and Linux NetworkingEBPF and Linux Networking
EBPF and Linux Networking
PLUMgrid
 
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RCThe Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
Thomas Graf
 
Replacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with CiliumReplacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with Cilium
Michal Rostecki
 
Troubleshooting containerized triple o deployment
Troubleshooting containerized triple o deploymentTroubleshooting containerized triple o deployment
Troubleshooting containerized triple o deployment
Sadique Puthen
 
OVS VXLAN Network Accelaration on OpenStack (VXLAN offload and DPDK) - OpenSt...
OVS VXLAN Network Accelaration on OpenStack (VXLAN offload and DPDK) - OpenSt...OVS VXLAN Network Accelaration on OpenStack (VXLAN offload and DPDK) - OpenSt...
OVS VXLAN Network Accelaration on OpenStack (VXLAN offload and DPDK) - OpenSt...
VirtualTech Japan Inc.
 
nftables: the Next Generation Firewall in Linux
nftables: the Next Generation Firewall in Linuxnftables: the Next Generation Firewall in Linux
nftables: the Next Generation Firewall in Linux
Tomofumi Hayashi
 
Understanding DPDK
Understanding DPDKUnderstanding DPDK
Understanding DPDK
Denys Haryachyy
 
Unifying Network Filtering Rules for the Linux Kernel with eBPF
Unifying Network Filtering Rules for the Linux Kernel with eBPFUnifying Network Filtering Rules for the Linux Kernel with eBPF
Unifying Network Filtering Rules for the Linux Kernel with eBPF
Netronome
 
Faster packet processing in Linux: XDP
Faster packet processing in Linux: XDPFaster packet processing in Linux: XDP
Faster packet processing in Linux: XDP
Daniel T. Lee
 
DPDK & Layer 4 Packet Processing
DPDK & Layer 4 Packet ProcessingDPDK & Layer 4 Packet Processing
DPDK & Layer 4 Packet Processing
Michelle Holley
 
Accelerating Envoy and Istio with Cilium and the Linux Kernel
Accelerating Envoy and Istio with Cilium and the Linux KernelAccelerating Envoy and Istio with Cilium and the Linux Kernel
Accelerating Envoy and Istio with Cilium and the Linux Kernel
Thomas Graf
 
DPDK In Depth
DPDK In DepthDPDK In Depth
DPDK In Depth
Kernel TLV
 
introduction to linux kernel tcp/ip ptocotol stack
introduction to linux kernel tcp/ip ptocotol stack introduction to linux kernel tcp/ip ptocotol stack
introduction to linux kernel tcp/ip ptocotol stack
monad bobo
 
DPDK KNI interface
DPDK KNI interfaceDPDK KNI interface
DPDK KNI interface
Denys Haryachyy
 
Zebra SRv6 CLI on Linux Dataplane (ENOG#49)
Zebra SRv6 CLI on Linux Dataplane (ENOG#49)Zebra SRv6 CLI on Linux Dataplane (ENOG#49)
Zebra SRv6 CLI on Linux Dataplane (ENOG#49)
Kentaro Ebisawa
 
BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)
Brendan Gregg
 
Hokkaido.cap #osc11do Wiresharkを使いこなそう!
Hokkaido.cap #osc11do Wiresharkを使いこなそう!Hokkaido.cap #osc11do Wiresharkを使いこなそう!
Hokkaido.cap #osc11do Wiresharkを使いこなそう!
Panda Yamaki
 
BPF - in-kernel virtual machine
BPF - in-kernel virtual machineBPF - in-kernel virtual machine
BPF - in-kernel virtual machine
Alexei Starovoitov
 
containerdの概要と最近の機能
containerdの概要と最近の機能containerdの概要と最近の機能
containerdの概要と最近の機能
Kohei Tokunaga
 
How to run P4 BMv2
How to run P4 BMv2How to run P4 BMv2
How to run P4 BMv2
Kentaro Ebisawa
 
コンテナネットワーキング(CNI)最前線
コンテナネットワーキング(CNI)最前線コンテナネットワーキング(CNI)最前線
コンテナネットワーキング(CNI)最前線
Motonori Shindo
 
Operationalizing VRF in the Data Center
Operationalizing VRF in the Data CenterOperationalizing VRF in the Data Center
Operationalizing VRF in the Data Center
Cumulus Networks
 
DoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDKDoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDK
Marian Marinov
 
BGP Dynamic Routing and Neutron
BGP Dynamic Routing and NeutronBGP Dynamic Routing and Neutron
BGP Dynamic Routing and Neutron
rktidwell
 
20分でわかるgVisor入門
20分でわかるgVisor入門20分でわかるgVisor入門
20分でわかるgVisor入門
Shuji Yamada
 
Kernel Recipes 2014 - What’s new in nftables?
Kernel Recipes 2014 - What’s new in nftables?Kernel Recipes 2014 - What’s new in nftables?
Kernel Recipes 2014 - What’s new in nftables?
Anne Nicolas
 
In Network Computing Prototype Using P4 at KSC/KREONET 2019
In Network Computing Prototype Using P4 at KSC/KREONET 2019In Network Computing Prototype Using P4 at KSC/KREONET 2019
In Network Computing Prototype Using P4 at KSC/KREONET 2019
Kentaro Ebisawa
 

More Related Content

What's hot

nftables: the Next Generation Firewall in Linux
nftables: the Next Generation Firewall in Linuxnftables: the Next Generation Firewall in Linux
nftables: the Next Generation Firewall in Linux
Tomofumi Hayashi
 
Understanding DPDK
Understanding DPDKUnderstanding DPDK
Understanding DPDK
Denys Haryachyy
 
Unifying Network Filtering Rules for the Linux Kernel with eBPF
Unifying Network Filtering Rules for the Linux Kernel with eBPFUnifying Network Filtering Rules for the Linux Kernel with eBPF
Unifying Network Filtering Rules for the Linux Kernel with eBPF
Netronome
 
Faster packet processing in Linux: XDP
Faster packet processing in Linux: XDPFaster packet processing in Linux: XDP
Faster packet processing in Linux: XDP
Daniel T. Lee
 
DPDK & Layer 4 Packet Processing
DPDK & Layer 4 Packet ProcessingDPDK & Layer 4 Packet Processing
DPDK & Layer 4 Packet Processing
Michelle Holley
 
Accelerating Envoy and Istio with Cilium and the Linux Kernel
Accelerating Envoy and Istio with Cilium and the Linux KernelAccelerating Envoy and Istio with Cilium and the Linux Kernel
Accelerating Envoy and Istio with Cilium and the Linux Kernel
Thomas Graf
 
DPDK In Depth
DPDK In DepthDPDK In Depth
DPDK In Depth
Kernel TLV
 
introduction to linux kernel tcp/ip ptocotol stack
introduction to linux kernel tcp/ip ptocotol stack introduction to linux kernel tcp/ip ptocotol stack
introduction to linux kernel tcp/ip ptocotol stack
monad bobo
 
DPDK KNI interface
DPDK KNI interfaceDPDK KNI interface
DPDK KNI interface
Denys Haryachyy
 
Zebra SRv6 CLI on Linux Dataplane (ENOG#49)
Zebra SRv6 CLI on Linux Dataplane (ENOG#49)Zebra SRv6 CLI on Linux Dataplane (ENOG#49)
Zebra SRv6 CLI on Linux Dataplane (ENOG#49)
Kentaro Ebisawa
 
BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)
Brendan Gregg
 
Hokkaido.cap #osc11do Wiresharkを使いこなそう!
Hokkaido.cap #osc11do Wiresharkを使いこなそう!Hokkaido.cap #osc11do Wiresharkを使いこなそう!
Hokkaido.cap #osc11do Wiresharkを使いこなそう!
Panda Yamaki
 
BPF - in-kernel virtual machine
BPF - in-kernel virtual machineBPF - in-kernel virtual machine
BPF - in-kernel virtual machine
Alexei Starovoitov
 
containerdの概要と最近の機能
containerdの概要と最近の機能containerdの概要と最近の機能
containerdの概要と最近の機能
Kohei Tokunaga
 
How to run P4 BMv2
How to run P4 BMv2How to run P4 BMv2
How to run P4 BMv2
Kentaro Ebisawa
 
コンテナネットワーキング(CNI)最前線
コンテナネットワーキング(CNI)最前線コンテナネットワーキング(CNI)最前線
コンテナネットワーキング(CNI)最前線
Motonori Shindo
 
Operationalizing VRF in the Data Center
Operationalizing VRF in the Data CenterOperationalizing VRF in the Data Center
Operationalizing VRF in the Data Center
Cumulus Networks
 
DoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDKDoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDK
Marian Marinov
 
BGP Dynamic Routing and Neutron
BGP Dynamic Routing and NeutronBGP Dynamic Routing and Neutron
BGP Dynamic Routing and Neutron
rktidwell
 
20分でわかるgVisor入門
20分でわかるgVisor入門20分でわかるgVisor入門
20分でわかるgVisor入門
Shuji Yamada
 

What's hot (20)

nftables: the Next Generation Firewall in Linux
nftables: the Next Generation Firewall in Linuxnftables: the Next Generation Firewall in Linux
nftables: the Next Generation Firewall in Linux
 
Understanding DPDK
Understanding DPDKUnderstanding DPDK
Understanding DPDK
 
Unifying Network Filtering Rules for the Linux Kernel with eBPF
Unifying Network Filtering Rules for the Linux Kernel with eBPFUnifying Network Filtering Rules for the Linux Kernel with eBPF
Unifying Network Filtering Rules for the Linux Kernel with eBPF
 
Faster packet processing in Linux: XDP
Faster packet processing in Linux: XDPFaster packet processing in Linux: XDP
Faster packet processing in Linux: XDP
 
DPDK & Layer 4 Packet Processing
DPDK & Layer 4 Packet ProcessingDPDK & Layer 4 Packet Processing
DPDK & Layer 4 Packet Processing
 
Accelerating Envoy and Istio with Cilium and the Linux Kernel
Accelerating Envoy and Istio with Cilium and the Linux KernelAccelerating Envoy and Istio with Cilium and the Linux Kernel
Accelerating Envoy and Istio with Cilium and the Linux Kernel
 
DPDK In Depth
DPDK In DepthDPDK In Depth
DPDK In Depth
 
introduction to linux kernel tcp/ip ptocotol stack
introduction to linux kernel tcp/ip ptocotol stack introduction to linux kernel tcp/ip ptocotol stack
introduction to linux kernel tcp/ip ptocotol stack
 
DPDK KNI interface
DPDK KNI interfaceDPDK KNI interface
DPDK KNI interface
 
Zebra SRv6 CLI on Linux Dataplane (ENOG#49)
Zebra SRv6 CLI on Linux Dataplane (ENOG#49)Zebra SRv6 CLI on Linux Dataplane (ENOG#49)
Zebra SRv6 CLI on Linux Dataplane (ENOG#49)
 
BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)
 
Hokkaido.cap #osc11do Wiresharkを使いこなそう!
Hokkaido.cap #osc11do Wiresharkを使いこなそう!Hokkaido.cap #osc11do Wiresharkを使いこなそう!
Hokkaido.cap #osc11do Wiresharkを使いこなそう!
 
BPF - in-kernel virtual machine
BPF - in-kernel virtual machineBPF - in-kernel virtual machine
BPF - in-kernel virtual machine
 
containerdの概要と最近の機能
containerdの概要と最近の機能containerdの概要と最近の機能
containerdの概要と最近の機能
 
How to run P4 BMv2
How to run P4 BMv2How to run P4 BMv2
How to run P4 BMv2
 
コンテナネットワーキング(CNI)最前線
コンテナネットワーキング(CNI)最前線コンテナネットワーキング(CNI)最前線
コンテナネットワーキング(CNI)最前線
 
Operationalizing VRF in the Data Center
Operationalizing VRF in the Data CenterOperationalizing VRF in the Data Center
Operationalizing VRF in the Data Center
 
DoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDKDoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDK
 
BGP Dynamic Routing and Neutron
BGP Dynamic Routing and NeutronBGP Dynamic Routing and Neutron
BGP Dynamic Routing and Neutron
 
20分でわかるgVisor入門
20分でわかるgVisor入門20分でわかるgVisor入門
20分でわかるgVisor入門
 

Similar to Kernel Recipes 2013 - Nftables, what motivations and what solutions

Kernel Recipes 2014 - What’s new in nftables?
Kernel Recipes 2014 - What’s new in nftables?Kernel Recipes 2014 - What’s new in nftables?
Kernel Recipes 2014 - What’s new in nftables?
Anne Nicolas
 
In Network Computing Prototype Using P4 at KSC/KREONET 2019
In Network Computing Prototype Using P4 at KSC/KREONET 2019In Network Computing Prototype Using P4 at KSC/KREONET 2019
In Network Computing Prototype Using P4 at KSC/KREONET 2019
Kentaro Ebisawa
 
PASTE: A Network Programming Interface for Non-Volatile Main Memory
PASTE: A Network Programming Interface for Non-Volatile Main MemoryPASTE: A Network Programming Interface for Non-Volatile Main Memory
PASTE: A Network Programming Interface for Non-Volatile Main Memory
micchie
 
NFV features in kubernetes
NFV features in kubernetesNFV features in kubernetes
NFV features in kubernetes
Kuralamudhan Ramakrishnan
 
P4+ONOS SRv6 tutorial.pptx
P4+ONOS SRv6 tutorial.pptxP4+ONOS SRv6 tutorial.pptx
P4+ONOS SRv6 tutorial.pptx
tampham61268
 
Introduction of eBPF - 時下最夯的Linux Technology
Introduction of eBPF - 時下最夯的Linux Technology Introduction of eBPF - 時下最夯的Linux Technology
Introduction of eBPF - 時下最夯的Linux Technology
Jace Liang
 
Tutorial contributing to nf-core
Tutorial contributing to nf-coreTutorial contributing to nf-core
Tutorial contributing to nf-core
Gisela Gabernet
 
Enabling accelerated networking - seminar by Enea at the Embedded Conference ...
Enabling accelerated networking - seminar by Enea at the Embedded Conference ...Enabling accelerated networking - seminar by Enea at the Embedded Conference ...
Enabling accelerated networking - seminar by Enea at the Embedded Conference ...
EneaSoftware
 
Kernel Recipes 2017 - EBPF and XDP - Eric Leblond
Kernel Recipes 2017 - EBPF and XDP - Eric LeblondKernel Recipes 2017 - EBPF and XDP - Eric Leblond
Kernel Recipes 2017 - EBPF and XDP - Eric Leblond
Anne Nicolas
 
DevOps Fest 2020. Даніель Яворович. Data pipelines: building an efficient ins...
DevOps Fest 2020. Даніель Яворович. Data pipelines: building an efficient ins...DevOps Fest 2020. Даніель Яворович. Data pipelines: building an efficient ins...
DevOps Fest 2020. Даніель Яворович. Data pipelines: building an efficient ins...
DevOps_Fest
 
Using Embedded Linux for Infrastructure Systems
Using Embedded Linux for Infrastructure SystemsUsing Embedded Linux for Infrastructure Systems
Using Embedded Linux for Infrastructure Systems
Yoshitake Kobayashi
 
Kernel Recipes 2015: Kernel packet capture technologies
Kernel Recipes 2015: Kernel packet capture technologiesKernel Recipes 2015: Kernel packet capture technologies
Kernel Recipes 2015: Kernel packet capture technologies
Anne Nicolas
 
FIWARE Global Summit - FogFlow, a new GE for IoT Edge Computing
FIWARE Global Summit - FogFlow, a new GE for IoT Edge ComputingFIWARE Global Summit - FogFlow, a new GE for IoT Edge Computing
FIWARE Global Summit - FogFlow, a new GE for IoT Edge Computing
FIWARE
 
Kernel Recipes 2014 - kGraft: Live Patching of the Linux Kernel
Kernel Recipes 2014 - kGraft: Live Patching of the Linux KernelKernel Recipes 2014 - kGraft: Live Patching of the Linux Kernel
Kernel Recipes 2014 - kGraft: Live Patching of the Linux Kernel
Anne Nicolas
 
Yusuf Haruna Docker internship slides
Yusuf Haruna Docker internship slidesYusuf Haruna Docker internship slides
Yusuf Haruna Docker internship slides
Yusuf Haruna
 
Data Plane Evolution: Towards Openness and Flexibility
Data Plane Evolution: Towards Openness and FlexibilityData Plane Evolution: Towards Openness and Flexibility
Data Plane Evolution: Towards Openness and Flexibility
APNIC
 
nf-core usage tutorial
nf-core usage tutorialnf-core usage tutorial
nf-core usage tutorial
Gisela Gabernet
 
Enabling NFV features in kubernetes
Enabling NFV features in kubernetesEnabling NFV features in kubernetes
Enabling NFV features in kubernetes
Kuralamudhan Ramakrishnan
 
Chapter 7 security tools i
Chapter 7 security tools iChapter 7 security tools i
Chapter 7 security tools i
Syaiful Ahdan
 
Generic network architecture discussion
Generic network architecture discussionGeneric network architecture discussion
Generic network architecture discussion
ARCFIRE ICT
 

Similar to Kernel Recipes 2013 - Nftables, what motivations and what solutions (20)

Kernel Recipes 2014 - What’s new in nftables?
Kernel Recipes 2014 - What’s new in nftables?Kernel Recipes 2014 - What’s new in nftables?
Kernel Recipes 2014 - What’s new in nftables?
 
In Network Computing Prototype Using P4 at KSC/KREONET 2019
In Network Computing Prototype Using P4 at KSC/KREONET 2019In Network Computing Prototype Using P4 at KSC/KREONET 2019
In Network Computing Prototype Using P4 at KSC/KREONET 2019
 
PASTE: A Network Programming Interface for Non-Volatile Main Memory
PASTE: A Network Programming Interface for Non-Volatile Main MemoryPASTE: A Network Programming Interface for Non-Volatile Main Memory
PASTE: A Network Programming Interface for Non-Volatile Main Memory
 
NFV features in kubernetes
NFV features in kubernetesNFV features in kubernetes
NFV features in kubernetes
 
P4+ONOS SRv6 tutorial.pptx
P4+ONOS SRv6 tutorial.pptxP4+ONOS SRv6 tutorial.pptx
P4+ONOS SRv6 tutorial.pptx
 
Introduction of eBPF - 時下最夯的Linux Technology
Introduction of eBPF - 時下最夯的Linux Technology Introduction of eBPF - 時下最夯的Linux Technology
Introduction of eBPF - 時下最夯的Linux Technology
 
Tutorial contributing to nf-core
Tutorial contributing to nf-coreTutorial contributing to nf-core
Tutorial contributing to nf-core
 
Enabling accelerated networking - seminar by Enea at the Embedded Conference ...
Enabling accelerated networking - seminar by Enea at the Embedded Conference ...Enabling accelerated networking - seminar by Enea at the Embedded Conference ...
Enabling accelerated networking - seminar by Enea at the Embedded Conference ...
 
Kernel Recipes 2017 - EBPF and XDP - Eric Leblond
Kernel Recipes 2017 - EBPF and XDP - Eric LeblondKernel Recipes 2017 - EBPF and XDP - Eric Leblond
Kernel Recipes 2017 - EBPF and XDP - Eric Leblond
 
DevOps Fest 2020. Даніель Яворович. Data pipelines: building an efficient ins...
DevOps Fest 2020. Даніель Яворович. Data pipelines: building an efficient ins...DevOps Fest 2020. Даніель Яворович. Data pipelines: building an efficient ins...
DevOps Fest 2020. Даніель Яворович. Data pipelines: building an efficient ins...
 
Using Embedded Linux for Infrastructure Systems
Using Embedded Linux for Infrastructure SystemsUsing Embedded Linux for Infrastructure Systems
Using Embedded Linux for Infrastructure Systems
 
Kernel Recipes 2015: Kernel packet capture technologies
Kernel Recipes 2015: Kernel packet capture technologiesKernel Recipes 2015: Kernel packet capture technologies
Kernel Recipes 2015: Kernel packet capture technologies
 
FIWARE Global Summit - FogFlow, a new GE for IoT Edge Computing
FIWARE Global Summit - FogFlow, a new GE for IoT Edge ComputingFIWARE Global Summit - FogFlow, a new GE for IoT Edge Computing
FIWARE Global Summit - FogFlow, a new GE for IoT Edge Computing
 
Kernel Recipes 2014 - kGraft: Live Patching of the Linux Kernel
Kernel Recipes 2014 - kGraft: Live Patching of the Linux KernelKernel Recipes 2014 - kGraft: Live Patching of the Linux Kernel
Kernel Recipes 2014 - kGraft: Live Patching of the Linux Kernel
 
Yusuf Haruna Docker internship slides
Yusuf Haruna Docker internship slidesYusuf Haruna Docker internship slides
Yusuf Haruna Docker internship slides
 
Data Plane Evolution: Towards Openness and Flexibility
Data Plane Evolution: Towards Openness and FlexibilityData Plane Evolution: Towards Openness and Flexibility
Data Plane Evolution: Towards Openness and Flexibility
 
nf-core usage tutorial
nf-core usage tutorialnf-core usage tutorial
nf-core usage tutorial
 
Enabling NFV features in kubernetes
Enabling NFV features in kubernetesEnabling NFV features in kubernetes
Enabling NFV features in kubernetes
 
Chapter 7 security tools i
Chapter 7 security tools iChapter 7 security tools i
Chapter 7 security tools i
 
Generic network architecture discussion
Generic network architecture discussionGeneric network architecture discussion
Generic network architecture discussion
 

More from Anne Nicolas

Kernel Recipes 2019 - Driving the industry toward upstream first
Kernel Recipes 2019 - Driving the industry toward upstream firstKernel Recipes 2019 - Driving the industry toward upstream first
Kernel Recipes 2019 - Driving the industry toward upstream first
Anne Nicolas
 
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMIKernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Anne Nicolas
 
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelKernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Anne Nicolas
 
Kernel Recipes 2019 - Metrics are money
Kernel Recipes 2019 - Metrics are moneyKernel Recipes 2019 - Metrics are money
Kernel Recipes 2019 - Metrics are money
Anne Nicolas
 
Kernel Recipes 2019 - Kernel documentation: past, present, and future
Kernel Recipes 2019 - Kernel documentation: past, present, and futureKernel Recipes 2019 - Kernel documentation: past, present, and future
Kernel Recipes 2019 - Kernel documentation: past, present, and future
Anne Nicolas
 
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Anne Nicolas
 
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary dataKernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Anne Nicolas
 
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Anne Nicolas
 
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and BareboxEmbedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Anne Nicolas
 
Embedded Recipes 2019 - Making embedded graphics less special
Embedded Recipes 2019 - Making embedded graphics less specialEmbedded Recipes 2019 - Making embedded graphics less special
Embedded Recipes 2019 - Making embedded graphics less special
Anne Nicolas
 
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre SiliconEmbedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Anne Nicolas
 
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) pictureEmbedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Anne Nicolas
 
Embedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops wayEmbedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops way
Anne Nicolas
 
Embedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmakerEmbedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmaker
Anne Nicolas
 
Embedded Recipes 2019 - LLVM / Clang integration
Embedded Recipes 2019 - LLVM / Clang integrationEmbedded Recipes 2019 - LLVM / Clang integration
Embedded Recipes 2019 - LLVM / Clang integration
Anne Nicolas
 
Embedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debuggingEmbedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debugging
Anne Nicolas
 
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimediaEmbedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Anne Nicolas
 
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all startedKernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Anne Nicolas
 
Kernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDPKernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDP
Anne Nicolas
 
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Anne Nicolas
 

More from Anne Nicolas (20)

Kernel Recipes 2019 - Driving the industry toward upstream first
Kernel Recipes 2019 - Driving the industry toward upstream firstKernel Recipes 2019 - Driving the industry toward upstream first
Kernel Recipes 2019 - Driving the industry toward upstream first
 
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMIKernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
 
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelKernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
 
Kernel Recipes 2019 - Metrics are money
Kernel Recipes 2019 - Metrics are moneyKernel Recipes 2019 - Metrics are money
Kernel Recipes 2019 - Metrics are money
 
Kernel Recipes 2019 - Kernel documentation: past, present, and future
Kernel Recipes 2019 - Kernel documentation: past, present, and futureKernel Recipes 2019 - Kernel documentation: past, present, and future
Kernel Recipes 2019 - Kernel documentation: past, present, and future
 
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
 
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary dataKernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
 
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
 
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and BareboxEmbedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
 
Embedded Recipes 2019 - Making embedded graphics less special
Embedded Recipes 2019 - Making embedded graphics less specialEmbedded Recipes 2019 - Making embedded graphics less special
Embedded Recipes 2019 - Making embedded graphics less special
 
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre SiliconEmbedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
 
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) pictureEmbedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
 
Embedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops wayEmbedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops way
 
Embedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmakerEmbedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmaker
 
Embedded Recipes 2019 - LLVM / Clang integration
Embedded Recipes 2019 - LLVM / Clang integrationEmbedded Recipes 2019 - LLVM / Clang integration
Embedded Recipes 2019 - LLVM / Clang integration
 
Embedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debuggingEmbedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debugging
 
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimediaEmbedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
 
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all startedKernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
 
Kernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDPKernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDP
 
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
 

Recently uploaded

A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
Vlad Stirbu
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
Peter Spielvogel
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 

Recently uploaded (20)

A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 

Kernel Recipes 2013 - Nftables, what motivations and what solutions

  • 1. nftables, far more than %s/ip/nf/g Éric Leblond Nefilter Coreteam September 24, 2013 Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 1 / 48
  • 2. 1 Introduction 2 Netfilter in 2013 3 Iptables limitations 4 Nftables, an Iptables replacement 5 Advantages of the approach 6 An updated user experience 7 Conclusion Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 2 / 48
  • 3. Éric Leblond Hacker and contractor Independant Open Source and Security consultant Started and developped NuFW, the authenticating firewall Core developer of Suricata IDS/IPS Netfilter Coreteam member Work on kernel-userspace interaction Kernel hacking ulogd2 maintainer Port of Openoffice firewall to Libreoffice Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 4 / 48
  • 4. History ipchains (1997) Linux 2.2 firewalling stateless Developped by Paul ’Rusty’ Russel iptables (2000) Linux 2.4 firewalling Stateful tracking and full NAT support in-extremis IPv6 support Netfilter project ’Rusty’ Russel developed iptables and funded Netfilter project Netfilter coreteam was created to consolidate the community Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 6 / 48
  • 5. Features Filtering and logging Filtering on protocol fields on internal state Packet mangling Change TOS Change TTL Set mark Connection tracking Stateful filtering Helper to support protocol like FTP Network Address Translation Destination Network Address Translation Source Network Address Translation Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 7 / 48
  • 6. Netfilter inside kernel Hooks Hooks at different points of network stack Verdict can be issued and skb can be modified To each hook correspond at least table Different families filter raw nat mangle Loading a module create the table Connection tracking tasks Maintain a hash table with known flows Detect dynamic connection opening for some protocols Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 8 / 48
  • 7. Major components Netfilter filtering In charge of accepting, blocking, transforming packets Configured by ioctl Connection tracking Analyse traffic and maintain flow table Cost in term of performance Increase security iptables Configuration tools Update ruleset inside kernel Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 9 / 48
  • 8. The nfnetlink (r)evolution Nfnetlink First major evolution of Netfilter (Linux 2.6.14, 2005) Netfilter dedicated configuration and message passing mechanism New interactions NFLOG: enhanced logging system NFQUEUE: improved userspace decision system NFCT: get information and update connection tracking entries Based on Netlink datagram-oriented messaging system passing messages from kernel to user-space and vice-versa Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 10 / 48
  • 9. Netlink Header format Payload format Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 11 / 48
  • 10. Components created following 2.6.14 conntrack-tools conntrackd connection tracking replication daemon provide high availability developped by Pablo Neira Ayuso conntrack: command line tool to update and query connection tracking ulogd2 logging daemon handle packets and connections logging Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 12 / 48
  • 11. Latest changes ipset Efficient set handling Address list or more complex set Reach vanilla kernel in 2011 (Linux 2.6.39) nfacct Efficient accounting system Appeared in 2012 Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 13 / 48
  • 12. Kernel code How much code 70000 LOC reside in kernelspace around 50000 LOC in user-space Iptables extensions 111 iptables extensions. Various tasks: tcp cluster bpf statistic Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 14 / 48
  • 13. Performance Adding a rule The problem Atomic replacement of ruleset Sent from kernel to userspace Modified and sent back by userspace Huge performance impact Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 16 / 48
  • 14. Dynamic ruleset Network gets dynamic Firewall can’t be static anymore Cloud IP reputation Combinatory explosion : one rule per-server and protocol Set handling Set handling is made via ipset Efficient but not as integrated as possible Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 17 / 48
  • 15. Code duplication Different filtering family Netfilter classic filtering Brigde filtering Arp filtering IPv4 and IPv6 Matches and target Similar code in numerous Netfilter module Nothing is shared Manual parsing Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 18 / 48
  • 16. Problem due to binary blob usage ABI breakage Binary exchange between userspace and kernel No modification possible without touching kernel Trusting userspace Kernel is parsing a binary blob Possible to break the internal parser Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 19 / 48
  • 17. Integration via exec Frontend and iptables No officially available library Frontend fork iptables command libiptables Available inside iptables sources Not a public library API and ABI breakage are not checked during version upgrade Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 20 / 48
  • 18. Lack of flexible table and chains configurations Module loading is the key Chains are created when module init Induce a performance cost even without rules No configuration is possible Chains are hardcoded FORWARD is created on a server Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 21 / 48
  • 19. Nftables A new filtering system Replace iptables and the filtering infrastructure No changes in Hooks Connection tracking Helpers A new language Based on a grammar Accessible from a library Netlink based communication Atomic modification Notification system Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 23 / 48
  • 20. History Introduced in 2008 Developped and presented by Patrick McHardy at NFWS2008 Presentation took 3 hours Alpha stage in 2008 Development did stop Patrick McHardy did not finish the code alone Nobody did join the effort Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 24 / 48
  • 21. Video Interlude The video http://www.youtube.com/watch?v=DQp1AI1p3f8 Video generation Video generated with gource Various git history have been merged File path has been prefixed with project name Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 25 / 48
  • 22. What explanations ? Should have "Release often release early" ? Started by Patrick McHardy only Almost complete work presented during NFWS 2008 Complex to enter the project Too early ? No user were demanding for that explicitly Ipset was available and fixing the set issue Solution for dynamic handling was sufficient Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 26 / 48
  • 23. Development restarted in 2012 Funding by Sophos/Astaro Pablo Neira Ayuso get funded by Astaro Work restart in 2012 Gaining momemtum Tomasz Bursztyka joined the development team Work on Connman Lack of libs was painful to him Start to hack on nftables Google summer of code 3 students Some good results Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 27 / 48
  • 24. A filtering based on a pseudo-state machine Inspired by BPF 4 registers 1 verdict A extensive instructions set Add Some Magic ? reg = pkt.payload[offset, len] reg = cmp(reg1, reg2, EQ) reg = pkt.meta(mark) reg = lookup(set, reg1) reg = ct(reg1, state) Easy creation of new matches reg1 = pkt.payload[offset_src_port, len] reg2 = pkt.payload[offset_dst_port, len] reg = cmp(reg1, reg2, EQ) Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 28 / 48
  • 25. Architecture Kernel Tables: declared by user and attached to hook User interface: nfnetlink socket ADD DELETE DUMP Userspace libmnl: low level netlink interaction libnftables: library handling low-level interaction with nftables Netlink’s API nftables: command line utility to maintain ruleset Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 29 / 48
  • 26. Dynamic chain loading Chain are created on-demand Chain are created via a specific netlink message Non-user chain are: Of a specific type Bound to a given hook Current chain type filter: filtering table route: old mangle table nat: network address translation table Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 30 / 48
  • 27. From userspace syntax to kernel Converting user input Operation is made via a netlink message The userspace syntax must be converted From a text message following a grammar To a binary Netlink message Linearize Tokenisation Parsing Evaluation Linearization Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 31 / 48
  • 28. From kernel to userspace syntax Kernel send netlink message It must be converted back to text Conversion Deliniearization Postprocessing Textify Example ip f i l t e r output 8 7 [ payload load 4b @ network header + 16 => reg 1 ] [ bitwise reg 1 = ( reg=1 & 0 x 0 0 f f f f f f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00500fd9 ] [ counter pkts 7 bytes 588 ] is translated to: ip daddr 217.15.80.0/24 counter packets 7 bytes 588 # handle 8 Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 32 / 48
  • 29. Kernel Atomic ruleset update atomically commit a set of rule-set updates incrementally based on a generation counter/mask 00 active in the present, will be active in the next generation. 01 active in the present, needs to zero its future, it becomes 00. 10 inactive in the present, delete now. xtables compatibility Possible to use old extensions Necessary to provide backward compatibility Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 33 / 48
  • 30. Notification Event based notification Each rule update trigger an event Event is sent to userspace via nfnetlink Userspace usage Implemented in libnftables Program can update his view on the ruleset without dump Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 34 / 48
  • 31. A limited in-kernel size A limited set of operators and instructions A state machine No code dedicated to each match One match on address use same code as a match on port New matchs are possible without kernel modification LOC count 50000 LOC in userspace only 7000 LOC in kernel-space Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 36 / 48
  • 32. Less kernel update Pseudo state machine instruction Current instructions cover need found in previous 10 years New instruction require very limited code Development in userspace A new match will not need a new kernel ICMPv6 implementation is a single userspace patch Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 37 / 48
  • 33. Example of ICMPv6 include/datatype.h | 2 ++ include/payload.h | 14 +++++++++++ src/parser.y | 33 +++++++++++++++++++++++++++--- src/payload.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++++ src/scanner.l | 4 ++ 5 files changed, 109 insertions(+), 3 deletions(-) Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 38 / 48
  • 34. Example of ICMPv6 static const struct datatype icmp6_type_type = { . type = TYPE_ICMP6_TYPE, .name = " icmpv6_type " , . desc = "ICMPv6 type " , . byteorder = BYTEORDER_BIG_ENDIAN, . size = BITS_PER_BYTE, . basetype = &integer_type , . sym_tbl = &icmp6_type_tbl , } ; #define ICMP6HDR_FIELD(__name , __member) HDR_FIELD(__name , struct icmp6_hdr , __member) #define ICMP6HDR_TYPE(__name , __type , __member) HDR_TYPE(__name , __type , struct icmp6_hdr , __member) const struct payload_desc payload_icmp6 = { .name = " icmpv6 " , . base = PAYLOAD_BASE_TRANSPORT_HDR, . templates = { [ICMP6HDR_TYPE] = ICMP6HDR_TYPE( " type " , &icmp6_type_type , icmp6_type ) , [ICMP6HDR_CODE] = ICMP6HDR_FIELD( " code " , icmp6_code ) , [ICMP6HDR_CHECKSUM] = ICMP6HDR_FIELD( " checksum " , icmp6_cksum ) , [ICMP6HDR_PPTR] = ICMP6HDR_FIELD( " parameter−problem " , icmp6_pptr ) , [ICMP6HDR_MTU] = ICMP6HDR_FIELD( " packet−too−big " , icmp6_mtu ) , [ICMP6HDR_ID] = ICMP6HDR_FIELD( " id " , icmp6_id ) , [ICMP6HDR_SEQ] = ICMP6HDR_FIELD( " sequence " , icmp6_seq ) , [ICMP6HDR_MAXDELAY] = ICMP6HDR_FIELD( "max−delay " , icmp6_maxdelay ) , } , } ; Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 39 / 48
  • 35. Basic utilisation File mode nft -f ipv4-filter Command line mode nft add rule ip f i l t e r input tcp dport 80 drop nft l i s t table f i l t e r −a nft delete rule f i l t e r output handle 10 CLI mode # nft −i nft > l i s t table < c l i >:1:12 −12: Error : syntax error , unexpected end of f i l e , expecting s t r i l i s t table ^ nft > l i s t table f i l t e r table f i l t e r { chain input { ip saddr 1.2.3.4 counter packets 8 bytes 273 Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 41 / 48
  • 36. Set handling Interests of sets One single rule evaluation Simple and readable ruleset Evolution handling Anonymous set nft add rule ip global f i l t e r ip daddr {192.168.0.0/24 , 192.168.1.4} tcp dport {22 , 443} accept Named set nft add set global ipv4_ad { type ipv4_address ; } nft add element global ipv4_ad { 192.168.1.4 , 192.168.1.5} nft delete element global ipv4_ad { 192.168.1.5} nft add rule ip global f i l t e r ip saddr @ipv4_ad drop Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 42 / 48
  • 37. Mapping Principle and interest Associative mapping linking two notions A match on the key trigger the use of the value Using addresses, interfaces, verdicts Examples Anonymous mapping: # nft add rule f i l t e r output ip daddr vmap {192.168.0.0/24 => drop , 192.168.0.1 => accept } Named mapping: # nft −i nft > add map f i l t e r verdict_map { type ipv4_address => v e r d i c t ; } nft > add element f i l t e r verdict_map { 1.2.3.5 => drop } nft > add rule f i l t e r output ip daddr vmap @verdict_map Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 43 / 48
  • 38. Usage example set web_servers { type ipv4_address elements = { 192.168.1.15 , 192.168.1.5} } map admin_map { type ipv4_address => v e r d i c t elements = { 192.168.0.44 => jump logmetender , 192.168.0.42 => jump logmetrue , 192.168.0.33 => accept } } chain forward { ct state established accept ip daddr @web_servers tcp dport ssh ip saddr map @admin_map ip daddr @web_servers tcp dport http log accept ip daddr @web_servers tcp dport https accept counter log drop } chain logmetender { log l i m i t 10/ minute accept } chain logmetrue { counter log accept } } Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 44 / 48
  • 39. Transition and evolution A complete iptables compatibility iptables-nftables Binary compatible with iptables Using nftables framework Same kernel can be used with two systems A progressive update A high level library To be used by frontends Or by network manager systems Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 45 / 48
  • 40. Conclusion A huge evolution Solving iptables problem An answer to new usages Set handling Complex matches Availability for end 2013, beginning 2014 Finalizing iptables compatibility High level library Debug and some functionalities Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 47 / 48
  • 41. Questions ? Do you have questions ? Thanks to Netfilter team Astaro/Sophos for financing the development Google for GSoC 2013 More information Netfilter : http://www.netfilter.org Nftables quick & dirty : https://t.co/cM4zogob8t Contact me Mail: eric@regit.org Twitter: @Regiteric Éric Leblond (Nefilter Coreteam) nftables, far more than %s/ip/nf/g September 24, 2013 48 / 48