SlideShare a Scribd company logo

Kernel Recipes 2014 - What’s new in nftables?

Anne Nicolas
Anne Nicolas

Nftables is a new packet filtering framework which aims at replacing iptables. It has been developed by the Netfilter team who wanted after 10 years of development to get rid of iptables. After a successful introduction in the 3.13 kernel and more than one year in vanilla kernel, nftables evolution has been important. If the main concepts did not change a lot of technical problem and improvement have been made. This talk will do a summary of these changes describing the one being the most challenging at the technical level. It will alsod focus on the decisions and orientations chosen during the Netfilter workshop in July. Eric Leblond, Stamus Networks

Software
1 of 47
Download to read offline
nftables, one year later Éric Leblond Stamus Networks September 25, 2014 Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 1 / 40
1 Introduction 2 Nftables, an Iptables replacement 3 Nftables since last Kernel Recipes 4 The future 5 Conclusion Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 2 / 40
1 Introduction 2 Nftables, an Iptables replacement 3 Nftables since last Kernel Recipes 4 The future 5 Conclusion Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 3 / 40
Éric Leblond co-founder of Stamus Networks Company providing network probe based on Suricata Focusing on bringing you the best of Suricata IDS technology Netfilter Coreteam member Work on kernel-userspace interaction Kernel hacking Ulogd2 maintainer Port of Openoffice firewall to Libreoffice Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 4 / 40
1 Introduction 2 Nftables, an Iptables replacement 3 Nftables since last Kernel Recipes 4 The future 5 Conclusion Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 5 / 40
Nftables A new filtering system Replace iptables and the filtering infrastructure No changes in Hooks Connection tracking Helpers Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 6 / 40
Nftables A new filtering system Replace iptables and the filtering infrastructure No changes in Hooks Connection tracking Helpers A new language Based on a grammar Accessible from a library Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 6 / 40
Nftables A new filtering system Replace iptables and the filtering infrastructure No changes in Hooks Connection tracking Helpers A new language Based on a grammar Accessible from a library Netlink based communication Atomic modification Notification system Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 6 / 40
A filtering based on a pseudo-state machine Inspired by BPF 4 registers 1 verdict A extensive instructions set Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 7 / 40
A filtering based on a pseudo-state machine Inspired by BPF 4 registers 1 verdict A extensive instructions set Add Some Magic ? reg = pkt.payload[offset, len] reg = cmp(reg1, reg2, EQ) reg = pkt.meta(mark) reg = lookup(set, reg1) reg = ct(reg1, state) Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 7 / 40
A filtering based on a pseudo-state machine Inspired by BPF 4 registers 1 verdict A extensive instructions set Add Some Magic ? reg = pkt.payload[offset, len] reg = cmp(reg1, reg2, EQ) reg = pkt.meta(mark) reg = lookup(set, reg1) reg = ct(reg1, state) Easy creation of new matches reg1 = pkt.payload[offset_src_port, len] reg2 = pkt.payload[offset_dst_port, len] reg = cmp(reg1, reg2, EQ) Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 7 / 40
Architecture Kernel Tables: declared by user and attached to hook User interface: nfnetlink socket ADD DELETE DUMP Userspace libmnl: low level netlink interaction libnftnl: library handling low-level interaction with nftables Netlink’s API nftables: command line utility to maintain ruleset Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 8 / 40
Dynamic chain loading Chain are created on-demand Chain are created via a specific netlink message Non-user chain are: Of a specific type Bound to a given hook Current chain type filter: filtering table route: old mangle table nat: network address translation table Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 9 / 40
From userspace syntax to kernel Converting user input Operation is made via a netlink message The userspace syntax must be converted From a text message following a grammar To a binary Netlink message Linearize Tokenisation Parsing Evaluation Linearization Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 10 / 40
From kernel to userspace syntax Kernel send netlink message It must be converted back to text Conversion Delinearization Postprocessing Textify Example i p f i l t e r output 8 7 [ payload load 4b @ network header + 16 => reg 1 ] [ b i twi s e reg 1 = ( reg=1 & 0 x 0 0 f f f f f f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00500fd9 ] [ counter pkts 7 bytes 588 ] is translated to: i p daddr 217.15.80.0/24 counter packets 7 bytes 588 # handle 8 Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 11 / 40
Simplified kernel code A limited in-kernel size A limited set of operators and instructions A state machine No code dedicated to each match One match on address use same code as a match on port New matchs are possible without kernel modification LOC count 50000 LOC in userspace only 7000 LOC in kernel-space Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 12 / 40
Less kernel update Pseudo state machine instruction Current instructions cover need found in previous 10 years New instruction require very limited code Development in userspace A new match will not need a new kernel ICMPv6 implementation is a single userspace patch Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 13 / 40
Set handling Interests of sets One single rule evaluation Simple and readable ruleset Evolution handling Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 14 / 40
Set handling Interests of sets One single rule evaluation Simple and readable ruleset Evolution handling Anonymous set nf t add rule i p global f i l t e r i p daddr {192.168.0.0/24 , 192.168.1.4} tcp dpor t {22 , 443} accept Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 14 / 40
Set handling Interests of sets One single rule evaluation Simple and readable ruleset Evolution handling Anonymous set nf t add rule i p global f i l t e r i p daddr {192.168.0.0/24 , 192.168.1.4} tcp dpor t {22 , 443} accept Named set nf t add set global ipv4_ad { type ipv4_address ; } nf t add element global ipv4_ad { 192.168.1.4 , 192.168.1.5} nf t delete element global ipv4_ad { 192.168.1.5} nf t add rule i p global f i l t e r i p saddr @ipv4_ad drop Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 14 / 40
Mapping Principle and interest Associative mapping linking two notions A match on the key trigger the use of the value Using addresses, interfaces, verdicts Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 15 / 40
Mapping Principle and interest Associative mapping linking two notions A match on the key trigger the use of the value Using addresses, interfaces, verdicts Examples Anonymous mapping: # nf t add rule f i l t e r output i p daddr vmap {192.168.0.0/24 => drop , 192.168.0.1 => accept } Named mapping: # nf t i nft add map f i l t e r verdict_map { type ipv4_address = v e r d i c t ; } nft add element f i l t e r verdict_map { 1 . 2 . 3 . 5 = drop } nft add rule f i l t e r output i p daddr vmap @verdict_map Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 15 / 40
Usage example set web_servers { type ipv4_address elements = { 192.168.1.15 , 192.168.1.5} } map admin_map { type ipv4_address = v e r d i c t elements = { 192.168.0.44 = jump logmetender , 192.168.0.42 = jump logmetrue , 192.168.0.33 = accept } }c hain forward { c t s ta t e es tabl i shed accept i p daddr @web_servers tcp dpor t ssh i p saddr map @admin_map i p daddr @web_servers tcp dpor t { ht tp , h t tp s } log accept counter log drop }c hain logmetender { log l imi t 10/minute accept }c hain logmetrue { counter log accept } } Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 16 / 40
1 Introduction 2 Nftables, an Iptables replacement 3 Nftables since last Kernel Recipes 4 The future 5 Conclusion Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 17 / 40
Sexy trailer The video http://youtu.be/fUTgQw75ikA Video generation Video generated with gource Various git history have been merged File path has been prefixed with project name Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 18 / 40
Documentation Man page Complete description of nft Man page style: Lot of things Concise description A few things missing A wiki Only a howto for now http://wiki.nftables.org/ Still incomplete but a good documentation Want to contribute: Ask on Netfilter mailing list to get an account Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 19 / 40
IPv4 and IPv6 filtering Don’t mix the old and the new Tables are defined relatively to a IP space Must declare a table for each protocol for each chain/hook Basic filtering chains table f i l t e r { chain i np u t { type f i l t e r hook i np u t p r i o r i t y 0; } chain forward { type f i l t e r hook forward p r i o r i t y 0; } chain output { type f i l t e r hook output p r i o r i t y 0; } } table ip6 f i l t e r { chain i np u t { type f i l t e r hook i np u t p r i o r i t y 0; } chain forward { type f i l t e r hook forward p r i o r i t y 0; } chain output { type f i l t e r hook output p r i o r i t y 0; } } Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 20 / 40
Handling of IPv4 and IPv6 Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 21 / 40
Inet filtering Kernel side Introduce a new NFPROTO_INET family Realize dispatch later based on the effective family Activate IPv4 and IPv6 features when needed Example table i n e t f i l t e r { chain i np u t { type f i l t e r hook i np u t p r i o r i t y 0; c t s ta t e establ ished , r e l a t e d accept i i f l o accept c t s ta t e new i i f != l o tcp dpor t { ssh , 2200} tcp f l a g s == syn counter log p r e f i x SSH at tempt group 1 accept i p saddr 192.168.0.0/24 tcp dpor t { 9300 , 3142} counter accept ip6 saddr 2a03 :2880:2110: df07 : face : b00c : 0 : 1 drop } } Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 22 / 40
Result: easy handling of IPv4 and IPv6 Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 23 / 40
Atomic ruleset update (1/2) Bring transaction to nftables Update ruleset at once Need transaction support All pass or abort Need to handle table and rules Problem of set They exists at table level They are used at chain level Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 24 / 40
Atomic ruleset update (2/2) Atomic ruleset update atomically commit a set of rule-set updates incrementally based on a generation counter/mask 00 active in the present, will be active in the next generation. 01 active in the present, needs to zero its future, it becomes 00. 10 inactive in the present, delete now. Batch method Method Start transaction Send modifications mixing set and ruleset update Commit transaction Interest Limit the number of netlink messages Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 25 / 40
Dynamic set choice (1/2) Ipset usage Choose set type Among the possible choices The set subsystem Various set types are available hash rbtree No selector exists Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 26 / 40
Dynamic set choice (2/2) Constraint based selection Select set based on user constraint Memory usage Lookup complexity Syntax nf t add set f i l t e r set1 { type ipv4_addr ; size 1024 ; } nf t add set f i l t e r set1 { type ipv4_addr ; p o l i c y memory ; } nf t add set f i l t e r set1 { type ipv4_addr ; p o l i c y performance ; } Status Kernel space is implemented Userspace is not yet commited Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 27 / 40
Warning: NSFC THE FOLLOWING SLIDE CONTAINS IMAGES THAT MAY HURT THE SENSITIVITY OF SOME CATS. Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 28 / 40
The young guard Guiseppe Longo Arturo Borrero Gonzales Alvaro Neira Ayuso Ana Rey Google Summer of Code Outreach Program for Women Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 29 / 40
Ana Rey: nftables test system Regression test Test nft command and check result Most features are tested Sponsored by OPW Already led to fixes Example any/queue.t: OK any/ct.t: WARNING: line: 59: ’nft add rule -nnn ip test-ip4 output ct expiration 30’: ’ct expiration 30’ mismatches ’ct expiration 30s’ any/ct.t: WARNING: line: 61: ’nft add rule -nnn ip test-ip4 output ct expiration != 233’: ’ct expiration != 233’ mismatches ’ct expiration != 3m53s’ Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 30 / 40
Arturo Borrero: Nftsync (1/2) Principle Distribute ruleset across the network Support master/slave Deploy ruleset for non gateway systems Implementation Use notification system Collect update and distribute them Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 31 / 40
Nftsync (2/2) Current state Bootstrapped during summer Basic mode working No encryption yet Get it, try it, hack it http://git.netfilter.org/nft-sync/ Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 32 / 40
Guiseppe Longo: ebtables compat layer Provide tools compatibility Use old tools with new nftables framework Convert old command lines to new internal syntax Multi layer compatibility Bridge level: ebtables IP level: iptables Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 33 / 40
1 Introduction 2 Nftables, an Iptables replacement 3 Nftables since last Kernel Recipes 4 The future 5 Conclusion Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 34 / 40
Libnftables High level library for third party software Network manager Firewall management interfaces It will be based on nftables Using same command line Providing transaction feature Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 35 / 40
Complete import/export Exporting ruleset Can currently be done via a single nft command XML and JSON format Importing ruleset No single command to restore nft -f is not enough nft import is needed Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 36 / 40
Unification with existing BPF No real difference Different keywords related to Netfilter ct meta May be possible to merge Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 37 / 40
1 Introduction 2 Nftables, an Iptables replacement 3 Nftables since last Kernel Recipes 4 The future 5 Conclusion Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 38 / 40
Conclusion A huge evolution Solving iptables problem An answer to new usages Set handling Complex matches IPv4 and IPv6 in one table Already usable Main features are here Compatibility can be used Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 39 / 40
Questions ? Do you have questions ? Thanks to Netfilter team Google for GSoC 2014 Outreach Program for Women More information Netfilter : http://www.netfilter.org Nftables wiki: http://wiki.nftables.org Contact me Mail: eric@regit.org Twitter: @Regiteric Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 40 / 40

Recommended

Kernel Recipes 2013 - Nftables, what motivations and what solutions
Kernel Recipes 2013 - Nftables, what motivations and what solutionsKernel Recipes 2013 - Nftables, what motivations and what solutions
Kernel Recipes 2013 - Nftables, what motivations and what solutions
Anne Nicolas
 
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverterKernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Anne Nicolas
 
Kernel Recipes 2017 - EBPF and XDP - Eric Leblond
Kernel Recipes 2017 - EBPF and XDP - Eric LeblondKernel Recipes 2017 - EBPF and XDP - Eric Leblond
Kernel Recipes 2017 - EBPF and XDP - Eric Leblond
Anne Nicolas
 
Developping drivers on small machines
Developping drivers on small machinesDevelopping drivers on small machines
Developping drivers on small machines
Anne Nicolas
 
P4, EPBF, and Linux TC Offload
P4, EPBF, and Linux TC OffloadP4, EPBF, and Linux TC Offload
P4, EPBF, and Linux TC Offload
Open-NFP
 
EBPF and Linux Networking
EBPF and Linux NetworkingEBPF and Linux Networking
EBPF and Linux Networking
PLUMgrid
 
Kernel Recipes 2013 - Deciphering Oopsies
Kernel Recipes 2013 - Deciphering OopsiesKernel Recipes 2013 - Deciphering Oopsies
Kernel Recipes 2013 - Deciphering Oopsies
Anne Nicolas
 
Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)
Andriy Berestovskyy
 

Recommended

Kernel Recipes 2013 - Nftables, what motivations and what solutions
Kernel Recipes 2013 - Nftables, what motivations and what solutionsKernel Recipes 2013 - Nftables, what motivations and what solutions
Kernel Recipes 2013 - Nftables, what motivations and what solutions
Anne Nicolas
 
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverterKernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Anne Nicolas
 
Kernel Recipes 2017 - EBPF and XDP - Eric Leblond
Kernel Recipes 2017 - EBPF and XDP - Eric LeblondKernel Recipes 2017 - EBPF and XDP - Eric Leblond
Kernel Recipes 2017 - EBPF and XDP - Eric Leblond
Anne Nicolas
 
Developping drivers on small machines
Developping drivers on small machinesDevelopping drivers on small machines
Developping drivers on small machines
Anne Nicolas
 
P4, EPBF, and Linux TC Offload
P4, EPBF, and Linux TC OffloadP4, EPBF, and Linux TC Offload
P4, EPBF, and Linux TC Offload
Open-NFP
 
EBPF and Linux Networking
EBPF and Linux NetworkingEBPF and Linux Networking
EBPF and Linux Networking
PLUMgrid
 
Kernel Recipes 2013 - Deciphering Oopsies
Kernel Recipes 2013 - Deciphering OopsiesKernel Recipes 2013 - Deciphering Oopsies
Kernel Recipes 2013 - Deciphering Oopsies
Anne Nicolas
 
Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)
Andriy Berestovskyy
 
Linux Kernel Cryptographic API and Use Cases
Linux Kernel Cryptographic API and Use CasesLinux Kernel Cryptographic API and Use Cases
Linux Kernel Cryptographic API and Use Cases
Kernel TLV
 
LinuxCon 2015 Stateful NAT with OVS
LinuxCon 2015 Stateful NAT with OVSLinuxCon 2015 Stateful NAT with OVS
LinuxCon 2015 Stateful NAT with OVS
Thomas Graf
 
Cilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPFCilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPF
Thomas Graf
 
LinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking WalkthroughLinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking Walkthrough
Thomas Graf
 
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating SystemBPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
Thomas Graf
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPCilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDP
Thomas Graf
 
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDPDockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
Thomas Graf
 
Tsn linux elce17
Tsn linux elce17Tsn linux elce17
Tsn linux elce17
henrikau
 
Kernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDPKernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDP
Anne Nicolas
 
Wireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance toolsWireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance tools
Sachidananda Sahu
 
Linux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network SecurityLinux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network Security
Thomas Graf
 
DPDK KNI interface
DPDK KNI interfaceDPDK KNI interface
DPDK KNI interface
Denys Haryachyy
 
Network Traffic Search using Apache HBase
Network Traffic Search using Apache HBaseNetwork Traffic Search using Apache HBase
Network Traffic Search using Apache HBaseEvans Ye
 
DPDK In Depth
DPDK In DepthDPDK In Depth
DPDK In Depth
Kernel TLV
 
BPF - All your packets belong to me
BPF - All your packets belong to meBPF - All your packets belong to me
BPF - All your packets belong to me
_xhr_
 
Cilium - Network security for microservices
Cilium - Network security for microservicesCilium - Network security for microservices
Cilium - Network security for microservices
Thomas Graf
 
Captura de pacotes no KernelSpace
Captura de pacotes no KernelSpaceCaptura de pacotes no KernelSpace
Captura de pacotes no KernelSpacePeslPinguim
 
Making our networking stack truly extensible
Making our networking stack truly extensible Making our networking stack truly extensible
Making our networking stack truly extensible
Olivier Bonaventure
 
Future Internet protocols
Future Internet protocolsFuture Internet protocols
Future Internet protocols
Olivier Bonaventure
 
Building day 2 upload Building the Internet of Things with Thingsquare and ...
Building day 2 upload Building the Internet of Things with Thingsquare and ...Building day 2 upload Building the Internet of Things with Thingsquare and ...
Building day 2 upload Building the Internet of Things with Thingsquare and ...
Adam Dunkels
 
iptables 101- bottom-up
iptables 101- bottom-upiptables 101- bottom-up
iptables 101- bottom-up
HungWei Chiu
 
iptable casestudy by sans.pdf
iptable casestudy by sans.pdfiptable casestudy by sans.pdf
iptable casestudy by sans.pdf
Admin621695
 

More Related Content

What's hot

Linux Kernel Cryptographic API and Use Cases
Linux Kernel Cryptographic API and Use CasesLinux Kernel Cryptographic API and Use Cases
Linux Kernel Cryptographic API and Use Cases
Kernel TLV
 
LinuxCon 2015 Stateful NAT with OVS
LinuxCon 2015 Stateful NAT with OVSLinuxCon 2015 Stateful NAT with OVS
LinuxCon 2015 Stateful NAT with OVS
Thomas Graf
 
Cilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPFCilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPF
Thomas Graf
 
LinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking WalkthroughLinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking Walkthrough
Thomas Graf
 
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating SystemBPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
Thomas Graf
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPCilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDP
Thomas Graf
 
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDPDockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
Thomas Graf
 
Tsn linux elce17
Tsn linux elce17Tsn linux elce17
Tsn linux elce17
henrikau
 
Kernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDPKernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDP
Anne Nicolas
 
Wireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance toolsWireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance tools
Sachidananda Sahu
 
Linux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network SecurityLinux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network Security
Thomas Graf
 
DPDK KNI interface
DPDK KNI interfaceDPDK KNI interface
DPDK KNI interface
Denys Haryachyy
 
Network Traffic Search using Apache HBase
Network Traffic Search using Apache HBaseNetwork Traffic Search using Apache HBase
Network Traffic Search using Apache HBaseEvans Ye
 
DPDK In Depth
DPDK In DepthDPDK In Depth
DPDK In Depth
Kernel TLV
 
BPF - All your packets belong to me
BPF - All your packets belong to meBPF - All your packets belong to me
BPF - All your packets belong to me
_xhr_
 
Cilium - Network security for microservices
Cilium - Network security for microservicesCilium - Network security for microservices
Cilium - Network security for microservices
Thomas Graf
 
Captura de pacotes no KernelSpace
Captura de pacotes no KernelSpaceCaptura de pacotes no KernelSpace
Captura de pacotes no KernelSpacePeslPinguim
 
Making our networking stack truly extensible
Making our networking stack truly extensible Making our networking stack truly extensible
Making our networking stack truly extensible
Olivier Bonaventure
 
Future Internet protocols
Future Internet protocolsFuture Internet protocols
Future Internet protocols
Olivier Bonaventure
 
Building day 2 upload Building the Internet of Things with Thingsquare and ...
Building day 2 upload Building the Internet of Things with Thingsquare and ...Building day 2 upload Building the Internet of Things with Thingsquare and ...
Building day 2 upload Building the Internet of Things with Thingsquare and ...
Adam Dunkels
 

What's hot (20)

Linux Kernel Cryptographic API and Use Cases
Linux Kernel Cryptographic API and Use CasesLinux Kernel Cryptographic API and Use Cases
Linux Kernel Cryptographic API and Use Cases
 
LinuxCon 2015 Stateful NAT with OVS
LinuxCon 2015 Stateful NAT with OVSLinuxCon 2015 Stateful NAT with OVS
LinuxCon 2015 Stateful NAT with OVS
 
Cilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPFCilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPF
 
LinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking WalkthroughLinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking Walkthrough
 
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating SystemBPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPCilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDP
 
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDPDockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
 
Tsn linux elce17
Tsn linux elce17Tsn linux elce17
Tsn linux elce17
 
Kernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDPKernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDP
 
Wireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance toolsWireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance tools
 
Linux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network SecurityLinux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network Security
 
DPDK KNI interface
DPDK KNI interfaceDPDK KNI interface
DPDK KNI interface
 
Network Traffic Search using Apache HBase
Network Traffic Search using Apache HBaseNetwork Traffic Search using Apache HBase
Network Traffic Search using Apache HBase
 
DPDK In Depth
DPDK In DepthDPDK In Depth
DPDK In Depth
 
BPF - All your packets belong to me
BPF - All your packets belong to meBPF - All your packets belong to me
BPF - All your packets belong to me
 
Cilium - Network security for microservices
Cilium - Network security for microservicesCilium - Network security for microservices
Cilium - Network security for microservices
 
Captura de pacotes no KernelSpace
Captura de pacotes no KernelSpaceCaptura de pacotes no KernelSpace
Captura de pacotes no KernelSpace
 
Making our networking stack truly extensible
Making our networking stack truly extensible Making our networking stack truly extensible
Making our networking stack truly extensible
 
Future Internet protocols
Future Internet protocolsFuture Internet protocols
Future Internet protocols
 
Building day 2 upload Building the Internet of Things with Thingsquare and ...
Building day 2 upload Building the Internet of Things with Thingsquare and ...Building day 2 upload Building the Internet of Things with Thingsquare and ...
Building day 2 upload Building the Internet of Things with Thingsquare and ...
 

Similar to Kernel Recipes 2014 - What’s new in nftables?

iptables 101- bottom-up
iptables 101- bottom-upiptables 101- bottom-up
iptables 101- bottom-up
HungWei Chiu
 
iptable casestudy by sans.pdf
iptable casestudy by sans.pdfiptable casestudy by sans.pdf
iptable casestudy by sans.pdf
Admin621695
 
SRE NL MeetUp - eBPF.pdf
SRE NL MeetUp - eBPF.pdfSRE NL MeetUp - eBPF.pdf
SRE NL MeetUp - eBPF.pdf
SiteReliabilityEngin
 
IPTABLES
IPTABLESIPTABLES
IPTABLES
Tan Huynh Cong
 
Cfgmgmtcamp 2023 — eBPF Superpowers
Cfgmgmtcamp 2023 — eBPF SuperpowersCfgmgmtcamp 2023 — eBPF Superpowers
Cfgmgmtcamp 2023 — eBPF Superpowers
Raphaël PINSON
 
Iptablesrocks
IptablesrocksIptablesrocks
Iptablesrocksqwer_asdf
 
Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...
Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...
Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...
Maximilan Wilhelm
 
Replacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with CiliumReplacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with Cilium
Michal Rostecki
 
Iptables presentation
Iptables presentationIptables presentation
Iptables presentation
Emin Abdul Azeez
 
IPv6 for Pentesters
IPv6 for PentestersIPv6 for Pentesters
IPv6 for Pentesters
NotSoSecure Global Services
 
IPv6 for Pentesters
IPv6 for PentestersIPv6 for Pentesters
IPv6 for Pentesters
camsec
 
[Spark Summit EU 2017] Apache spark streaming + kafka 0.10 an integration story
[Spark Summit EU 2017] Apache spark streaming + kafka 0.10 an integration story[Spark Summit EU 2017] Apache spark streaming + kafka 0.10 an integration story
[Spark Summit EU 2017] Apache spark streaming + kafka 0.10 an integration story
Joan Viladrosa Riera
 
Apache Spark Streaming + Kafka 0.10 with Joan Viladrosariera
Apache Spark Streaming + Kafka 0.10 with Joan ViladrosarieraApache Spark Streaming + Kafka 0.10 with Joan Viladrosariera
Apache Spark Streaming + Kafka 0.10 with Joan Viladrosariera
Spark Summit
 
acn-practical_manual-19-20-1 final.pdf
acn-practical_manual-19-20-1 final.pdfacn-practical_manual-19-20-1 final.pdf
acn-practical_manual-19-20-1 final.pdf
Qual4
 
IPv6 infrastructure and multicasting status report
IPv6 infrastructure and multicasting status reportIPv6 infrastructure and multicasting status report
IPv6 infrastructure and multicasting status report
Ethern Lin
 
nftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewallnftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewall
Marian Marinov
 
Go with the Flow
Go with the Flow Go with the Flow
Go with the Flow
Bangladesh Network Operators Group
 
Go with the Flow-v2
Go with the Flow-v2Go with the Flow-v2
Go with the Flow-v2Zobair Khan
 
CCNA Routing Protocols
CCNA Routing ProtocolsCCNA Routing Protocols
CCNA Routing ProtocolsDsunte Wilson
 

Similar to Kernel Recipes 2014 - What’s new in nftables? (20)

iptables 101- bottom-up
iptables 101- bottom-upiptables 101- bottom-up
iptables 101- bottom-up
 
iptable casestudy by sans.pdf
iptable casestudy by sans.pdfiptable casestudy by sans.pdf
iptable casestudy by sans.pdf
 
SRE NL MeetUp - eBPF.pdf
SRE NL MeetUp - eBPF.pdfSRE NL MeetUp - eBPF.pdf
SRE NL MeetUp - eBPF.pdf
 
Iptables
IptablesIptables
Iptables
 
IPTABLES
IPTABLESIPTABLES
IPTABLES
 
Cfgmgmtcamp 2023 — eBPF Superpowers
Cfgmgmtcamp 2023 — eBPF SuperpowersCfgmgmtcamp 2023 — eBPF Superpowers
Cfgmgmtcamp 2023 — eBPF Superpowers
 
Iptablesrocks
IptablesrocksIptablesrocks
Iptablesrocks
 
Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...
Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...
Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...
 
Replacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with CiliumReplacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with Cilium
 
Iptables presentation
Iptables presentationIptables presentation
Iptables presentation
 
IPv6 for Pentesters
IPv6 for PentestersIPv6 for Pentesters
IPv6 for Pentesters
 
IPv6 for Pentesters
IPv6 for PentestersIPv6 for Pentesters
IPv6 for Pentesters
 
[Spark Summit EU 2017] Apache spark streaming + kafka 0.10 an integration story
[Spark Summit EU 2017] Apache spark streaming + kafka 0.10 an integration story[Spark Summit EU 2017] Apache spark streaming + kafka 0.10 an integration story
[Spark Summit EU 2017] Apache spark streaming + kafka 0.10 an integration story
 
Apache Spark Streaming + Kafka 0.10 with Joan Viladrosariera
Apache Spark Streaming + Kafka 0.10 with Joan ViladrosarieraApache Spark Streaming + Kafka 0.10 with Joan Viladrosariera
Apache Spark Streaming + Kafka 0.10 with Joan Viladrosariera
 
acn-practical_manual-19-20-1 final.pdf
acn-practical_manual-19-20-1 final.pdfacn-practical_manual-19-20-1 final.pdf
acn-practical_manual-19-20-1 final.pdf
 
IPv6 infrastructure and multicasting status report
IPv6 infrastructure and multicasting status reportIPv6 infrastructure and multicasting status report
IPv6 infrastructure and multicasting status report
 
nftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewallnftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewall
 
Go with the Flow
Go with the Flow Go with the Flow
Go with the Flow
 
Go with the Flow-v2
Go with the Flow-v2Go with the Flow-v2
Go with the Flow-v2
 
CCNA Routing Protocols
CCNA Routing ProtocolsCCNA Routing Protocols
CCNA Routing Protocols
 

More from Anne Nicolas

Kernel Recipes 2019 - Driving the industry toward upstream first
Kernel Recipes 2019 - Driving the industry toward upstream firstKernel Recipes 2019 - Driving the industry toward upstream first
Kernel Recipes 2019 - Driving the industry toward upstream first
Anne Nicolas
 
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMIKernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Anne Nicolas
 
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelKernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Anne Nicolas
 
Kernel Recipes 2019 - Metrics are money
Kernel Recipes 2019 - Metrics are moneyKernel Recipes 2019 - Metrics are money
Kernel Recipes 2019 - Metrics are money
Anne Nicolas
 
Kernel Recipes 2019 - Kernel documentation: past, present, and future
Kernel Recipes 2019 - Kernel documentation: past, present, and futureKernel Recipes 2019 - Kernel documentation: past, present, and future
Kernel Recipes 2019 - Kernel documentation: past, present, and future
Anne Nicolas
 
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Anne Nicolas
 
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary dataKernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Anne Nicolas
 
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Anne Nicolas
 
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and BareboxEmbedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Anne Nicolas
 
Embedded Recipes 2019 - Making embedded graphics less special
Embedded Recipes 2019 - Making embedded graphics less specialEmbedded Recipes 2019 - Making embedded graphics less special
Embedded Recipes 2019 - Making embedded graphics less special
Anne Nicolas
 
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre SiliconEmbedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Anne Nicolas
 
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) pictureEmbedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Anne Nicolas
 
Embedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops wayEmbedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops way
Anne Nicolas
 
Embedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmakerEmbedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmaker
Anne Nicolas
 
Embedded Recipes 2019 - LLVM / Clang integration
Embedded Recipes 2019 - LLVM / Clang integrationEmbedded Recipes 2019 - LLVM / Clang integration
Embedded Recipes 2019 - LLVM / Clang integration
Anne Nicolas
 
Embedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debuggingEmbedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debugging
Anne Nicolas
 
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimediaEmbedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Anne Nicolas
 
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all startedKernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Anne Nicolas
 
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Anne Nicolas
 
Kernel Recipes 2019 - Formal modeling made easy
Kernel Recipes 2019 - Formal modeling made easyKernel Recipes 2019 - Formal modeling made easy
Kernel Recipes 2019 - Formal modeling made easy
Anne Nicolas
 

More from Anne Nicolas (20)

Kernel Recipes 2019 - Driving the industry toward upstream first
Kernel Recipes 2019 - Driving the industry toward upstream firstKernel Recipes 2019 - Driving the industry toward upstream first
Kernel Recipes 2019 - Driving the industry toward upstream first
 
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMIKernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
 
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelKernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
 
Kernel Recipes 2019 - Metrics are money
Kernel Recipes 2019 - Metrics are moneyKernel Recipes 2019 - Metrics are money
Kernel Recipes 2019 - Metrics are money
 
Kernel Recipes 2019 - Kernel documentation: past, present, and future
Kernel Recipes 2019 - Kernel documentation: past, present, and futureKernel Recipes 2019 - Kernel documentation: past, present, and future
Kernel Recipes 2019 - Kernel documentation: past, present, and future
 
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
 
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary dataKernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
 
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
 
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and BareboxEmbedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
 
Embedded Recipes 2019 - Making embedded graphics less special
Embedded Recipes 2019 - Making embedded graphics less specialEmbedded Recipes 2019 - Making embedded graphics less special
Embedded Recipes 2019 - Making embedded graphics less special
 
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre SiliconEmbedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
 
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) pictureEmbedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
 
Embedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops wayEmbedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops way
 
Embedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmakerEmbedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmaker
 
Embedded Recipes 2019 - LLVM / Clang integration
Embedded Recipes 2019 - LLVM / Clang integrationEmbedded Recipes 2019 - LLVM / Clang integration
Embedded Recipes 2019 - LLVM / Clang integration
 
Embedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debuggingEmbedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debugging
 
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimediaEmbedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
 
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all startedKernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
 
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
 
Kernel Recipes 2019 - Formal modeling made easy
Kernel Recipes 2019 - Formal modeling made easyKernel Recipes 2019 - Formal modeling made easy
Kernel Recipes 2019 - Formal modeling made easy
 

Recently uploaded

Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Globus
 
Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604
Fermin Galan
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
Ortus Solutions, Corp
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Globus
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
Globus
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Natan Silnitsky
 
2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx
Georgi Kodinov
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus
 
GlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote sessionGlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote session
Globus
 
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
Globus
 
Understanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSageUnderstanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSage
Globus
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
Matt Welsh
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
Philip Schwarz
 
A Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdfA Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdf
kalichargn70th171
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
Globus
 
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Mind IT Systems
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
vrstrong314
 
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Globus
 
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Shahin Sheidaei
 

Recently uploaded (20)

Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
 
Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
 
2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
 
GlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote sessionGlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote session
 
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume Montevideo
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
 
Understanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSageUnderstanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSage
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
 
A Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdfA Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdf
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
 
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
 
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
 
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
 

Kernel Recipes 2014 - What’s new in nftables?

  • 1. nftables, one year later Éric Leblond Stamus Networks September 25, 2014 Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 1 / 40
  • 2. 1 Introduction 2 Nftables, an Iptables replacement 3 Nftables since last Kernel Recipes 4 The future 5 Conclusion Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 2 / 40
  • 3. 1 Introduction 2 Nftables, an Iptables replacement 3 Nftables since last Kernel Recipes 4 The future 5 Conclusion Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 3 / 40
  • 4. Éric Leblond co-founder of Stamus Networks Company providing network probe based on Suricata Focusing on bringing you the best of Suricata IDS technology Netfilter Coreteam member Work on kernel-userspace interaction Kernel hacking Ulogd2 maintainer Port of Openoffice firewall to Libreoffice Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 4 / 40
  • 5. 1 Introduction 2 Nftables, an Iptables replacement 3 Nftables since last Kernel Recipes 4 The future 5 Conclusion Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 5 / 40
  • 6. Nftables A new filtering system Replace iptables and the filtering infrastructure No changes in Hooks Connection tracking Helpers Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 6 / 40
  • 7. Nftables A new filtering system Replace iptables and the filtering infrastructure No changes in Hooks Connection tracking Helpers A new language Based on a grammar Accessible from a library Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 6 / 40
  • 8. Nftables A new filtering system Replace iptables and the filtering infrastructure No changes in Hooks Connection tracking Helpers A new language Based on a grammar Accessible from a library Netlink based communication Atomic modification Notification system Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 6 / 40
  • 9. A filtering based on a pseudo-state machine Inspired by BPF 4 registers 1 verdict A extensive instructions set Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 7 / 40
  • 10. A filtering based on a pseudo-state machine Inspired by BPF 4 registers 1 verdict A extensive instructions set Add Some Magic ? reg = pkt.payload[offset, len] reg = cmp(reg1, reg2, EQ) reg = pkt.meta(mark) reg = lookup(set, reg1) reg = ct(reg1, state) Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 7 / 40
  • 11. A filtering based on a pseudo-state machine Inspired by BPF 4 registers 1 verdict A extensive instructions set Add Some Magic ? reg = pkt.payload[offset, len] reg = cmp(reg1, reg2, EQ) reg = pkt.meta(mark) reg = lookup(set, reg1) reg = ct(reg1, state) Easy creation of new matches reg1 = pkt.payload[offset_src_port, len] reg2 = pkt.payload[offset_dst_port, len] reg = cmp(reg1, reg2, EQ) Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 7 / 40
  • 12. Architecture Kernel Tables: declared by user and attached to hook User interface: nfnetlink socket ADD DELETE DUMP Userspace libmnl: low level netlink interaction libnftnl: library handling low-level interaction with nftables Netlink’s API nftables: command line utility to maintain ruleset Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 8 / 40
  • 13. Dynamic chain loading Chain are created on-demand Chain are created via a specific netlink message Non-user chain are: Of a specific type Bound to a given hook Current chain type filter: filtering table route: old mangle table nat: network address translation table Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 9 / 40
  • 14. From userspace syntax to kernel Converting user input Operation is made via a netlink message The userspace syntax must be converted From a text message following a grammar To a binary Netlink message Linearize Tokenisation Parsing Evaluation Linearization Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 10 / 40
  • 15. From kernel to userspace syntax Kernel send netlink message It must be converted back to text Conversion Delinearization Postprocessing Textify Example i p f i l t e r output 8 7 [ payload load 4b @ network header + 16 => reg 1 ] [ b i twi s e reg 1 = ( reg=1 & 0 x 0 0 f f f f f f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00500fd9 ] [ counter pkts 7 bytes 588 ] is translated to: i p daddr 217.15.80.0/24 counter packets 7 bytes 588 # handle 8 Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 11 / 40
  • 16. Simplified kernel code A limited in-kernel size A limited set of operators and instructions A state machine No code dedicated to each match One match on address use same code as a match on port New matchs are possible without kernel modification LOC count 50000 LOC in userspace only 7000 LOC in kernel-space Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 12 / 40
  • 17. Less kernel update Pseudo state machine instruction Current instructions cover need found in previous 10 years New instruction require very limited code Development in userspace A new match will not need a new kernel ICMPv6 implementation is a single userspace patch Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 13 / 40
  • 18. Set handling Interests of sets One single rule evaluation Simple and readable ruleset Evolution handling Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 14 / 40
  • 19. Set handling Interests of sets One single rule evaluation Simple and readable ruleset Evolution handling Anonymous set nf t add rule i p global f i l t e r i p daddr {192.168.0.0/24 , 192.168.1.4} tcp dpor t {22 , 443} accept Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 14 / 40
  • 20. Set handling Interests of sets One single rule evaluation Simple and readable ruleset Evolution handling Anonymous set nf t add rule i p global f i l t e r i p daddr {192.168.0.0/24 , 192.168.1.4} tcp dpor t {22 , 443} accept Named set nf t add set global ipv4_ad { type ipv4_address ; } nf t add element global ipv4_ad { 192.168.1.4 , 192.168.1.5} nf t delete element global ipv4_ad { 192.168.1.5} nf t add rule i p global f i l t e r i p saddr @ipv4_ad drop Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 14 / 40
  • 21. Mapping Principle and interest Associative mapping linking two notions A match on the key trigger the use of the value Using addresses, interfaces, verdicts Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 15 / 40
  • 22. Mapping Principle and interest Associative mapping linking two notions A match on the key trigger the use of the value Using addresses, interfaces, verdicts Examples Anonymous mapping: # nf t add rule f i l t e r output i p daddr vmap {192.168.0.0/24 => drop , 192.168.0.1 => accept } Named mapping: # nf t i nft add map f i l t e r verdict_map { type ipv4_address = v e r d i c t ; } nft add element f i l t e r verdict_map { 1 . 2 . 3 . 5 = drop } nft add rule f i l t e r output i p daddr vmap @verdict_map Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 15 / 40
  • 23. Usage example set web_servers { type ipv4_address elements = { 192.168.1.15 , 192.168.1.5} } map admin_map { type ipv4_address = v e r d i c t elements = { 192.168.0.44 = jump logmetender , 192.168.0.42 = jump logmetrue , 192.168.0.33 = accept } }c hain forward { c t s ta t e es tabl i shed accept i p daddr @web_servers tcp dpor t ssh i p saddr map @admin_map i p daddr @web_servers tcp dpor t { ht tp , h t tp s } log accept counter log drop }c hain logmetender { log l imi t 10/minute accept }c hain logmetrue { counter log accept } } Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 16 / 40
  • 24. 1 Introduction 2 Nftables, an Iptables replacement 3 Nftables since last Kernel Recipes 4 The future 5 Conclusion Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 17 / 40
  • 25. Sexy trailer The video http://youtu.be/fUTgQw75ikA Video generation Video generated with gource Various git history have been merged File path has been prefixed with project name Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 18 / 40
  • 26. Documentation Man page Complete description of nft Man page style: Lot of things Concise description A few things missing A wiki Only a howto for now http://wiki.nftables.org/ Still incomplete but a good documentation Want to contribute: Ask on Netfilter mailing list to get an account Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 19 / 40
  • 27. IPv4 and IPv6 filtering Don’t mix the old and the new Tables are defined relatively to a IP space Must declare a table for each protocol for each chain/hook Basic filtering chains table f i l t e r { chain i np u t { type f i l t e r hook i np u t p r i o r i t y 0; } chain forward { type f i l t e r hook forward p r i o r i t y 0; } chain output { type f i l t e r hook output p r i o r i t y 0; } } table ip6 f i l t e r { chain i np u t { type f i l t e r hook i np u t p r i o r i t y 0; } chain forward { type f i l t e r hook forward p r i o r i t y 0; } chain output { type f i l t e r hook output p r i o r i t y 0; } } Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 20 / 40
  • 28. Handling of IPv4 and IPv6 Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 21 / 40
  • 29. Inet filtering Kernel side Introduce a new NFPROTO_INET family Realize dispatch later based on the effective family Activate IPv4 and IPv6 features when needed Example table i n e t f i l t e r { chain i np u t { type f i l t e r hook i np u t p r i o r i t y 0; c t s ta t e establ ished , r e l a t e d accept i i f l o accept c t s ta t e new i i f != l o tcp dpor t { ssh , 2200} tcp f l a g s == syn counter log p r e f i x SSH at tempt group 1 accept i p saddr 192.168.0.0/24 tcp dpor t { 9300 , 3142} counter accept ip6 saddr 2a03 :2880:2110: df07 : face : b00c : 0 : 1 drop } } Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 22 / 40
  • 30. Result: easy handling of IPv4 and IPv6 Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 23 / 40
  • 31. Atomic ruleset update (1/2) Bring transaction to nftables Update ruleset at once Need transaction support All pass or abort Need to handle table and rules Problem of set They exists at table level They are used at chain level Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 24 / 40
  • 32. Atomic ruleset update (2/2) Atomic ruleset update atomically commit a set of rule-set updates incrementally based on a generation counter/mask 00 active in the present, will be active in the next generation. 01 active in the present, needs to zero its future, it becomes 00. 10 inactive in the present, delete now. Batch method Method Start transaction Send modifications mixing set and ruleset update Commit transaction Interest Limit the number of netlink messages Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 25 / 40
  • 33. Dynamic set choice (1/2) Ipset usage Choose set type Among the possible choices The set subsystem Various set types are available hash rbtree No selector exists Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 26 / 40
  • 34. Dynamic set choice (2/2) Constraint based selection Select set based on user constraint Memory usage Lookup complexity Syntax nf t add set f i l t e r set1 { type ipv4_addr ; size 1024 ; } nf t add set f i l t e r set1 { type ipv4_addr ; p o l i c y memory ; } nf t add set f i l t e r set1 { type ipv4_addr ; p o l i c y performance ; } Status Kernel space is implemented Userspace is not yet commited Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 27 / 40
  • 35. Warning: NSFC THE FOLLOWING SLIDE CONTAINS IMAGES THAT MAY HURT THE SENSITIVITY OF SOME CATS. Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 28 / 40
  • 36. The young guard Guiseppe Longo Arturo Borrero Gonzales Alvaro Neira Ayuso Ana Rey Google Summer of Code Outreach Program for Women Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 29 / 40
  • 37. Ana Rey: nftables test system Regression test Test nft command and check result Most features are tested Sponsored by OPW Already led to fixes Example any/queue.t: OK any/ct.t: WARNING: line: 59: ’nft add rule -nnn ip test-ip4 output ct expiration 30’: ’ct expiration 30’ mismatches ’ct expiration 30s’ any/ct.t: WARNING: line: 61: ’nft add rule -nnn ip test-ip4 output ct expiration != 233’: ’ct expiration != 233’ mismatches ’ct expiration != 3m53s’ Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 30 / 40
  • 38. Arturo Borrero: Nftsync (1/2) Principle Distribute ruleset across the network Support master/slave Deploy ruleset for non gateway systems Implementation Use notification system Collect update and distribute them Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 31 / 40
  • 39. Nftsync (2/2) Current state Bootstrapped during summer Basic mode working No encryption yet Get it, try it, hack it http://git.netfilter.org/nft-sync/ Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 32 / 40
  • 40. Guiseppe Longo: ebtables compat layer Provide tools compatibility Use old tools with new nftables framework Convert old command lines to new internal syntax Multi layer compatibility Bridge level: ebtables IP level: iptables Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 33 / 40
  • 41. 1 Introduction 2 Nftables, an Iptables replacement 3 Nftables since last Kernel Recipes 4 The future 5 Conclusion Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 34 / 40
  • 42. Libnftables High level library for third party software Network manager Firewall management interfaces It will be based on nftables Using same command line Providing transaction feature Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 35 / 40
  • 43. Complete import/export Exporting ruleset Can currently be done via a single nft command XML and JSON format Importing ruleset No single command to restore nft -f is not enough nft import is needed Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 36 / 40
  • 44. Unification with existing BPF No real difference Different keywords related to Netfilter ct meta May be possible to merge Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 37 / 40
  • 45. 1 Introduction 2 Nftables, an Iptables replacement 3 Nftables since last Kernel Recipes 4 The future 5 Conclusion Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 38 / 40
  • 46. Conclusion A huge evolution Solving iptables problem An answer to new usages Set handling Complex matches IPv4 and IPv6 in one table Already usable Main features are here Compatibility can be used Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 39 / 40
  • 47. Questions ? Do you have questions ? Thanks to Netfilter team Google for GSoC 2014 Outreach Program for Women More information Netfilter : http://www.netfilter.org Nftables wiki: http://wiki.nftables.org Contact me Mail: eric@regit.org Twitter: @Regiteric Éric Leblond (Stamus Networks) nftables, one year later September 25, 2014 40 / 40