summaryrefslogtreecommitdiff
path: root/2003/netfilter-bof-ols2003
diff options
context:
space:
mode:
authorHarald Welte <laforge@gnumonks.org>2015-10-25 21:00:20 +0100
committerHarald Welte <laforge@gnumonks.org>2015-10-25 21:00:20 +0100
commitfca59bea770346cf1c1f9b0e00cb48a61b44a8f3 (patch)
treea2011270df48d3501892ac1a56015c8be57e8a7d /2003/netfilter-bof-ols2003
import of old now defunct presentation slides svn repo
Diffstat (limited to '2003/netfilter-bof-ols2003')
-rw-r--r--2003/netfilter-bof-ols2003/topics71
1 files changed, 71 insertions, 0 deletions
diff --git a/2003/netfilter-bof-ols2003/topics b/2003/netfilter-bof-ols2003/topics
new file mode 100644
index 0000000..8f22470
--- /dev/null
+++ b/2003/netfilter-bof-ols2003/topics
@@ -0,0 +1,71 @@
+- rule loadtime performance
+ - loading 10k rules in 1k chains takes 4'30min on P3-733
+ - 27seconds in kernelspace: mark_source_chains()
+ - reimplementation finished, needs more testing
+ - 4 minutes in userspace: Two n^2 complexity functions
+ - one of them could be removed in old chain_cache framework
+ - other function needs reimplementation (underway)
+- ctnetlink still under development, used by a couple of large sites
+- pkt_tables to be merged later in 2.6.x
+ - change to liked lists of rules in linked lists of chains
+ - use netlink-based kernel/userspace interface
+- iptables2/pkttables userspace
+ - libnfentlink / libpkttnetlink as low-layer interface
+ - move all iptables functionality into libpkttables
+ - libpkttables provides query-interface
+ - what matches/targets does this system support?
+ - what parameters does match 'foo' support?
+ - what values are acceptable for param 'bar' of match 'foo'?
+ - what is the help message for param 'bar' of match 'foo'?
+- nf-hipac as high-performance alternative to iptables
+ - very complex multi-dimensional tree structure
+ - 530kilobyte patch, 180k kernel module
+ - algorithm well-proven and regression-tested in userspace
+ - scales really good even with 100k rules
+ - now supports all iptables matches/targets
+ - cannot replace iptables because
+ - large footprint
+ - high memory usage
+ - most likely to be integrated after pkt_tables / pkttnetlink merge
+- Session logging
+ - different implementations (SLOG one of them)
+ - best solution: ctnetlink event API
+ - problem: per-connection byte/packet counters in conntrack are
+ performance hit
+- ipv6 connection tracking
+ - usagi people are working on this
+- non-linear skb support (removal of skb_linearize())
+ - thanks to rusty, 2.5.x/2.6.x now has support
+ - changes in almost any netfilter/iptables API :(
+- stateful failover / state synchronization
+ - no sponsor yet, but most likely in Q4/2003
+- conntrack optimization
+ - new hashing algorithm in 2.4.21, should improve significantly
+ - locking optimization
+ - don't use timer per conntrack, but an expiration kernel thread
+- TRACE target / raw table
+ - experimental patch in patch-o-matic
+ - enables tracing of packet through ruleset
+- netfilter workshop, August 2003, Budapest, Hungary
+ - about 20 people will attend
+ - sponsored by Astaro Inc and KFKI Research Institute
+ - open to the public, registration needed
+- we need more community
+ - developer diaries on netfilter homepage?
+ - wiki or similar tool ?
+ - announcement of IRC channel(s) on website
+- patch-o-matic 2.6.x future?
+ - I will only maintain patch-o-matic for 2.6.x
+ - maybe somebody wants to backport patches?
+ - maybe an official 2.4.x maintainer?
+- development of testing tools
+ - simple packet generator not suitable for stateful filtering
+ - even simple packet generators are very expensive
+ - connection generator
+ - user can specify profile of a connection
+ - e.g. HTTP: TCP, 500 bytes one direction, 10k other
+ - user can specify quantity and distribution
+ - i.e. 10k 'HTTP', from random source to single dest.
+ - first implementation will be userspace-only, may change later
+ - work will start in September/October, I'll post an RFC
+- deprecate ipfwadm
personal git repositories of Harald Welte. Your mileage may vary