import of old now defunct presentation slides svn repo

1 files changed, 454 insertions, 0 deletions

diff --git a/iproute2/iproute2+tc-slides.mgp b/iproute2/iproute2+tc-slides.mgp
new file mode 100644
index 0000000..9791f79
--- /dev/null
+++ b/iproute2/iproute2+tc-slides.mgp
@@ -0,0 +1,454 @@
+%include "default.mgp"
+%default 1 bgrad
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+%nodefault
+%back "blue"
+
+%center
+%size 7
+
+
+Advanced Linux Networking
+
+
+%center
+%size 4
+by
+
+Harald Welte <laforge@gnumonks.org>
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Advanced Linux Networking
+Contents
+
+	Introduction
+
+	Advanced Routing with iproute2
+
+	Bandwidth Management using tc
+
+	Advanced netfilter concepts
+
+	References / Further Reading
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Advanced Linux Networking
+Introduction
+
+Changes in the Linux IP stack
+
+	Alexey Kuznetsov introduced new routing in 2.2
+
+	IPv6 support required generalization
+
+	tc subsystem (traffic control)
+
+	Hooks in the Network stack (netfilter)
+
+	Netlink Sockets
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page 
+Advanced Linux Networking
+Introduction
+
+What can Linux do for me?
+
+	Sophisticated routing (not only destination based)
+
+	Control how the bandwidth is divided
+
+	Prevent DoS attacks (various kinds of flooding)
+
+	Advanced packet filtering (see my other talk)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Advanced Linux Networking
+PART I - Advanced Routing
+
+	Traditional IP routing
+
+		router is connected to more than one network segment
+
+		router knows which hosts are direcltly attached to these segments
+
+		router knows where to send packets if destination not link-local
+
+		router builds decision for each packet, based on its destination
+
+	Why is this insufficient?
+
+		Real-world network scenario getting more complex
+
+		People want to have different routing for different services
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Advanced Linux Networking
+PART I - Advanced Routing
+
+Policy routing with iproute2
+
+	Multiple routing tables
+
+	Rules describing which routing table to use
+
+	Configurable using commandline tool 'iproute2'
+
+	Each rule consists of
+		priority		(Determining order of rules)
+		match		(Which packets match this rule)
+			packet source address
+			packet destination address
+			TOS value
+			incoming interface
+			fwmark (set by ipchains / iptables)
+		action		Which routing table
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Advanced Linux Networking
+PART I - Advanced Routing
+
+The 'ip' command
+		used for 
+			interface configuration
+			neighbour/arp tables
+			policy routing
+			routing tables
+			tunnels
+			multicast routing
+		communication with kernel through netlink sockets 
+
+		Important commands for policy routing
+			ip rule show	Show all rules in policy database
+			ip rule add	Add new rule to policy database
+			ip rule delete	Delete rule from policy database
+
+Examples:
+%font "typewriter"
+%size 3
+> ip rule add from 1.2.3.4/16 to 5.6.7.8/24 dev eth0 table 10
+
+> ip rule show
+
+0:      from all lookup local 
+32765:  from 1.2.3.4/16 to 5.6.7.8/24 iif eth0 lookup 10 
+32766:  from all lookup main 
+32767:  from all lookup 253 
+%font "standard"
+%size 5
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page 
+Advanced Linux Networking
+PART I - Advanced Routing
+
+The 'ip' command
+
+		Important commands for routing tables
+			ip route add	Add routing table entry
+			ip route del	Delete routing table entry
+			ip route list	List routing table
+			ip route flush	Flush routing cache
+
+		In reality far more sophisticated
+%font "typewriter"
+%size 2
+Usage: ip route { list | flush } SELECTOR
+       ip route get ADDRESS [ from ADDRESS iif STRING ]
+                            [ oif STRING ]  [ tos TOS ]
+       ip route { add | del | change | append | replace | monitor } ROUTE
+SELECTOR := [ root PREFIX ] [ match PREFIX ] [ exact PREFIX ]
+            [ table TABLE_ID ] [ proto RTPROTO ]
+            [ type TYPE ] [ scope SCOPE ]
+ROUTE := NODE_SPEC [ INFO_SPEC ]
+NODE_SPEC := [ TYPE ] PREFIX [ tos TOS ]
+             [ table TABLE_ID ] [ proto RTPROTO ]
+             [ scope SCOPE ] [ metric METRIC ]
+INFO_SPEC := NH OPTIONS FLAGS [ nexthop NH ]...
+NH := [ via ADDRESS ] [ dev STRING ] [ weight NUMBER ] NHFLAGS
+OPTIONS := FLAGS [ mtu NUMBER ] [ advmss NUMBER ]
+           [ rtt NUMBER ] [ rttvar NUMBER ]
+           [ window NUMBER] [ cwnd NUMBER ] [ ssthresh REALM ]
+           [ realms REALM ]
+TYPE := [ unicast | local | broadcast | multicast | throw |
+          unreachable | prohibit | blackhole | nat ]
+TABLE_ID := [ local | main | default | all | NUMBER ]
+SCOPE := [ host | link | global | NUMBER ]
+FLAGS := [ equalize ]
+NHFLAGS := [ onlink | pervasive ]
+RTPROTO := [ kernel | boot | static | NUMBER ]
+%font "standard"
+%size 5
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Advanced Linux Networking
+PART II - Bandwidth Management
+
+	What do I need Bandwidth Management for?
+
+		Decide how and who available bandwidth is devided
+
+		Limit available bandwidth for certain users / applications
+
+		Guarantee bandwidth for certain users / applications
+
+		Divide bandwidth more equally between users / applications
+
+		QoS, DiffServ, IntServ
+
+	Linux 2.2 / 2.4 provides elaborate framework
+
+		Called 'packet scheduling' or 'traffic control'
+		Another major achievement of Alexey Kuznetsov
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Advanced Linux Networking
+PART II - Bandwidth Management
+
+Basic iptables commands
+
+To build a complete iptable command, we must specify
+	which table to work with
+	which chain in this table to use
+	an operation (insert, add, delete, modify)
+	a match
+	a target
+
+The syntax is
+%font "typewriter"
+%size 3
+iptables -t table -Operation chain -j target match(es)
+%font "standard"
+%size 5
+
+Example:
+%font "typewriter"
+%size 3
+iptables -t filter -A INPUT -j ACCEPT -p tcp --dport smtp
+%font "standard"
+%size 5
+ 
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Advanced Linux Networking
+PART II - packet filtering
+
+Targets
+
+	Builtin Targets to be used in filter table
+		ACCEPT	accept the packet
+		DROP	silently drop the packet 
+		QUEUE	enqueue packet to userspace
+		RETURN	return to previous (calling) chain
+		foobar	user defined chain
+
+Targets implemented as loadable modules 
+		REJECT	drop the packet but inform sender
+		MIRROR	change source/destination IP and resend
+		LOG  	log via syslog
+		ULOG	log via userspace
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Advanced Linux Networking
+PART II - packet filtering
+
+Matches
+
+	Basic matches
+		-p			protocol (tcp/udp/icmp/...)
+		-s			source address (ip/mask)
+		-d			destination address (ip/mask)
+		-i			incoming interface
+		-o			outgoing interface
+
+	Match extensions
+		--dport		destination port
+		--sport	 	source port
+		--mac-source 	source MAC address
+		--mark 		nfmark
+		--tos		TOS field of IP header
+		--ttl		TTL field of IP header
+		--limit	 	rate limiting (n packets per timeframe)
+		--owner	 	owner uid of the socket sending the packet
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Advanced Linux Networking
+PART III - NAT
+
+Overview
+
+		Previous Linux Kernels only implemented one special case of NAT: Masquerading
+
+		Netfilter enables Linux to do any kind of NAT.
+
+		All matches from packet filtering are available for the nat tables, too
+
+		We divide NAT into 'source NAT' and 'destination NAT'
+
+			SNAT changes the packet's source whille passing NF_IP_POST_ROUTING
+
+			DNAT changes the packet's destination while passing NF_IP_PRE_ROUTING
+
+			MASQUERADE is a special case of SNAT
+
+			REDIRECT is a special case of DNAT
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Advanced Linux Networking
+PART III - NAT
+
+Source NAT
+
+	SNAT Example:
+%font "typewriter"
+%size 3
+
+iptables -t nat -A POSTROUTING -j SNAT --to-source 1.2.3.4 -s 10.0.0.0/8
+%font "standard"
+%size 4
+
+Masquerading does almost the same as SNAT, but if the outgoing interfaces' address changes (in case we have a dialup with dynamic ip), the new address is used.
+
+	MASQUERADE Example:
+%font "typewriter"
+%size 3
+
+iptables -t nat -A POSTROUTING -j MASQUERADE -o ppp0
+%font "standard"
+%size 5
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Advanced Linux Networking
+PART III - NAT
+
+Destination NAT
+
+	DNAT example:
+%font "typewriter"
+%size 3
+
+iptables -t nat -A PREROUTING -j DNAT --to-destination 1.2.3.4:8080 -p tcp --dport 80 -i eth1
+%font "standard"
+%size 4
+
+REDIRECT is a special case of DNAT, which alters the destination to the address of the incoming interface.
+
+	REDIRECT example:
+%font "typewriter"
+%size 3
+
+iptables -t nat -A PREROUTING -j REDIRECT --to-port 3128 -i eth1 -p tcp --dport 80
+%font "standard"
+%size 5
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Advanced Linux Networking
+PART IV - Packet mangling
+
+	Change certain parts of a packet based on rules in IP tables
+
+	Again all the matches available, as described in packet filtering section.
+
+	Currently, the supported packet mangling targets are:
+		TOS	manipulate the TOS bits 
+		TTL	set / increase / decrease TTL field
+		MARK	change the nfmark field of the skb
+
+Simple example:
+%font "typewriter"
+%size 3
+
+iptables -t mangle -A PREROUTING -j MARK --set-mark 10 -p tcp --dport 80
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Advanced Linux Networking
+Advanced Netfilter concepts
+
+	Connection tracking
+
+		Implemented seperately from NAT 
+
+		Enables stateful filtering 
+
+		Implementation
+			hooks into NF_IP_PRE_ROUTING to track packets
+			hooks into NF_IP_POST_ROUTING and NF_IP_LOCAL_IN to drop information about connections which got filtered out
+			protocol modules (currently TCP/UDP/ICMP)
+			application helpers (currently FTP and IRC-DCC)
+
+		Conntrack divides packets in the following four categories
+			NEW - would establish new connection
+			ESTABLISHED - part of already established connection
+			RELATED - is related to established connection
+			INVALID - (multicast, errors...)
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Advanced Linux Networking
+Advanced Netfilter concepts
+
+%size 4
+	Userspace logging
+		flexible replacement for old syslog-based logging
+		packets to userspace via multicast netlink sockets
+		easy-to-use library (libipulog)
+		plugin-extensible userspace logging daemon already available
+
+	Queuing
+		reliable asynchronous packet handling 
+		packets to userspace via unicast netlink socket
+		easy-to-use library (libipq)
+		experimental queue multiplex daemon (ipqmpd)
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Advanced Linux Networking
+Current Development and Future
+
+Netfilter (although it proved very stable) is still work in progress. 
+
+Areas of current development
+	infrastructure for conntrack/nat helpers in userspace
+	full TCP sequence number tracking
+	multicast support for connection tracking
+	more flexible matches (MAXCONN, ...)
+	more conntrack and NAT modules (RPC, SNMP, SMB, ...)
+	better IPv6 support (conntrack, more matches / targets)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Advanced Linux Networking
+Availability of slides / Links
+
+The slides and the an according paper of this presentation are available at 
+	http://www.gnumonks.org
+
+The netfilter homepage is mirrored at:
+	http://netfilter.samba.org
+	http://netfilter.kernelnotes.org
+	http://netfilter.filewatcher.org
+
+More documents / netfilter extensions (ulogd, ipqmpd, ...)
+	http://www.gnumonks.org/projects