From fca59bea770346cf1c1f9b0e00cb48a61b44a8f3 Mon Sep 17 00:00:00 2001 From: Harald Welte Date: Sun, 25 Oct 2015 21:00:20 +0100 Subject: import of old now defunct presentation slides svn repo --- 2003/netfilter-bof-ols2003/topics | 71 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 2003/netfilter-bof-ols2003/topics (limited to '2003/netfilter-bof-ols2003/topics') diff --git a/2003/netfilter-bof-ols2003/topics b/2003/netfilter-bof-ols2003/topics new file mode 100644 index 0000000..8f22470 --- /dev/null +++ b/2003/netfilter-bof-ols2003/topics 
@@ -0,0 +1,71 @@ +- rule loadtime performance + - loading 10k rules in 1k chains takes 4'30min on P3-733 + - 27seconds in kernelspace: mark_source_chains() + - reimplementation finished, needs more testing + - 4 minutes in userspace: Two n^2 complexity functions + - one of them could be removed in old chain_cache framework + - other function needs reimplementation (underway) +- ctnetlink still under development, used by a couple of large sites +- pkt_tables to be merged later in 2.6.x + - change to liked lists of rules in linked lists of chains + - use netlink-based kernel/userspace interface +- iptables2/pkttables userspace + - libnfentlink / libpkttnetlink as low-layer interface + - move all iptables functionality into libpkttables + - libpkttables provides query-interface + - what matches/targets does this system support? + - what parameters does match 'foo' support? + - what values are acceptable for param 'bar' of match 'foo'? + - what is the help message for param 'bar' of match 'foo'? 
+- nf-hipac as high-performance alternative to iptables + - very complex multi-dimensional tree structure + - 530kilobyte patch, 180k kernel module + - algorithm well-proven and regression-tested in userspace + - scales really good even with 100k rules + - now supports all iptables matches/targets + - cannot replace iptables because + - large footprint + - high memory usage + - most likely to be integrated after pkt_tables / pkttnetlink merge +- Session logging + - different implementations (SLOG one of them) + - best solution: ctnetlink event API + - problem: per-connection byte/packet counters in conntrack are + performance hit +- ipv6 connection tracking + - usagi people are working on this +- non-linear skb support (removal of skb_linearize()) + - thanks to rusty, 2.5.x/2.6.x now has support + - changes in almost any netfilter/iptables API :( +- stateful failover / state synchronization + - no sponsor yet, but most likely in Q4/2003 +- conntrack optimization + - new hashing algorithm in 2.4.21, should improve significantly + - locking optimization + - don't use timer per conntrack, but an expiration kernel thread +- TRACE target / raw table + - experimental patch in patch-o-matic + - enables tracing of packet through ruleset +- netfilter workshop, August 2003, Budapest, Hungary + - about 20 people will attend + - sponsored by Astaro Inc and KFKI Research Institute + - open to the public, registration needed +- we need more community + - developer diaries on netfilter homepage? + - wiki or similar tool ? + - announcement of IRC channel(s) on website +- patch-o-matic 2.6.x future? + - I will only maintain patch-o-matic for 2.6.x + - maybe somebody wants to backport patches? + - maybe an official 2.4.x maintainer? +- development of testing tools + - simple packet generator not suitable for stateful filtering + - even simple packet generators are very expensive + - connection generator + - user can specify profile of a connection + - e.g. 
HTTP: TCP, 500 bytes one direction, 10k other + - user can specify quantity and distribution + - i.e. 10k 'HTTP', from random source to single dest. + - first implementation will be userspace-only, may change later + - work will start in September/October, I'll post an RFC +- deprecate ipfwadm -- cgit v1.2.3
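Review bot: the imported file carries two apparent typos in the pkt_tables / userspace section, `- change to liked lists of rules in linked lists of chains` (read `linked lists`) and `- libnfentlink / libpkttnetlink as low-layer interface` (presumably `libnfnetlink`, going by the `libpkttnetlink` name beside it); since the subject line describes this as a verbatim import of old slide material, either keep the text as-is and say so in the commit message, or correct it in a follow-up commit rather than silently inside the import. The ruleset numbers quoted in the same file (10k rules in 1k chains, 4'30min on a P3-733, 27 seconds in `mark_source_chains()`) are fine to preserve unchanged, but the file has no date or venue line of its own, so the only record that these are the OLS 2003 BOF topics is the directory name; a one-line header inside the file would make it self-describing once it is detached from this commit.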