- rule loadtime performance
  - loading 10k rules in 1k chains takes 4'30 min on a P3-733
  - 27 seconds in kernelspace: mark_source_chains()
    - reimplementation finished, needs more testing
  - 4 minutes in userspace: two n^2 complexity functions
    - one of them could be removed in the old chain_cache framework
    - the other function needs reimplementation (underway)
- ctnetlink still under development, used by a couple of large sites
- pkt_tables to be merged later in 2.6.x
  - change to linked lists of rules in linked lists of chains
  - use netlink-based kernel/userspace interface
- iptables2/pkttables userspace
  - libnfnetlink / libpkttnetlink as low-layer interface
  - move all iptables functionality into libpkttables
  - libpkttables provides a query interface:
    - what matches/targets does this system support?
    - what parameters does match 'foo' support?
    - what values are acceptable for param 'bar' of match 'foo'?
    - what is the help message for param 'bar' of match 'foo'?
- nf-hipac as high-performance alternative to iptables
  - very complex multi-dimensional tree structure
  - 530 kilobyte patch, 180k kernel module
  - algorithm well-proven and regression-tested in userspace
  - scales really well even with 100k rules
  - now supports all iptables matches/targets
  - cannot replace iptables because of
    - large footprint
    - high memory usage
  - most likely to be integrated after pkt_tables / pkttnetlink merge
- Session logging
  - different implementations (SLOG one of them)
  - best solution: ctnetlink event API
  - problem: per-connection byte/packet counters in conntrack are a performance hit
- ipv6 connection tracking
  - USAGI people are working on this
- non-linear skb support (removal of skb_linearize())
  - thanks to Rusty, 2.5.x/2.6.x now has support
  - changes in almost every netfilter/iptables API :(
- stateful failover / state synchronization
  - no sponsor yet, but most likely in Q4/2003
- conntrack optimization
  - new hashing algorithm in 2.4.21, should improve significantly
  - locking optimization
  - don't use a timer per conntrack, but an expiration kernel thread
- TRACE target / raw table
  - experimental patch in patch-o-matic
  - enables tracing of a packet through the ruleset
- netfilter workshop, August 2003, Budapest, Hungary
  - about 20 people will attend
  - sponsored by Astaro Inc and KFKI Research Institute
  - open to the public, registration needed
- we need more community
  - developer diaries on netfilter homepage?
  - wiki or similar tool?
  - announcement of IRC channel(s) on website
- patch-o-matic 2.6.x future?
  - I will only maintain patch-o-matic for 2.6.x
  - maybe somebody wants to backport patches?
  - maybe an official 2.4.x maintainer?
- development of testing tools
  - simple packet generator not suitable for stateful filtering
  - even simple packet generators are very expensive
  - connection generator
    - user can specify profile of a connection
      - e.g. HTTP: TCP, 500 bytes one direction, 10k the other
    - user can specify quantity and distribution
      - i.e. 10k 'HTTP', from random source to single dest.
    - first implementation will be userspace-only, may change later
    - work will start in September/October, I'll post an RFC
- deprecate ipfwadm