Well, I’m into embedded Linux, so I was more than happy to be allowed to attend the first day of the Netfilter 2008 Workshop. The text below is very much in the “weblog” style, meaning how I felt about the talks. These notes were written that day, so there may well be misunderstandings.
You will hopefully be able to find accurate summaries and PowerPoints at this page, hosted by the kind sponsor of the day.
Vyatta
They develop a UI for routers: making “Linux as easy as Cisco to configure” seems to be their motto. They distribute and support a Debian-based distribution targeted to serve as a firewall. (Beige boxes are extremely powerful these days.) Most of the highlights were on the CLI they developed.
This CLI is very ingenious: it’s a hack of bash that takes a directory structure as the command list, making it very simple to extend.
“show network interface” will parse a default file at “show/network/interfaces”.
That file contains:
- Help text: to provide some simple online help (or maybe just by using a “help <command>” statement).
- Commands to execute.
- Auto-completion choices: should just print the list of acceptable inputs on stdout (if available). For the sake of keeping it simple, the real user input wasn’t checked against that output.
- Acceptable parameters: a list of parameters and their respective types. The list was very simple, something like integer/text/IP address/…
I think that’s a very good idea, surely worth reusing somewhere. I also like the idea of modifying bash to handle another range of commands.
Linux multi-queue networking
GET THAT PDF.
ComX networks
That’s a Danish ISP that uses firewalls on the ISP side to perform access control for their consumers. The implementation uses a lot of iptables chains, so the speaker had an opportunity to speak about optimizations.
Very interesting talk that seems to confirm that iptables performance is proportional to the chain’s length. His solution: branch often. If you have a chain that is 1000 steps long, having even a 3-level tree (2 switches: S - 5 branches - 4 branches - Exit) makes it 50 steps long in the worst case. Obviously, deciding how to split is the key to performance gains, so he wrote programs that use his knowledge of the network to generate the firewall commands.
Another optimization is his use of libipt to commit new rules to the kernel: it is faster, and a big bonus is that the operation becomes atomic, which is exactly what we need for our firewall. Even if we use DROP policies, this is always a good idea.
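To see the branching argument from this talk in numbers, here is an added example (my own code, not the speaker’s tooling) that simulates iptables chain traversal: a flat 1000-rule chain versus the same rules dispatched through 5 /14 branches and then 4 /16 branches each. The rule set and the addresses are constructed; the exact chain and network names are my own choice.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    match: ipaddress.IPv4Network  # destination network the rule matches
    target: str                   # verdict ("DROP"/"ACCEPT") or name of a chain to jump to

def walk(chains, chain, dst, steps=0):
    """Simulate iptables traversal of `chain` for destination `dst`.
    Returns (verdict, rules evaluated). A user chain that runs off its end
    RETURNs to the caller, which continues with its next rule."""
    for rule in chains[chain]:
        steps += 1
        if dst in rule.match:
            if rule.target in chains:
                verdict, steps = walk(chains, rule.target, dst, steps)
                if verdict is not None:
                    return verdict, steps
            else:
                return rule.target, steps
    return None, steps

def sample_rules(n):
    """Constructed sample: n host DROP rules spread round-robin over 10.0/16 .. 10.19/16."""
    return [Rule(ipaddress.ip_network(f"10.{i % 20}.0.{i // 20}/32"), "DROP") for i in range(n)]

def flat_chain(rules):
    return {"INPUT": list(rules)}

def branched_chain(rules):
    """Two dispatch levels: 5 branches of /14, each split into 4 branches of /16."""
    chains = {"INPUT": []}
    for a in range(5):
        chains["INPUT"].append(Rule(ipaddress.ip_network(f"10.{4 * a}.0.0/14"), f"grp{a}"))
        chains[f"grp{a}"] = []
        for b in range(4):
            x = 4 * a + b
            chains[f"grp{a}"].append(Rule(ipaddress.ip_network(f"10.{x}.0.0/16"), f"net{x}"))
            chains[f"net{x}"] = []
    for r in rules:
        second_octet = r.match.network_address.packed[1]  # pick the leaf chain by /16
        chains[f"net{second_octet}"].append(r)
    return chains

if __name__ == "__main__":
    rules = sample_rules(1000)
    for dst in ("10.19.0.49", "10.19.0.200"):  # last rule of the last leaf; no match at all
        ip = ipaddress.ip_address(dst)
        print(dst, "flat:", walk(flat_chain(rules), "INPUT", ip),
              "branched:", walk(branched_chain(rules), "INPUT", ip))
```

The worst case drops from 1000 evaluated rules to 59 (5 + 4 dispatch rules plus a 50-rule leaf), which is the talk’s “50 steps” once the dispatch overhead is counted.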
NFQueues
Good idea, but the show quickly turned into a joke. I guess we don’t have any serious application for a firewall that needs to make transactions with userspace to check whether a packet should be accepted.
Eole
This one was about a server suite for schools funded by the French government. The key point I will remember is this: anybody who isn’t a developer can’t understand the difference between freeware and open source. All they see is that “OpenOffice is like Office, only it’s cheaper, it’s free”.
Also, the reason that software is successful is that there are a lot of wizards, and because they worked very heavily on the use cases to make sure that the system administrator can’t compromise the security of the network by mistake.
Ulogd
Need more info, still not sure about performance hit…
Conntrack Tools
Another joke one, but that’s because the guest didn’t show up.
Ipset
OK, still blurry in my head, something along the lines that ipset was an alternative to iptables. We need iptables because it is very convenient and powerful. Also, ipset is very simple, so it isn’t sufficient for most uses.
The presentation was very technical; the guest is the archetype of the “Eastern European geek”, love that, but still hard to follow. Then I understood:
You can use ipset with iptables. Ipset provides the “bitmap abstraction”. A bitmap can represent an IP address range or a port range. Bitmaps can be as large as 65k (16 bits), but the big point is that checking whether a given element is in the set is a fast, fixed-time operation (move, then add, then compare).
We could use that property to segregate two classes of devices (or access permissions) within the same subnet.
Tags: embedded