by Jesper Dangaard Brouer  <jdb@comx.dk> Master of Computer Science ComX Networks A/S OpenSourceDays 2008 d.4/10-2008 ComX Networks A/S
Who am I
Presentation overview
ComX Networks A/S
Physical surroundings
The Linux box
Issues and limitations
Overview
Issue: Bad route performance
Existing solutions
The categorization tasks
Solution: SubnetSkeleton
SubnetSkeleton: Algorithm
[Figure: 10.1.2.3 with the subnets 10.0.0.0/8, 10.1.2.0/24 and 10.1.0.0/16]
SubnetSkeleton: CIDR partitioning
SubnetSkeleton: iptables
Perl - IPTables::SubnetSkeleton

    #!/usr/bin/perl
    use IPTables::SubnetSkeleton;

    my @CIDR  = (8, 16, 24);  # prefix list
    my $name  = "bw";         # Shortname for bandwidth
    my $table = "mangle";     # Use "mangle" table

    my $subnet_src = IPTables::SubnetSkeleton::new("$name", "src", $table, @CIDR);

    # Connect subnet skeleton to built-in chain "FORWARD"
    $subnet_src->connect_to("FORWARD");

    # Insert IPs to match into the tree
    $subnet_src->insert_element("10.2.11.33", "userchain1");
    $subnet_src->insert_element("10.2.10.66", "userchain2");
    $subnet_src->insert_element("10.1.2.42",  "userchain3");
    $subnet_src->insert_element("10.1.3.123", "userchain3");

    # Remember to commit the ruleset to kernel
    $subnet_src->iptables_commit();
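An added illustration, not code from the talk or from IPTables::SubnetSkeleton: this C program builds the kind of chain tree the calls above describe, one subnet-match rule per prefix level (8, 16, 24) followed by a per-host rule, for the four IPs on the slide. The chain names (`bw_src_<prefix>_<net>`) and the exact rule layout are assumptions made for the example; the module's real naming is not shown on the page.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

#define MAX_RULES 64
#define RULE_LEN  160
static char rules[MAX_RULES][RULE_LEN];  /* generated rule specs */
static int  nrules;

/* Parse a dotted-quad IPv4 address into a host-order integer; 0 on success. */
static int parse_ip(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1) return -1;
    *out = ntohl(a.s_addr);
    return 0;
}

/* Add a rule unless it already exists: hosts in one subnet share a branch. */
static void add_rule(const char *rule)
{
    for (int i = 0; i < nrules; i++)
        if (strcmp(rules[i], rule) == 0) return;
    if (nrules < MAX_RULES)
        snprintf(rules[nrules++], RULE_LEN, "%s", rule);
}

/* One subnet rule per prefix level, then the host rule in the deepest chain.
 * Chain names are hypothetical: <name>_<prefix>_<network>. */
static int insert_element(const char *name, const int *cidr, int levels,
                          const char *ip_str, const char *target)
{
    uint32_t ip;
    char parent[48], child[48], net[16], rule[RULE_LEN];
    if (parse_ip(ip_str, &ip) != 0) return -1;
    for (int i = 0; i < levels; i++)
        if (cidr[i] < 1 || cidr[i] > 32) return -1;
    snprintf(parent, sizeof parent, "%s", name);
    for (int i = 0; i < levels; i++) {
        unsigned n = ip & (0xFFFFFFFFu << (32 - cidr[i]));  /* network address */
        snprintf(net, sizeof net, "%u.%u.%u.%u",
                 n >> 24, (n >> 16) & 255, (n >> 8) & 255, n & 255);
        snprintf(child, sizeof child, "%s_%d_%s", name, cidr[i], net);
        snprintf(rule, sizeof rule, "-A %s -s %s/%d -j %s", parent, net, cidr[i], child);
        add_rule(rule);
        snprintf(parent, sizeof parent, "%s", child);
    }
    snprintf(rule, sizeof rule, "-A %s -s %s -j %s", parent, ip_str, target);
    add_rule(rule);
    return 0;
}

/* The four elements from the slide; returns the number of distinct rules. */
static int build_demo(void)
{
    static const int cidr[] = { 8, 16, 24 };  /* prefix list from the slide */
    nrules = 0;
    insert_element("bw_src", cidr, 3, "10.2.11.33", "userchain1");
    insert_element("bw_src", cidr, 3, "10.2.10.66", "userchain2");
    insert_element("bw_src", cidr, 3, "10.1.2.42",  "userchain3");
    insert_element("bw_src", cidr, 3, "10.1.3.123", "userchain3");
    return nrules;
}

int main(void)
{
    build_demo();
    for (int i = 0; i < nrules; i++) puts(rules[i]);
    return 0;
}
```

Chain creation (`-N`) lines are omitted. With the (8, 16, 24) prefix list, no chain in this layout holds more than 256 rules, however many hosts are inserted.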
Full routing performance achieved
Back to subject: Slow ruleset changes
Issue: iptables command slow
Take advantage of libiptc
Perl - IPTables::libiptc
Next scalability issue: Chain lookup
Chains lookup: Solution
[Figure: chain index (array, entries 0 to 3) and chain list (linked list, sorted by chain name)] Mainline: iptables ver.1.4.1, git:2008-01-15
Chain index: Insert chain
[Figure: chain index (array) and chain list (linked list, sorted by chain name)]
Chain index: Delete chain
[Figure: chain index (array) and chain list (linked list, sorted by chain name); "Rebuild array"]
Solving: Initial ruleset parsing
Mainline: iptables ver.1.4.2-rc1, git: 2008-07-03
Summary: Load time
The machine with the most customers has, in the filter table: Chains: 9827, Rules: 36532
Summary: Open Source
Summary: Goal reached?
The End
81.161.128.0/18 195.135.216.0/22 87.72.0.0/16 82.211.224.0/19
Extra slides
Route cache perf
CPU util softirq
More libiptc stats
BSD pf firewalling

Netfilter: Making large iptables rulesets scale


Editor's notes

  1. TALK: First I'll focus on the routing performance issue; I'll come back to slow rule changes later.
  2. (To solve the routing performance issue, I had to: Make traffic categorizing scale!) (reducing the lookup time from O(n) to O(log(n)))
  3. (named skip-list search infrastructure by Thomas Jacob <jacob@internet24.de>) (In mainline, iptables version 1.4.1, git:2008-01-15) The runtime complexity is actually also affected by this "bucket" size concept. Thus, O(log(n/k) + k) where k is CHAIN_INDEX_BUCKET_LEN.
  4. (In mainline: iptables ver.1.4.2-rc1, git: 2008-07-03)
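
The chain index from the "Chains lookup: Solution" slide and note 3, as an added C sketch that is not libiptc's code: an array indexes every k-th node of a name-sorted linked list, so a lookup is a binary search over the array followed by a scan of one bucket, O(log(n/k) + k). `BUCKET_LEN` is a demo value standing in for CHAIN_INDEX_BUCKET_LEN, and the `cust_NNN` chain names are constructed.

```c
#include <stdio.h>
#include <string.h>

#define BUCKET_LEN 4   /* demo value; stands in for CHAIN_INDEX_BUCKET_LEN (k) */
#define MAX_CHAINS 64
struct chain { char name[32]; struct chain *next; };  /* list sorted by name */

static struct chain nodes[MAX_CHAINS], *head;
static struct chain *chain_index[MAX_CHAINS / BUCKET_LEN + 1];
static int index_len;
static int cmp_count;  /* name comparisons made by the last lookup */

static int cmp(const char *a, const char *b) { cmp_count++; return strcmp(a, b); }

/* Build n constructed, sorted chain names and index every BUCKET_LEN-th node. */
static int build(int n)
{
    if (n < 0 || n > MAX_CHAINS) return -1;
    head = NULL;
    index_len = 0;
    for (int i = n - 1; i >= 0; i--) {
        snprintf(nodes[i].name, sizeof nodes[i].name, "cust_%03d", i);
        nodes[i].next = head;
        head = &nodes[i];
    }
    for (int i = 0; i < n; i += BUCKET_LEN)
        chain_index[index_len++] = &nodes[i];
    return index_len;
}

/* Scan at most `limit` nodes of the sorted list starting at c. */
static struct chain *scan(struct chain *c, const char *name, int limit)
{
    for (int i = 0; c && i < limit; i++, c = c->next) {
        int r = cmp(c->name, name);
        if (r == 0) return c;
        if (r > 0) break;  /* sorted: already past where it would be */
    }
    return NULL;
}

/* Without the index: walk the list from the head, O(n). */
static struct chain *find_linear(const char *name)
{
    cmp_count = 0;
    return scan(head, name, MAX_CHAINS);
}

/* With the index: binary search for the bucket, then scan it, O(log(n/k) + k). */
static struct chain *find_indexed(const char *name)
{
    int lo = 0, hi = index_len - 1;
    cmp_count = 0;
    if (index_len == 0) return NULL;
    while (lo < hi) {  /* find last index entry whose name is <= target */
        int mid = (lo + hi + 1) / 2;
        if (cmp(chain_index[mid]->name, name) <= 0) lo = mid;
        else hi = mid - 1;
    }
    return scan(chain_index[lo], name, BUCKET_LEN);
}

int main(void)
{
    build(64);
    find_linear("cust_063");  printf("linear:  %d comparisons\n", cmp_count);
    find_indexed("cust_063"); printf("indexed: %d comparisons\n", cmp_count);
    return 0;
}
```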