On Tue, Sep 14, 2010 at 4:28 AM, Praseed Pai <[email protected]> wrote:
>
> @all
> I have got an idea here, why cannot we elaborate
> the stuff so that it will be useful for all.
> I will write my understanding and ask questions which
> I have got trouble following.
>

I am glad to explain :-)


> I understand from the wording that the packet filter runs on a server.
> I inferred this from the "multiprocessor machines" stuff. My notion is that
> routers can also host packet filters.
> (All routers have got a POSIX compliant system inside.) Is there
> any router level packet filter?
> (We can write filter logic using the remote administration
> tool of the routers. An OS level packet filter is good for
> multi-homed servers though.)
>
> Any pointers to this ?
>

The simple term for a packet filter is a "firewall".
Most of them come with the kernel itself, with an option to turn them
on/off in rc.conf or so.

A few examples are:

http://www.openbsd.org/faq/pf/
http://en.wikipedia.org/wiki/IPFilter
http://www.netfilter.org/projects/iptables/index.html

They can run on any system not just servers.

A packet filter intercepts tcp/ip packets and performs actions like

drop - packet is silently discarded.
return - a TCP RST packet is returned for blocked TCP packets
pass - allow the packet to pass through
etc.

according to the rule set.

Some routers run with these OSes so they already have this packet
filter capability.

I guess by "router level" and "OS level" you mean "in-kernel"?

> >
> >Highlights of NPF features include
> >
> >* MP-safety and locklessness for scalable MP performance: no longer is
> > the packet filter the bottleneck in your multicore router
> >
> The above statement can be read as the feature is for people who want to
> embed the NetBSD kernel inside their routers. The parallelism of multicore
> machines (or routers) can make things quite fast.
>

When these OSes run on multiprocessor systems, the packet filter, just
like any other software, is also affected by the locking.

http://en.wikipedia.org/wiki/Giant_lock

One of the reasons why DragonFlyBSD was formed was to get rid of this:

 http://www.dragonflybsd.org/goals/#messaging

NetBSD runs on many hardware platforms,

http://www.netbsd.org/ports/#in-tree-ports

even on a bread toaster

http://www.embeddedarm.com/software/arm-netbsd-toaster.php

and now with NPF you can get rid of the Giant Lock.

So by adding CPUs you get better performance rather than losing
performance due to locking :-)

Hope I made it clear enough?

> >
> > Fast hash-table and red-black tree lookups
> >
>
> When they say lookup, what kind of stuff do they look up while rules are applied?
>

OK, a typical rule in PF will look like:

pass in on $ext_if from <allowed-users> to $ftp-server

This will pass IPs in the <allowed-users> table coming in on the
firewall's external interface to the FTP server behind it.

The <allowed-users> table may contain 10 thousand IPs, so when a
packet comes in and this rule is applied, the source IP in that packet
must be looked up in the <allowed-users> table to perform the "pass"
action.

Just an example.



> >
> I assume stateful packet filtering in this context means the system will take
> into consideration a bunch of packets as a logical unit. By chasing a few links I
> could understand what NAPT is (sort of .. my understanding might be wrong as well).
> ALG, I believe, is filtering the packets at a higher level than the Network
> layer. This works at the TCP/IP application layer. Can be used for load balancing etc?
>

Stateful packet filtering means the TCP/IP SYN packet first sent will
be evaluated against the ruleset, and if it is passed a state entry will
be made in the state table. The packets that match the state table
entry will not be evaluated thereafter but passed. This is the way
most firewalls work now by default. It reduces a lot of overhead.


> >
> >* The N-Code processor, a packet-inspection engine inspired by BPF:
> > the N-Code processor is programmed to match packets using generic,
> > RISC-like instructions and a few CISC-like instructions for common
> >patterns such as IPv4 addresses
> >
> I assume every packet filter engine has got a "virtual machine" inside to
> execute instructions and the rules are baked into the instruction set of
> this virtual processor. if this is possible , some one might do just in
> time compilation to the host processor. BPF is berkeley packet filter.
>

Now that is beyond me :-)
Most BSD systems have a BPF interface.

> >
> >* Familiar configuration syntax and utilities
> >
> >* Modularity and extensibility: users extend NPF by loading a kernel
> > module.  NPF provides developers with an extensions API.  NPF rules
> > can embed a hook that invokes an extension
> >
> From this, I understand that all packet filters have got a Domain Specific
> Language (a name would be Network Packet Filtering Language) used
> by network administrators. To augment this system, we can write C/C++
> based plugins to the NPF core. The kernel module can have an additional
> layer which interprets the packet as well.
>

Packet filters generally have a language to configure the rules, like:

http://www.openbsd.org/faq/pf/filter.html#syntax

I haven't looked into NPF yet; I will let you know afterwards.

> >
> >By the end of January, NPF should have all of the capabilities that
> >NetBSD users have come to expect by using the other filters in the
> >kernel:
> >       * IPv4 reassembly support
> >       * Bi-directional NAT and port forwarding (re-direction)
> >       * FTP proxy support
> >       * IP header flags cleansing
> >       * ICMP packets and TCP RST packet blocking
> >       * Save/restore state
> >       * Packet logging, configurable using filter rules
> >
> I have followed some of them, and I need to read more to understand.
>

Most of the BSDs are using the OpenBSD PF because it is clean code,
simple to configure, secure and can be clustered. So the new guy needs
a little more time to grow up with features :-)

> >
> >Beyond that, NPF needs code for IPv6 support.  Rasiukevicius agrees to
> >provide technical support to developers who will add IPv6 support to
> >NPF.  An outline of the steps to IPv6 support will be forthcoming.
> >
> I have been hearing about IPv6 ever since I started computer programming.
> Anyone in this group who has got exposure to this? (as a programmer or
> administrator).
>

We can use it in the LAN but not on the Internet unless our IS supports it :-(

This is a free book on it.

http://www.secondinternet.org/content/free-ipv6-book-second-internet.

I started making a few services in the LAN IPv6 at one point but other
things came up and I am stuck. Well, it will be quite some time till I
get back, because when Squeeze comes up I will have to spend a lot of
time upgrading and migrating stuff to new servers on the internet.

> >
> >NPF is the third packet filter in NetBSD, after IP Filter and PF.  NPF
> >is unique for using a bytecode interpreter in its packet-inspection
> >engine, and for answering the question, "What does a packet filter
> >designed from the bottom up for multiprocessor systems look like?"
> >
> This will be the USP of this initiative. The system which is designed to be
> multi core programmable ( using Intel TBB (Thread building block ) or
> OpenMP ) from the ground up will fare better than a system ported to
> Multicore system from the unicore/uniprocessor system.
>

Yes!

> Take for example the venerable GCC compiler. It is the compiler which
> world relies on running a sizeable part of their system code. The problem
> with GCC is that you can do parallel compilation. Apple corporation is
> building a compiler which replicates GCC  command line options  to
> do parallel compilation. The initiative is called CLANG and the compiler
> infrastructure is based on LLVM (  http://clang.llvm.org/ )
>
> The moral of the whole story is design system from the ground up with
> multicore processors in mind.
>

Yes especially for the firewall as packet rate increases locking will
cause it to be the bottleneck. The rule of thumb now is use a fast
single processor machine.


> Last , but not the least what about the relationship between BSD
>derivative operating systems and FSF ?
>Why cannot debian project use these kernels ? I think Hurd
> is not ever going to be ready in our life time. (My personal opinion!)
>

Oh yea Debian uses them :-)

http://www.debian.org/ports/kfreebsd-gnu/
http://www.debian.org/ports/netbsd/

hope I clarified stuff?

cheers

--Siju
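The three mechanisms described in this reply (the pass/drop/return actions applied per the ruleset, the lookup of a packet's source address in a large <allowed-users> table, and the state table that lets packets of an already-passed connection skip the ruleset) can be seen together in a small simulator. The following is an added example, not code from PF, NPF or the mailing list; it assumes PF's "last matching rule wins" semantics, a leading block-all rule, and that only a SYN may open a new state (PF's default "flags S/SA" behaviour). The addresses, interface names and the 10,000 generated table entries are constructed sample data.

```python
"""Toy stateful packet filter modelling the PF behaviour described in the
mail: rule actions (pass/drop/return), table lookup of the source address,
and a state table that lets later packets skip the ruleset.
Constructed example, not PF or NPF code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


class AddrTable:
    """Address table such as PF's <allowed-users>: single hosts live in a
    hash set (O(1) lookup), prefixes in a short list scanned linearly."""

    def __init__(self, entries):
        self.hosts = set()
        self.nets = []
        for e in entries:
            net = ip_network(e, strict=False)
            if net.num_addresses == 1:
                self.hosts.add(net.network_address)
            else:
                self.nets.append(net)

    def __contains__(self, addr):
        a = ip_address(addr)
        return a in self.hosts or any(a in n for n in self.nets)


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrives on
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for the first packet of a TCP connection


@dataclass
class Rule:
    """One filter rule; a field left as None matches anything."""
    action: str                          # "pass", "drop" or "return"
    iface: Optional[str] = None
    src_table: Optional[AddrTable] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt):
        return ((self.iface is None or pkt.iface == self.iface)
                and (self.src_table is None or pkt.src in self.src_table)
                and (self.dst is None or pkt.dst == self.dst)
                and (self.dport is None or pkt.dport == self.dport))


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()          # (src, sport, dst, dport) tuples
        self.rule_evaluations = 0    # how often the ruleset was walked
        self.rst_sent = []           # TCP RSTs generated by "return"

    def _evaluate(self, pkt):
        """Walk the ruleset; as in PF the last matching rule wins."""
        self.rule_evaluations += 1
        action = "pass"
        for rule in self.rules:
            if rule.matches(pkt):
                action = rule.action
        return action

    def filter(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.states:
            return "pass"            # known connection: ruleset not consulted
        if not pkt.syn:
            return "drop"            # only a SYN may open a new connection
        action = self._evaluate(pkt)
        if action == "pass":         # record both directions of the flow
            self.states.add(key)
            self.states.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        elif action == "return":     # RST goes back to the sender
            self.rst_sent.append((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return action


def build_firewall():
    # Constructed table: two hosts, one prefix and 10,000 generated hosts.
    entries = ["192.0.2.10", "192.0.2.11", "198.51.100.0/24"]
    entries += [str(ip_address("172.16.0.0") + i) for i in range(10_000)]
    allowed = AddrTable(entries)
    ftp_server = "10.0.0.5"   # assumed address of $ftp-server
    return Firewall([
        Rule("drop"),                                     # block all by default
        Rule("pass", "ext_if", allowed, ftp_server, 21),  # pass in on $ext_if from <allowed-users> to $ftp-server
        Rule("return", "ext_if", None, ftp_server, 22),   # answer outside SSH attempts with a RST
    ])


def run_demo():
    fw = build_firewall()
    results = [
        fw.filter(Packet("ext_if", "192.0.2.10", 40000, "10.0.0.5", 21, syn=True)),
        fw.filter(Packet("ext_if", "192.0.2.10", 40000, "10.0.0.5", 21)),         # data packet, same flow
        fw.filter(Packet("int_if", "10.0.0.5", 21, "192.0.2.10", 40000)),         # server's reply
        fw.filter(Packet("ext_if", "172.16.39.15", 5555, "10.0.0.5", 21, syn=True)),  # last generated host
        fw.filter(Packet("ext_if", "203.0.113.7", 5555, "10.0.0.5", 21, syn=True)),   # not in the table
        fw.filter(Packet("ext_if", "203.0.113.7", 5556, "10.0.0.5", 22, syn=True)),   # blocked with RST
        fw.filter(Packet("ext_if", "203.0.113.7", 5557, "10.0.0.5", 21)),             # no state, no SYN
    ]
    return results, fw.rule_evaluations, len(fw.rst_sent)


if __name__ == "__main__":
    print(run_demo())
```

Running it shows seven packets but only four ruleset walks: the second, third and seventh packets are decided by the state table alone, which is the overhead reduction the reply describes. Splitting the table into a hash set for hosts and a list for prefixes is the simplest way to keep the lookup cheap once the table holds thousands of entries; a real filter would use a radix or red-black tree for the prefixes as well.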

_______________________________________________
Indian Libre User Group Cochin Mailing List
http://www.ilug-cochin.org/mailing-list/
http://mail.ilug-cochin.org/mailman/listinfo/mailinglist_ilug-cochin.org
#[email protected]
