Hi Siju,

Even though I did not follow it fully (I have only a partial understanding of network programming or network administration), the post was informative. Thank you for posting.

@all I have got an idea here: why can't we elaborate the stuff so that it will be useful for all? I will write my understanding and ask questions about the parts I have had trouble following. (Do not try to post Wiki links for every bit of stuff, but as an additional comprehension mechanism Wiki links are welcome. It is just a suggestion.)

> The NetBSD Foundation is pleased to announce NPF, a new packet filter
> by Mindaugas Rasiukevicius. NPF is designed for high performance on
> multiprocessor machines, and for easy extensibility.

I understand from the wording that the packet filter runs on a server. I inferred this from the "multiprocessor machines" stuff. My notion is that routers can also host packet filters. (All routers have got a POSIX compliant system inside.) Is there any router level packet filter? (We can write filter logic using the remote administration tool of the routers. An OS level packet filter is good for multi-homed servers though.) Any pointers to this?

> Highlights of NPF features include
>
> * MP-safety and locklessness for scalable MP performance: no longer is
>   the packet filter the bottleneck in your multicore router

The above statement can be read as: the feature is for people who want to embed the NetBSD kernel inside their routers. The parallelism of multicore machines (or routers) can make things quite fast.

> * Fast hash-table and red-black tree lookups

They have used sophisticated data structures and associated algorithms for making the rule lookup fast. A hash table is good in cases where you do not want sorted sequential access. A red-black tree is the fastest data structure for in-memory lookup of key/value pairs. When they say lookup, what kind of stuff do they look up while rules are applied?

> * Stateful packet filtering, Network Address Port Translation (NAPT),
>   and Application-Level Gateways (ALGs) for, e.g., traceroute

I assume stateful packet filtering in this context means the system will take into consideration a bunch of packets as a logical unit. By chasing a few links I could understand what NAPT is (sort of... my understanding might be wrong as well). ALG, I believe, is filtering the packets at a higher level than the network layer. This works at the TCP/IP application layer. Can be used for load balancing etc.?

> * The N-Code processor, a packet-inspection engine inspired by BPF:
>   the N-Code processor is programmed to match packets using generic,
>   RISC-like instructions and a few CISC-like instructions for common
>   patterns such as IPv4 addresses

I assume every packet filter engine has got a "virtual machine" inside to execute instructions, and the rules are baked into the instruction set of this virtual processor. If this is possible, someone might do just-in-time compilation to the host processor. BPF is the Berkeley Packet Filter.

> * Familiar configuration syntax and utilities
>
> * Modularity and extensibility: users extend NPF by loading a kernel
>   module. NPF provides developers with an extensions API. NPF rules
>   can embed a hook that invokes an extension

From this, I understand that all packet filters have got a domain specific language (a name would be Network Packet Filtering Language) used by network administrators. To augment this system, we can write C/C++ based plugins to the NPF core. The kernel module can have an additional layer which interprets the packet as well. The vendor of your router can use this extensibility mechanism.

> By the end of January, NPF should have all of the capabilities that
> NetBSD users have come to expect by using the other filters in the
> kernel:
> * IPv4 reassembly support
> * Bi-directional NAT and port forwarding (re-direction)
> * FTP proxy support
> * IP header flags cleansing
> * ICMP packets and TCP RST packet blocking
> * Save/restore state
> * Packet logging, configurable using filter rules

I have followed some of them, and I need to read more to understand.

> Beyond that, NPF needs code for IPv6 support. Rasiukevicius agrees to
> provide technical support to developers who will add IPv6 support to
> NPF. An outline of the steps to IPv6 support will be forthcoming.

I have been hearing about IPv6 ever since I started computer programming. Anyone in this group who has got exposure to this (as a programmer or administrator)?

> NPF is the third packet filter in NetBSD, after IP Filter and PF. NPF
> is unique for using a bytecode interpreter in its packet-inspection
> engine, and for answering the question, "What does a packet filter
> designed from the bottom up for multiprocessor systems look like?"

This will be the USP of this initiative. A system which is designed to be multi-core programmable (using Intel TBB (Threading Building Blocks) or OpenMP) from the ground up will fare better than a system ported to a multicore system from a unicore/uniprocessor system. Take for example the venerable GCC compiler. It is the compiler which the world relies on for running a sizeable part of their system code. The problem with GCC is that you can do parallel compilation. Apple corporation is building a compiler which replicates GCC command line options to do parallel compilation. The initiative is called CLANG and the compiler infrastructure is based on LLVM (http://clang.llvm.org/). The moral of the whole story is: design the system from the ground up with multicore processors in mind.

I might have introduced additional jargon to an already jargon-filled (but meaningful for a network programmer and some administrators) post from the NetBSD Foundation.

Last, but not the least: what about the relationship between BSD derivative operating systems and FSF? Why can't the Debian project use these kernels? I think Hurd is not ever going to be ready in our lifetime. (My personal opinion!)

regards
Praseed Pai
--- On Mon, 9/13/10, Siju George <[email protected]> wrote:

From: Siju George <[email protected]>
Subject: [ILUG-Cochin.org] Introducing NPF, NetBSD's new packet filter
To: "This List discusses GNU/Linux & GNU, GPL Software" <[email protected]>
Date: Monday, September 13, 2010, 9:30 AM

The NetBSD Foundation is pleased to announce NPF, a new packet filter
by Mindaugas Rasiukevicius. NPF is designed for high performance on
multiprocessor machines, and for easy extensibility.

Highlights of NPF features include

* MP-safety and locklessness for scalable MP performance: no longer is
  the packet filter the bottleneck in your multicore router

* Fast hash-table and red-black tree lookups

* Stateful packet filtering, Network Address Port Translation (NAPT),
  and Application-Level Gateways (ALGs) for, e.g., traceroute

* The N-Code processor, a packet-inspection engine inspired by BPF:
  the N-Code processor is programmed to match packets using generic,
  RISC-like instructions and a few CISC-like instructions for common
  patterns such as IPv4 addresses

* Familiar configuration syntax and utilities

* Modularity and extensibility: users extend NPF by loading a kernel
  module. NPF provides developers with an extensions API. NPF rules
  can embed a hook that invokes an extension

By the end of January, NPF should have all of the capabilities that
NetBSD users have come to expect by using the other filters in the
kernel:

* IPv4 reassembly support
* Bi-directional NAT and port forwarding (re-direction)
* FTP proxy support
* IP header flags cleansing
* ICMP packets and TCP RST packet blocking
* Save/restore state
* Packet logging, configurable using filter rules

Rasiukevicius will also write documentation and configuration examples.

Beyond that, NPF needs code for IPv6 support. Rasiukevicius agrees to
provide technical support to developers who will add IPv6 support to
NPF. An outline of the steps to IPv6 support will be forthcoming.

NPF is the third packet filter in NetBSD, after IP Filter and PF. NPF
is unique for using a bytecode interpreter in its packet-inspection
engine, and for answering the question, "What does a packet filter
designed from the bottom up for multiprocessor systems look like?"

NPF development is sponsored by the NetBSD Foundation.

--
David Young
On Behalf of The NetBSD Foundation

_______________________________________________
Indian Libre User Group Cochin Mailing List
http://www.ilug-cochin.org/mailing-list/
http://mail.ilug-cochin.org/mailman/listinfo/mailinglist_ilug-cochin.org
#[email protected]
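The thread above asks what the "virtual machine" inside a BPF-style packet-inspection engine actually does: a small fixed instruction set, a program that loads bytes from the packet and compares them, and a pass/drop verdict. The following C program is an added example written for this page, not NPF's real N-Code nor any code from the NetBSD project. The six-opcode instruction set, the `ssh_policy` program, and the packet builder are all invented here; the packets are constructed inline using the RFC 5737 documentation address ranges, with checksums left at zero. The policy passes TCP from 192.0.2.0/24 to destination port 22 and drops everything else, and every packet load is bounds-checked so a truncated packet fails closed rather than being read out of bounds, which is the property a kernel-resident filter has to guarantee.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical BPF-style instruction set, invented for this example. */
enum op { OP_LDB, OP_LDH, OP_LDW, OP_AND, OP_JEQ, OP_RET };

struct insn {
    uint8_t  op;      /* opcode */
    uint8_t  jt, jf;  /* relative jump targets for OP_JEQ (true / false) */
    uint32_t k;       /* immediate: packet offset, mask, comparand or verdict */
};

/* Execute prog over pkt. Returns the verdict of OP_RET: 1 = pass, 0 = drop.
 * Every load is bounds-checked against the packet length, so a truncated
 * packet or a bad offset yields "drop" instead of an out-of-bounds read. */
uint32_t run_filter(const struct insn *prog, size_t n,
                    const uint8_t *pkt, size_t len)
{
    uint32_t acc = 0;               /* single accumulator register */
    size_t pc = 0;                  /* program counter */

    while (pc < n) {
        const struct insn *i = &prog[pc++];
        size_t k = i->k;
        switch (i->op) {
        case OP_LDB:                /* acc = pkt[k] */
            if (k + 1 > len) return 0;
            acc = pkt[k];
            break;
        case OP_LDH:                /* acc = 16-bit big-endian at k */
            if (k + 2 > len) return 0;
            acc = ((uint32_t)pkt[k] << 8) | pkt[k + 1];
            break;
        case OP_LDW:                /* acc = 32-bit big-endian at k */
            if (k + 4 > len) return 0;
            acc = ((uint32_t)pkt[k] << 24) | ((uint32_t)pkt[k + 1] << 16) |
                  ((uint32_t)pkt[k + 2] << 8) | pkt[k + 3];
            break;
        case OP_AND:                /* acc &= k */
            acc &= i->k;
            break;
        case OP_JEQ:                /* branch on acc == k */
            pc += (acc == i->k) ? i->jt : i->jf;
            break;
        case OP_RET:                /* verdict */
            return i->k;
        default:
            return 0;               /* unknown opcode: fail closed */
        }
    }
    return 0;                       /* ran off the end: fail closed */
}

#define I(op, jt, jf, k) { (op), (jt), (jf), (k) }

/* Policy: pass TCP from 192.0.2.0/24 to destination port 22, drop all else.
 * Offsets assume a raw IPv4 packet with a 20-byte header (IHL == 5);
 * packets with IP options are simply dropped by this example. */
const struct insn ssh_policy[] = {
    I(OP_LDB, 0, 0, 0),            /*  0: version/IHL byte */
    I(OP_AND, 0, 0, 0xF0),         /*  1: keep version nibble */
    I(OP_JEQ, 0, 11, 0x40),        /*  2: IPv4? else -> 14 (drop) */
    I(OP_LDB, 0, 0, 9),            /*  3: protocol */
    I(OP_JEQ, 0, 9, 6),            /*  4: TCP? else -> 14 */
    I(OP_LDW, 0, 0, 12),           /*  5: source address */
    I(OP_AND, 0, 0, 0xFFFFFF00),   /*  6: /24 mask */
    I(OP_JEQ, 0, 6, 0xC0000200),   /*  7: 192.0.2.0? else -> 14 */
    I(OP_LDB, 0, 0, 0),            /*  8: version/IHL again */
    I(OP_AND, 0, 0, 0x0F),         /*  9: header length in 32-bit words */
    I(OP_JEQ, 0, 3, 5),            /* 10: no IP options? else -> 14 */
    I(OP_LDH, 0, 0, 22),           /* 11: TCP destination port (20 + 2) */
    I(OP_JEQ, 0, 1, 22),           /* 12: port 22? else -> 14 */
    I(OP_RET, 0, 0, 1),            /* 13: pass */
    I(OP_RET, 0, 0, 0),            /* 14: drop */
};
const size_t ssh_policy_len = sizeof ssh_policy / sizeof ssh_policy[0];

/* Build a constructed 40-byte IPv4+TCP packet (checksums left zero). */
size_t build_ipv4_tcp(uint8_t *buf, uint32_t src, uint32_t dst,
                      uint16_t sport, uint16_t dport)
{
    memset(buf, 0, 40);
    buf[0] = 0x45;                                  /* IPv4, IHL = 5 */
    buf[3] = 40;                                    /* total length */
    buf[8] = 64;                                    /* TTL */
    buf[9] = 6;                                     /* protocol = TCP */
    buf[12] = (uint8_t)(src >> 24); buf[13] = (uint8_t)(src >> 16);
    buf[14] = (uint8_t)(src >> 8);  buf[15] = (uint8_t)src;
    buf[16] = (uint8_t)(dst >> 24); buf[17] = (uint8_t)(dst >> 16);
    buf[18] = (uint8_t)(dst >> 8);  buf[19] = (uint8_t)dst;
    buf[20] = (uint8_t)(sport >> 8); buf[21] = (uint8_t)sport;
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;
    buf[32] = 0x50;                                 /* TCP data offset = 5 */
    return 40;
}

/* Verdict for a constructed packet src -> 203.0.113.10:dport. */
int filter_sample(uint32_t src, uint16_t dport)
{
    uint8_t pkt[40];
    size_t len = build_ipv4_tcp(pkt, src, 0xCB00710A, 40000, dport);
    return (int)run_filter(ssh_policy, ssh_policy_len, pkt, len);
}

/* Same packet, but only 21 bytes delivered (cut before the TCP ports). */
int filter_truncated(uint32_t src, uint16_t dport)
{
    uint8_t pkt[40];
    build_ipv4_tcp(pkt, src, 0xCB00710A, 40000, dport);
    return (int)run_filter(ssh_policy, ssh_policy_len, pkt, 21);
}

int main(void)
{
    printf("192.0.2.7 -> :22    : %s\n", filter_sample(0xC0000207, 22) ? "pass" : "drop");
    printf("192.0.2.7 -> :80    : %s\n", filter_sample(0xC0000207, 80) ? "pass" : "drop");
    printf("198.51.100.7 -> :22 : %s\n", filter_sample(0xC6336407, 22) ? "pass" : "drop");
    printf("truncated packet    : %s\n", filter_truncated(0xC0000207, 22) ? "pass" : "drop");
    return 0;
}
```

Two design points carry over to real engines: the program is data, so a rule set can be verified (bounded loops, in-range jumps) before it is loaded into the kernel, and the "CISC-like" instructions the announcement mentions correspond to collapsing the load/mask/compare triplet at instructions 5 to 7 into a single address-match opcode.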
