Hi Siju, Thank you very much. Let me chase those links given by you and get back if I need more clarification.
regards
Praseed Pai

--- On Tue, 9/14/10, Siju George <[email protected]> wrote:

> From: Siju George <[email protected]>
> Subject: Re: [ILUG-Cochin.org] Introducing NPF, NetBSD's new packet filter
> To: "This List discusses GNU/Linux & GNU, GPL Software" <[email protected]>
> Date: Tuesday, September 14, 2010, 12:31 AM
>
> On Tue, Sep 14, 2010 at 4:28 AM, Praseed Pai <[email protected]> wrote:
> >
> > @all
> > I have got an idea here, why cannot we elaborate the stuff so that it will be useful for all.
> > I will write my understanding and ask questions which I have got trouble following.
> >
>
> am glad to explain :-)
>
> > I understand from the wordings that the packet filter runs on a server.
> > I inferred this from the "multiprocessor machines" stuff. My notion is that
> > routers can also host packet filters.
> > (all routers have got a POSIX compliant system inside) Is there
> > any router level packet filter?
> > (We can write filter logic using the remote administration
> > tool of the routers. An OS level packet filter is good for
> > multi homed servers though)
> >
> > Any pointers to this?
> >
>
> The simple term for a packet filter is a "firewall".
> Most of them come with the kernel itself with an option to turn them
> on/off in rc.conf or so.
>
> A few examples are:
>
> http://www.openbsd.org/faq/pf/
> http://en.wikipedia.org/wiki/IPFilter
> http://www.netfilter.org/projects/iptables/index.html
>
> They can run on any system, not just servers.
>
> A packet filter intercepts TCP/IP packets and performs actions like
>
> drop - packet is silently discarded.
> return - a TCP RST packet is returned for blocked TCP packets
> pass - allow the packet to pass through
> etc.
>
> according to the rule set.
>
> Some routers run with these OSes so they already have this packet
> filter capability.
>
> I guess by "router level" and "OS level" you mean "in-kernel"?
>
> > > > Highlights of NPF features include
> > >
> > > * MP-safety and locklessness for scalable MP performance: no longer is
> > >   the packet filter the bottleneck in your multicore router
> > >
> > The above statement can be read as the feature is for people who want to
> > embed the NetBSD kernel inside their routers. The parallelism of multicore
> > machines (or routers) can make things quite fast.
> >
>
> When these OSes run on multi processor systems, just like any other
> software the packet filter is also affected by the locking.
>
> http://en.wikipedia.org/wiki/Giant_lock
>
> One of the reasons why DragonFlyBSD was formed is to get rid of this
>
> http://www.dragonflybsd.org/goals/#messaging
>
> NetBSD runs on many hardware platforms
>
> http://www.netbsd.org/ports/#in-tree-ports
>
> even on a bread toaster
>
> http://www.embeddedarm.com/software/arm-netbsd-toaster.php
>
> and now with NPF you can get rid of the Giant Lock.
>
> So by adding CPUs you get better performance rather than lose
> performance due to locking :-)
>
> Hope I made it clear enough?
>
> > > > Fast hash-table and red-black tree lookups
> > >
> > When they say lookup, what kind of stuff do they look up while rules are applied?
> >
>
> Ok, a typical rule in PF will look like
>
> pass in on $ext_if from <allowed-users> to $ftp-server
>
> This will pass IPs in the <allowed-users> table coming in on the
> firewall's external interface to the FTP server behind it.
>
> The <allowed-users> table may contain 10 thousand IPs, so when a
> packet comes and this rule is applied the source IP in that packet
> should be looked up in the <allowed-users> table to perform the "pass"
> action.
>
> Just an example.
>
> > I assume stateful packet filtering in this context means the system will take into
> > consideration a bunch of packets as a logical unit. By chasing a few links I could
> > understand what NAPT (sort of.. my understanding might be wrong as well) is.
> > ALG, I believe, is filtering the packets at a higher level than the network layer. This
> > works at the TCP/IP application layer. Can it be used for load balancing etc.?
> >
>
> Stateful packet filtering means the TCP/IP SYN packet first sent will
> be evaluated with the ruleset and if it is passed a state entry will
> be made in the state table. The packets that match the state table
> entry will not be evaluated thereafter but passed. This is the way
> most firewalls work now by default. It reduces a lot of overhead.
>
> > > > * The N-Code processor, a packet-inspection engine inspired by BPF:
> > > >   the N-Code processor is programmed to match packets using generic,
> > > >   RISC-like instructions and a few CISC-like instructions for common
> > > >   patterns such as IPv4 addresses
> > >
> > I assume every packet filter engine has got a "virtual machine" inside to
> > execute instructions and the rules are baked into the instruction set of
> > this virtual processor. If this is possible, someone might do just in
> > time compilation to the host processor. BPF is Berkeley Packet Filter.
> >
>
> Now that is beyond me :-)
> Most BSD systems have a BPF interface.
>
> > > > * Familiar configuration syntax and utilities
> > > >
> > > > * Modularity and extensibility: users extend NPF by loading a kernel
> > > >   module. NPF provides developers with an extensions API. NPF rules
> > > >   can embed a hook that invokes an extension
> > >
> > From this, I understand that all packet filters have got a Domain Specific
> > Language (a name would be Network Packet Filtering Language) used
> > by network administrators. To augment this system, we can write C/C++
> > based plugins to the NPF core. The kernel module can have an additional
> > layer which interprets the packet as well.
> >
>
> Packet filters generally have a language to configure the rules, like
>
> http://www.openbsd.org/faq/pf/filter.html#syntax
>
> I haven't looked into NPF yet, will let you know afterwards.
>
> > > > By the end of January, NPF should have all of the capabilities that
> > > > NetBSD users have come to expect by using the other filters in the
> > > > kernel:
> > > >   * IPv4 reassembly support
> > > >   * Bi-directional NAT and port forwarding (re-direction)
> > > >   * FTP proxy support
> > > >   * IP header flags cleansing
> > > >   * ICMP packets and TCP RST packet blocking
> > > >   * Save/restore state
> > > >   * Packet logging, configurable using filter rules
> > >
> > I have followed some of them, and I need to read more to understand.
> >
>
> Most of the BSDs are using the OpenBSD PF because it is clean code,
> simple to configure, secure and can be clustered. So the new guy needs
> a little more time to grow up with features :-)
>
> > > > Beyond that, NPF needs code for IPv6 support. Rasiukevicius agrees to
> > > > provide technical support to developers who will add IPv6 support to
> > > > NPF. An outline of the steps to IPv6 support will be forthcoming.
> > >
> > I have been hearing about IPv6 ever since I started computer programming.
> > Anyone in this group who has got exposure to this? (as a programmer or
> > administrator).
> >
>
> We can use it in the LAN but not on the Internet unless our ISP supports it :-(
>
> This is a free book on it.
>
> http://www.secondinternet.org/content/free-ipv6-book-second-internet.
>
> I started making a few services in the LAN IPv6 at one point but other
> things came up and I am stuck. Well it will be quite some time till I
> get back because when Squeeze comes up I will have to spend a lot of
> time upgrading and migrating stuff to new servers on the Internet.
>
> > > > NPF is the third packet filter in NetBSD, after IP Filter and PF. NPF
> > > > is unique for using a bytecode interpreter in its packet-inspection
> > > > engine, and for answering the question, "What does a packet filter
> > > > designed from the bottom up for multiprocessor systems look like?"
> > >
> > This will be the USP of this initiative. The system which is designed to be
> > multi core programmable (using Intel TBB (Thread Building Blocks) or
> > OpenMP) from the ground up will fare better than a system ported to
> > a multicore system from the unicore/uniprocessor system.
> >
>
> Yes!
>
> > Take for example the venerable GCC compiler. It is the compiler which the
> > world relies on for running a sizeable part of their system code. The problem
> > with GCC is that you can't do parallel compilation. Apple corporation is
> > building a compiler which replicates GCC command line options to
> > do parallel compilation. The initiative is called CLANG and the compiler
> > infrastructure is based on LLVM (http://clang.llvm.org/)
> >
> > The moral of the whole story is to design the system from the ground up with
> > multicore processors in mind.
> >
>
> Yes, especially for the firewall: as the packet rate increases locking will
> cause it to be the bottleneck. The rule of thumb now is to use a fast
> single processor machine.
>
> > Last, but not the least, what about the relationship between BSD
> > derivative operating systems and FSF?
> > Why cannot the Debian project use these kernels? I think Hurd
> > is not ever going to be ready in our life time. (My personal opinion!)
> >
>
> Oh yea Debian uses them :-)
>
> http://www.debian.org/ports/kfreebsd-gnu/
> http://www.debian.org/ports/netbsd/
>
> hope I clarified stuff?
>
> cheers
>
> --Siju
>
> _______________________________________________
> Indian Libre User Group Cochin Mailing List
> http://www.ilug-cochin.org/mailing-list/
> http://mail.ilug-cochin.org/mailman/listinfo/mailinglist_ilug-cochin.org
> #[email protected]
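Siju's two explanations above (the `<allowed-users>` table lookup behind a PF rule, and the stateful fast path where only the first SYN walks the ruleset) put together in a toy model. This is an added example, not code from the thread or from NPF/PF; the `Packet`, `Rule` and `StatefulFilter` names, the addresses and the ten-thousand-entry table are all constructed for illustration.

```python
"""Toy stateful filter as discussed above: a passing TCP SYN creates a state
entry, later packets of that flow skip the ruleset. Added example, not NPF/PF code."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""        # TCP flag letters, e.g. "S" (SYN), "A" (ACK)

@dataclass
class Rule:
    action: str                                 # "pass", "drop" or "return"
    src_table: Optional[FrozenSet[str]] = None  # like PF's <allowed-users>
    dst: Optional[str] = None                   # None matches any destination
    dport: Optional[int] = None                 # None matches any port

    def matches(self, p: Packet) -> bool:
        # Table membership is a hash lookup, so cost does not grow with size.
        if self.src_table is not None and p.src not in self.src_table:
            return False
        if self.dst is not None and p.dst != self.dst:
            return False
        return self.dport is None or p.dport == self.dport

class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()   # flows already admitted by a passing SYN
        self.rule_evals = 0   # how often the slow path (ruleset walk) ran

    def handle(self, p: Packet) -> Tuple[str, Optional[str]]:
        """Return (verdict, reply); reply is "RST" for the return action."""
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.states or key[2:] + key[:2] in self.states:
            return "pass", None               # fast path: state-table hit
        self.rule_evals += 1
        for r in self.rules:                  # first match wins (simplified)
            if r.matches(p):
                if r.action == "pass" and "S" in p.flags:
                    self.states.add(key)      # passing SYN creates the state
                return r.action, "RST" if r.action == "return" else None
        return "drop", None                   # default policy: silent discard

# Constructed <allowed-users> table of ten thousand client addresses.
ALLOWED_USERS = frozenset(f"10.{i // 256}.{i % 256}.1" for i in range(10000))
FTP_SERVER = "192.0.2.21"
RULES = [Rule("pass", ALLOWED_USERS, FTP_SERVER, 21),  # <allowed-users> to $ftp-server
         Rule("return", None, FTP_SERVER, 21)]         # any other client: TCP RST
```

Feeding a SYN, an ACK and the server's reply through `StatefulFilter(RULES).handle` shows `rule_evals` staying at 1 for the whole flow, which is the overhead reduction Siju describes.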
