a userspace api for netfilter control
play

A userspace API for netfilter control Netfilter Workshop 2007, - PowerPoint PPT Presentation

Dec 02, 2022 •517 likes •794 views

INSTITUT FR INSTITUT FR NACHRICHTENVERMITTLUNG KOMMUNIKATIONSNETZE Universitt Stuttgart Universitt Stuttgart UND DATENVERARBEITUNG UND RECHNERSYSTEME Prof. Dr.-Ing. Dr. h. c. mult. P. J. Khn Prof. Dr.-Ing. Dr. h. c. mult. P. J.

  1. INSTITUT FÜR INSTITUT FÜR NACHRICHTENVERMITTLUNG KOMMUNIKATIONSNETZE Universität Stuttgart Universität Stuttgart UND DATENVERARBEITUNG UND RECHNERSYSTEME Prof. Dr.-Ing. Dr. h. c. mult. P. J. Kühn Prof. Dr.-Ing. Dr. h. c. mult. P. J. Kühn A userspace API for netfilter control Netfilter Workshop 2007, Karlsruhe Sebastian Kiesel, Jochen Kögel , Sebastian Meier, Christian Blankenhorn Institute of Communication Networks and Computer Engineering University of Stuttgart {kiesel, koegel, smeier, blankenhorn}@ikr.uni-stuttgart.de September 11, 2007

  2. Agenda • Problem statement - limitations of connection tracking - alternatives • Firewall Control Frameworks: Overview ➥ Requirements on a Pinhole API • Pinhole API for netfilter - Design considerations - Implementation status - Mapping of pinholes to netfilter • Conclusion and Outlook Institute of Communication Networks and Computer Engineering University of Stuttgart

  3. Problem Statement Scenario SIP Proxy SIP RTP text • control flow and RELATED media flow - VoIP: SIP and RTP • strict fine-grained policies - not -A OUTPUT -p UDP -j ALLOW - more than allow/not allow connection from/to • more than one border element (load-balancing, protection, multi- homing,..) Institute of Communication Networks and Computer Engineering University of Stuttgart

  4. Problem Statement Approach 1: Connection Tracking only SIP Proxy SIP RTP conntrack sync text problems - extensibility/maintainability: new kernel modules for new or changed control protocols - robustness/security risk: parsing of complex protocols in the kernel - no authorization/fine-grained policies requires additional internal SIP-proxy/B2BUA Institute of Communication Networks and Computer Engineering University of Stuttgart

  5. Problem Statement Apporach 2: Application Layer Gateways (ALG) SIP Proxy SIP ALG (SBC) RTP text ALG (SBC) • SIP-ALG: Session Border Controller (SBC) - Processing of signaling and media (all in user space) - All RTP routed through ALG independent of IP-Routing - SBC needs full application knowledge (RTP codecs, ...) - packet filter in front of SBC: completely open to UDP? Conntrack? Institute of Communication Networks and Computer Engineering University of Stuttgart

  6. Problem Statement Approach 3: Firewall Control Protocol SIP Proxy firewall control SIP RTP SIP B2BUA text • firewall control daemons - running on firewall machines - accepting only messages from authorized machines • session stateful server (SIP B2BUA) - extracts RTP-flow parameters from signaling messages - authorizes calls - signals pinholes to open/close Institute of Communication Networks and Computer Engineering University of Stuttgart

  7. Problem Statement Approach 3: Firewall Control Protocol - prohibiting flows (IDS) SIP Proxy firewall control SIP RTP SIP B2BUA text IDS Firewall control daemon: how to control packet filter? - calling command line tools - using libraries (libiptc, nfnetlink) ➥ lots of dependencies on filter implementation, libraries, formats, OS ➥ general API makes sense ➥ detailed requirements? first have a look at firewall control... Institute of Communication Networks and Computer Engineering University of Stuttgart

  8. Firewall Control Frameworks Firewall/NAT Control protocol zoo • IETF MIDCOM Framework - Implemetation: Simco • IETF NSIS - path-coupled signaling framework (QoS requests, NAT, firewall) • H.248 MEGACO - ETSI: Profile for controlling media relays (BGF) - H.248.37: signal SBC to replace addresses for NAT traversal ➥ Focus on firewall control: MSimco, NSIS Institute of Communication Networks and Computer Engineering University of Stuttgart

  9. Firewall Control Frameworks MIDCOM Framework (RFC 3303) • abstract protocol semantics for NAT/FW control • abstract protocol entities MIDCOM policy impl. PDP repository specific MIDCOM policy SIP protocol protocol interface interface proxy MIDCOM packet filter SIP ("middlebox") RTP SIP UA SIP UA user A user B private domain public network (e.g., Internet) Institute of Communication Networks and Computer Engineering University of Stuttgart

  10. Firewall Control Frameworks MIDCOM/SIMCO • implementation of Midcom: simple middlebox control protocol (SIMCO), (RFC 4540) • NAT + Packet filter signaling – our focus: packet filter • enable (PER) and prohibit (PDR) pinholes (white list) • Pinhole - two "address tuples" (transport protocol, address, prefix, port, portrange) - ports and address wildcarding - inbound/outbound/bidirectional ➥ can be mapped on 5-Tuple with ranges Problem: multiple packet filters at network edge • must be handled by client, independent of packet filters • 1st possibility: know routing • 2nd possibility: open pinholes in every packet filter Institute of Communication Networks and Computer Engineering University of Stuttgart

  11. Firewall Control Frameworks IETF NSIS (next steps in signaling) • Framework for path-coupled signaling - idea: signal nodes on path independent of IP routing (e.g. for QoS) - generic messaging layer (General Internet Signaling Transport) • Datagram/Connection Mode • TCP, UDP, IPSec - NSIS Signaling Level Protocols (NSLP) on top of GIST • NAT/Firewall Control - NAT/Firewall control NSLP (draft-ietf-nsis-nslp-natfw-15.txt) - Authorizationbased on tokens (draft-manner-nslp-auth-03.txt) Institute of Communication Networks and Computer Engineering University of Stuttgart

  12. Firewall Control Frameworks Domain 1 Domain 2 SIP SIP B2BUA B2BUA packet SIP filter NSIS RTP packet filter NSIS Firewall Signaling: • Pinhole description based on existing flow - sub_ports: how many contiguous ports (0..1) - Allow/Deny - blocking traffic with EXT messages (for whole prefix, port wildcard) Institute of Communication Networks and Computer Engineering University of Stuttgart

  13. Requirements on an API There are several reasons for changing packet filter rules dynamically - firewall control protocols (our motivation) - ALG implementations - Intrusion detection systems Often realized by calling iptables, but libraries available are very specific (libiptc). Strong dependency on filter realization. ➥ Why not designing a common (high-level, userspace) API? ➥ We started based on requirements from a SIMCO-Prototype Institute of Communication Networks and Computer Engineering University of Stuttgart

  14. Requirements on an API (Our) Requirements • open/close pinholes • pinhole: 5-Tuple (incl. subnets + port ranges) - bidirectional: two pinholes • independent of filter-implementation (and OS) • transaction semantics • no control of whole packet filter, only dedicated rule sets (e.g. one chain) • fast - frequent rule changes (VoIP) - high packet rate Institute of Communication Networks and Computer Engineering University of Stuttgart

  15. Pinhole API for netfilter Vision Application/Daemon NSIS SIMCO IDS NATFW uniform interface enterPH removePH (OS independent) Clientlib unpriv. user translation plugin Backend priv. user (root) according to chains set+chains ... BSD OS/config/kernel capab. kernel chains ipset conntrack nf−hipac BSD PF Have a look into the details.. Institute of Communication Networks and Computer Engineering University of Stuttgart

  16. Pinhole API for netfilter Interface Example: C++ interface ruleManager.request(MODIFY_RULESET); int ruleID1 = ruleManager.addRule( "1.2.3.4", 24, 100, 200, "2.3.4.5",24, 300, 400, IPPROTO_UDP, AF_INET); ruleManager->commit(); ruleManager.request(MODIFY_RULESET); ruleManager.delRule(ruleID1); int ruleID2 = ruleManager.addRule( "5.6.7.8", 24, 100, 200, "6.7.8.9",24, 300, 400, IPPROTO_UDP, AF_INET); ruleManager->commit(); Institute of Communication Networks and Computer Engineering University of Stuttgart

  17. Pinhole API for netfilter Frontend init add del commit • keeps all rules/pinholes - optimization possible (hook) Transaction Manager while stil being able to delete rules per ID Optimizer rule set management - enables differential updates Control - failure: last known good last optimized current known • commit rules as batch to good backend - in intervals (with backoff-Alg) SIMCO Lite Client - currently: complete rule set - libiptc backend performance: changing or rewriting rules takes internal Interface (via Socket) almost the same time to Backend - socket communication: reuse of SIMCO message definition + added new control messages Institute of Communication Networks and Computer Engineering University of Stuttgart

  18. Pinhole API for netfilter Backend internal interface from Frontend • processing of frontend requests • translation of pinholes to netfilter rules Unix Domain Socket • notify frontend about status Adapter • failure recovery, e.g. frontend crash • only Translation module II is Simco Lite Server packetfilter-dependent Control Translation I SIMCO−>Intern Translation II Intern−>Netfilter init() flush() insert() del() add() commit() Institute of Communication Networks and Computer Engineering University of Stuttgart

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

netfilter/iptables training Nov 05/06/07, 2007 Day 1 by Harald Welte

netfilter/iptables training Nov 05/06/07, 2007 Day 1 by Harald Welte

netfilter/iptables training Nov 05/06/07, 2007 Day 1 by Harald Welte <laforge@netfilter.org> 1 netfilter/iptables tutorial Contents Day 1 Introduction Highly Scalable Linux Network Stack Netfilter Hooks Packet selection based on IP

342 views • 20 slides
Netfilter updates: NetDev 2.1 <pablo@netfilter.org> Pablo Neira Ayuso What does this

Netfilter updates: NetDev 2.1 <pablo@netfilter.org> Pablo Neira Ayuso What does this

Netfilter updates: NetDev 2.1 <pablo@netfilter.org> Pablo Neira Ayuso What does this presentation cover? Not a tutorial... but incremental updates on Netfilter and nf_tables. For those new to nftables: See

615 views • 35 slides
The userspace solution for control groups Linux Kongress 2010 Dhaval Giani

The userspace solution for control groups Linux Kongress 2010 Dhaval Giani

The userspace solution for control groups Linux Kongress 2010 Dhaval Giani dhaval.giani@gmail.com RETIS Lab, Scuola Superiore SantAnna September 2010 Dhaval Giani The userspace solution for control groups Control Groups What are cgroups?

896 views • 70 slides
Netfilter updates since last NetDev NetDev 2.2, Seoul, Korea (Nov 2017)

Netfilter updates since last NetDev NetDev 2.2, Seoul, Korea (Nov 2017)

Netfilter updates since last NetDev NetDev 2.2, Seoul, Korea (Nov 2017) <pablo@netfilter.org> Pablo Neira Ayuso What does this cover? Not a tutorial Incremental updates already upstream Ongoing development efforts

372 views • 21 slides
Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and Linux Contents Introduction Highly Scalable Linux Network Stack Netfilter Hooks Packet selection based on IP Tables The Connection Tracking

444 views • 9 slides
Fault tolerant stateful firewalling with GNU/Linux Pablo Neira Ayuso <pablo@netfilter.org>

Fault tolerant stateful firewalling with GNU/Linux Pablo Neira Ayuso <pablo@netfilter.org>

Fault tolerant stateful firewalling with GNU/Linux Pablo Neira Ayuso <pablo@netfilter.org> Proyecto Netfilter <pneira@us.es> University of Sevilla Outline Introduction: Stateless and stateful firewalls Fault-Tolerance

442 views • 21 slides
Suricata 2.0, Netfilter and the PRC ric Leblond Stamus Networks July 8, 2014 ric Leblond

Suricata 2.0, Netfilter and the PRC ric Leblond Stamus Networks July 8, 2014 ric Leblond

Suricata 2.0, Netfilter and the PRC ric Leblond Stamus Networks July 8, 2014 ric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC July 8, 2014 1 / 43 Eric Leblond a.k.a Regit French Network security expert Free Software

667 views • 47 slides
Suricata 2.0, Netfilter and the PRC ric Leblond Stamus Networks April 26, 2014 ric Leblond

Suricata 2.0, Netfilter and the PRC ric Leblond Stamus Networks April 26, 2014 ric Leblond

Suricata 2.0, Netfilter and the PRC ric Leblond Stamus Networks April 26, 2014 ric Leblond (Stamus Networks) Suricata 2.0, Netfilter and the PRC April 26, 2014 1 / 52 Eric Leblond a.k.a Regit French Network security expert Free

536 views • 42 slides
AddressSanitizer/ThreadSanitizer for Linux Kernel and userspace. Konstantin Serebryany, Dmitry

AddressSanitizer/ThreadSanitizer for Linux Kernel and userspace. Konstantin Serebryany, Dmitry

AddressSanitizer/ThreadSanitizer for Linux Kernel and userspace. Konstantin Serebryany, Dmitry Vyukov Linux Collaboration Summit 15 April 2013 Agenda AddressSanitizer, a memory error detector (userspace) ThreadSanitizer, a data race

1.18k views • 69 slides
DDoS protection Using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat

DDoS protection Using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat

DDoS protection Using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat RMLL Montpellier, July 2014 1/36 Email: brouer@redhat.com / netoptimizer@brouer.com / hawk@kernel.org DDoS protection using Netfilter/iptables

822 views • 38 slides
RES212 Lab #2 Netfilter/iptables Firewall The goal of this lab is to let you become acquainted

RES212 Lab #2 Netfilter/iptables Firewall The goal of this lab is to let you become acquainted

https://res212.telecom-paristech.fr TP02v1 2018/05/31 RES212 Lab #2 Netfilter/iptables Firewall The goal of this lab is to let you become acquainted with the design, configuration and testing of firewalls. Given the limited amount of time,

736 views • 14 slides
2 Berkeley Socket Userspace Kernel Hardware Time 1983 2 Berkeley TCP Arrakis &

2 Berkeley Socket Userspace Kernel Hardware Time 1983 2 Berkeley TCP Arrakis &

LITE Kernel RDMA Support for Datacenter Applications Shin-Yeh Tsai , Yiying Zhang Time 2 Berkeley Socket Userspace Kernel Hardware Time 1983 2 Berkeley TCP Arrakis & Socket IX O ffl oad engine mTCP Userspace Kernel Hardware

1.34k views • 104 slides
XtreemFS: high- performance network file system clients and servers in userspace Minor Gordon,

XtreemFS: high- performance network file system clients and servers in userspace Minor Gordon,

XtreemFS: high- performance network file system clients and servers in userspace Minor Gordon, NEC Deutschland GmbH mgordon@hpce.nec.com HIGH PERFORMANCE Why userspace? COMPUTING 05/04/09 File systems traditionally implemented in the

275 views • 15 slides
Linux Plumbers Conference 2011 Userspace RCU Library: RCU Synchronization and RCU/Lock-Free Data

Linux Plumbers Conference 2011 Userspace RCU Library: RCU Synchronization and RCU/Lock-Free Data

Linux Plumbers Conference 2011 Userspace RCU Library: RCU Synchronization and RCU/Lock-Free Data Containers for Userspace E-mail: mathieu.desnoyers@efficios.com Mathieu Desnoyers September 8th, 2011 1 > Presenter Mathieu Desnoyers

589 views • 41 slides
Scaling Userspace @ Facebook Ben Maurer bmaurer@fb.com About Me At Facebook since 2010

Scaling Userspace @ Facebook Ben Maurer bmaurer@fb.com About Me At Facebook since 2010

Scaling Userspace @ Facebook Ben Maurer bmaurer@fb.com About Me At Facebook since 2010 Co-founded reCAPTCHA Tech-lead of Web Foundation team Responsible for the overall performance & reliability of Facebooks user-

537 views • 32 slides
NuFW The identity-based firewall or Why using Netfilter is cool ! Eric Leblond, eric@inl.fr

NuFW The identity-based firewall or Why using Netfilter is cool ! Eric Leblond, eric@inl.fr

NuFW The identity-based firewall or Why using Netfilter is cool ! Eric Leblond, eric@inl.fr Plan Introduction NuFW's genesis Presentation of the algorithm NuFW and nfnetlink What's next Conclusion In the beginning was

596 views • 25 slides
PostgreSQL Who, What, When, Where, Why, How? 1 QUIS? Who's involved with PostgreSQL? Core

PostgreSQL Who, What, When, Where, Why, How? 1 QUIS? Who's involved with PostgreSQL? Core

PostgreSQL Who, What, When, Where, Why, How? 1 QUIS? Who's involved with PostgreSQL? Core team: https://www.postgresql.org/community/contributors/ Large Users: https://www.postgresql.org/about/users/ Case Studies:

517 views • 7 slides
Introduction to the GNU GMP Library Salimova Diyora Swiss Federal Institute of Technology

Introduction to the GNU GMP Library Salimova Diyora Swiss Federal Institute of Technology

Introduction to the GNU GMP Library Salimova Diyora Swiss Federal Institute of Technology sdiyora@student.ethz.ch October 16, 2014 Salimova Diyora (ETHZ) Introduction to the GNU GMP Library October 16, 2014 1 / 14 Overview Presentation,

371 views • 14 slides
Abstracting and Visualizing Host Behaviour Abstracting and Visualizing Host Behaviour through

Abstracting and Visualizing Host Behaviour Abstracting and Visualizing Host Behaviour through

Abstracting and Visualizing Host Behaviour Abstracting and Visualizing Host Behaviour through Graphs Eduard Glatz Computer Engineering and Networks Laboratory ETH Zurich (Switzerland) eglatz@tik.ee.ethz.ch 20. Dec. 2009 Motivation

466 views • 27 slides
Create the future with the new style of business Rupert Holzbauer, Director SAP Competence Center

Create the future with the new style of business Rupert Holzbauer, Director SAP Competence Center

Create the future with the new style of business Rupert Holzbauer, Director SAP Competence Center EMEA, Hewlett-Packard 1 HP to separate into two new industry-leading public companies Hewlett Packard Enterprise HP Inc. Lea eadin ing p per

896 views • 27 slides
Introduction to rawsockets Mathias Habltzel 29 May 2013 Mathias Habltzel Rawsockets 29 May

Introduction to rawsockets Mathias Habltzel 29 May 2013 Mathias Habltzel Rawsockets 29 May

Introduction to rawsockets Mathias Habltzel 29 May 2013 Mathias Habltzel Rawsockets 29 May 2013 1 / 34 What is rawsocket Raw sockets allow new IPv4 protocols to be implemented in user space. A raw socket receives or sends the raw

285 views • 27 slides
Build Systems: Combining CUDA and Modern CMake GTC, San Jose, CA May, 2017 Robert Maynard

Build Systems: Combining CUDA and Modern CMake GTC, San Jose, CA May, 2017 Robert Maynard

Build Systems: Combining CUDA and Modern CMake GTC, San Jose, CA May, 2017 Robert Maynard Kitware, Inc. Founded in 1998 by five former GE Research employees 136 current employees; 47 with PhDs Privately held, profitable from

298 views • 29 slides
Virtual Labs with User Mode Linux Armin M. Warda, Postbank Systems AG, Germany Postbank Systems

Virtual Labs with User Mode Linux Armin M. Warda, Postbank Systems AG, Germany Postbank Systems

Virtual Labs with User Mode Linux Armin M. Warda, Postbank Systems AG, Germany Postbank Systems AG IBM eServer pSeries AIX & Linux 2004 Technical Conference, Munich/DE, 26-29 Oct Agenda Prsentationstitel Who is Postbank? And who is

1.18k views • 66 slides
Banque Saudi Fransi Investor Presentation | Q3 2019 Results INVESTOR PRESENTATION | DISCLAIMER

Banque Saudi Fransi Investor Presentation | Q3 2019 Results INVESTOR PRESENTATION | DISCLAIMER

Banque Saudi Fransi Investor Presentation | Q3 2019 Results INVESTOR PRESENTATION | DISCLAIMER This presentation is being provided to you for general information purposes. The information contained in the presentation has been obtained from

384 views • 22 slides

More recommend