bridge filtering with nftables
play

bridge filtering with nftables Florian Westphal 4096R/AD5FF600 - PowerPoint PPT Presentation

Sep 01, 2023 •518 likes •694 views

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) bridge filtering with nftables Florian Westphal 4096R/AD5FF600 fw@strlen.de 80A9 20C5 B203 E069 F586 AE9F 7091 A8D9 AD5F F600 Red

  1. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) bridge filtering with nftables Florian Westphal 4096R/AD5FF600 fw@strlen.de 80A9 20C5 B203 E069 F586 AE9F 7091 A8D9 AD5F F600 Red Hat February 2016

  2. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Intro ◮ same concept as netfilter ipv4/ipv6 ◮ “hooks” are placed at various spots in the bridge module ◮ kernel modules can register functions to be called at these hook points NF_HOOK(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL, br_handle_frame_finish); ◮ iterates over registered functions and calls them ◮ functions can decide fate of packet (continue, drop, . . . )

  3. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Kernel Bridge Hooks PREROUTING FDB FORWARDING POSTROUTING INPUT OUTPUT Host

  4. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) current state: ebtables ◮ cloned off iptables more than a decade ago ◮ offers a few (stateless) matches and targets ◮ ip/ip6 addresses, vlan id ◮ packet type (i.e. multicast, broadcast, . . . ) ◮ packet mark ◮ src/dst MAC rewrite, redirect to local stack support (routing, proxies) ◮ bridge netfilter hooks placed in bridge code, similar to ip stack ◮ no stateful matches, no connection tracking ◮ ebtables cannot use xtables targets or modules

  5. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) call-iptables (1) ◮ br_netfilter.ko – implements call-iptables mode: ◮ invoke ip/ipv6 nf hooks from the bridge path ◮ upside: ◮ provides all xtables modules and targets (via iptables ruleset on the bridge) ◮ conntrack support, L3/L4 NAT ◮ downside: ◮ many subtle layering violations and problems ◮ inet “owns” skb->cb[] : save/restore for each iptables trip ◮ in iptables indev and outdev is bridge, i.e. -i br0 instead of bridge port ◮ VLAN mess: allows temporary removal of VLAN header ◮ end host/router doesn’t care, filtering via ifname (” -i eth0.42 ”) ◮ VLAN data only accessible from bridge hooks

  6. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) call-iptables (2) – conntrack ◮ the good news: It’ll work ◮ unless you have overlapping addresses (different bridges, VLANs) ◮ unless you need/use NFQUEUE to have packets inspected by userspace (e.g. suricata). ◮ bridge has to consult ipv4 FIB to cope with NAT ◮ also needs to cope with e.g. re-lookup of the destination MAC address ◮ skb->nf_bridge exists only because of the call-iptables mode

  7. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Summary ◮ bridge filtering is usually done with both ebtables and iptables rulesets ◮ ... because thats the only way you get conntrack + iptables features ◮ at least one long standing oops (call-iptables+conntrack+nfqueue) remaining ◮ another problem: netfilter hooks are per namespace, not per bridge ◮ ebtables == ’iptables from 2001’ (e.g. rwlock in main traverser)

  8. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) nfqueue ◮ pass packets to userspace via netlink ◮ userspace can drop or accept packet ◮ userspace can rewrite/replace payload ◮ backend is limited to ip and ipv6 ◮ netlink attributes provided (incomplete list): ◮ the family and hook that queued the packet ◮ in and outgoing interface index ◮ packet nfmark ◮ packet payload (starts w. network header – skb->data )

  9. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) nfqueue for bridge ◮ most simple solution: just push/pull eth header ◮ i.e. payload attribute starts with ethernet header ◮ several issues with this approach ◮ VLAN untag or extra attribute? ◮ how to allow l2 header rewriting? Doesn’t really work since we might have to pull more data, e.g. added qinq ◮ seems preferable to add new netlink attributes ◮ bonus: can use this for netdev family too

  10. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) nfqueue for bridge, plan ◮ add new attributes for L2 and VLAN header ◮ L2 – skb_mac_header() ◮ can add L2 header expansion/shrinking since attr size is known ◮ VLAN – serialize skb vlan metadata ◮ no need to untag queued skb ◮ allows later addition of VLAN header removal

  11. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Handling overlapping addresses ◮ distinct VLANs might have duplicate addresses ◮ already a problem w. call-iptables and bridge-nf-filter-vlan-tagged enabled ◮ partial workaround for conntrack with -j CT --zone x , but not for defrag ◮ requires manual setup ◮ not very efficient with lots of vlan zone pairs due to xtables limitations

  12. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Handling overlapping addresses (2) ◮ could extract vlan id and use that as additional key ◮ would need kernel change when e.g. asking to conntrack ip inside PPPoE frames ◮ in light of this manual setup doesn’t seem too bad nft would not suffer from ’linear ruleset’ xt problem, e.g. use map: add rule bridge track pre ct zone set vlan id map { 1 : 1, 2 : 2 ...

  13. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) bridge conntrack plan: add new bridge ct expression ◮ serves as ingress hook point and conntrack-enable switch ◮ native bridge hooks for confirmation, helpers and reply direction ◮ look at skb->protocol , then do upcall to ipv4 or ipv6 ct handler ◮ no tracking for outgoing connections – ip(6) conntrack already does it

  14. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) bridge conntrack hook overview add following bridge hooks: ◮ postrouting: ◮ helper ◮ confirmation ◮ prerouting: ◮ reply traffic handling, i.e. no NEW ctstate also handle IP(v6) defragmentation here ◮ absent: ◮ no input confirm (would be handled by ipv4/ipv6 hook) ◮ prerouting input for new connections – only via explicit rule

  15. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) no auto-defrag? ◮ ipv4/ipv6 conntrack forces defrag via module dependency ◮ ”How can I disable nf_defrag_ipv4 on ethX”? You can’t ◮ How would one go about to allow this? Best idea so far: defrag expression: add rule bridge track pre meta iif not ethX defrag ◮ Need for manual config doesn’t play nice with conntrack RELATED handling ◮ seems best to force-on once conntrack is used/activated

  16. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Future Work ◮ implement defrag+conntrack as outlined ◮ try to avoid dependencies – no ipv6 conntrack outload for example ◮ L3/L4 nat not planned at the moment ◮ can use ether set daddr plus pkttype set unicast to redirect packet to bridge for routing Questions?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Suricata IDPS and Nftables: The Mixed Mode Giuseppe Longo Stamus Networks Jul 5, 2016 Giuseppe

Suricata IDPS and Nftables: The Mixed Mode Giuseppe Longo Stamus Networks Jul 5, 2016 Giuseppe

Suricata IDPS and Nftables: The Mixed Mode Giuseppe Longo Stamus Networks Jul 5, 2016 Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode Jul 5, 2016 1 / 60 Netfilter 1 Nftables Tables and chains Rules Suricata

1.09k views • 75 slides
1 An Filtering System that Monitors Document Search Engines Can Help, But Not Enough!

1 An Filtering System that Monitors Document Search Engines Can Help, But Not Enough!

Filtering May be Your Work Adaptive Information Filtering Using Bayesian Graphical Models Yi Zhang Baskin School of Engineering University of California Santa Cruz yiz@soe.ucsc.edu 1 2 Filtering May be Your Work Filtering May be Your Work

415 views • 8 slides
Load Balancing with nftables by Laura Garca (Zen Load Balancer Team) Netdev 1.1 Prototype of

Load Balancing with nftables by Laura Garca (Zen Load Balancer Team) Netdev 1.1 Prototype of

Load Balancing with nftables by Laura Garca (Zen Load Balancer Team) Netdev 1.1 Prototype of Load Balancing with nftables Goal: High Performance Load Balancer Load Balancing Solutions Load Balancing Solutions Linux Virtual Server

1.31k views • 40 slides
Traffic Control Mechanisms Filtering Source address filtering Other forms of filtering

Traffic Control Mechanisms Filtering Source address filtering Other forms of filtering

Traffic Control Mechanisms Filtering Source address filtering Other forms of filtering Rate limits Protection against traffic analysis Padding Routing control Lecture 9 Page 1 CS 236 Online Source Address Filtering

366 views • 11 slides
CS490W: What is Collaborative Filtering? Collaborative Filtering (CF): Making recommendation

CS490W: What is Collaborative Filtering? Collaborative Filtering (CF): Making recommendation

CS490W: What is Collaborative Filtering? Collaborative Filtering (CF): Making recommendation decisions for a specific CS-490W user based on the judgments of users with similar tastes Collaborative Filtering Luo Si Train_User 1 1 5 3 3 4

628 views • 6 slides
5 th Street SE Bridge Overview Bridge is functionally obsolete New bridge funded with

5 th Street SE Bridge Overview Bridge is functionally obsolete New bridge funded with

5 th Street SE Bridge Overview Bridge is functionally obsolete New bridge funded with federal money Layout was approved 2017 MnDOT hosted several visual quality workshops where community members were able to select bridge

530 views • 13 slides
FILTERING MACROECONOMIC DATA WienerKolmogorov Filtering of Stationary Sequences The classical

FILTERING MACROECONOMIC DATA WienerKolmogorov Filtering of Stationary Sequences The classical

FILTERING MACROECONOMIC DATA WienerKolmogorov Filtering of Stationary Sequences The classical theory of linear filtering was formulated independently by Norbert Wiener (1941) and Andrei Nikolaevich Kolmogorov (1941) during the Second World

437 views • 19 slides
Rao-Blackwellised Particle Filtering Based on Rao-Blackwellised Particle Filtering for Dynamic

Rao-Blackwellised Particle Filtering Based on Rao-Blackwellised Particle Filtering for Dynamic

Rao-Blackwellised Particle Filtering Based on Rao-Blackwellised Particle Filtering for Dynamic Bayesian Networks by Arnaud Doucet, Nando de Freitas, Kevin Murphy, and Stuart Russel Other sources Artificial Intelligence: A Modern

268 views • 26 slides
The nftables tutorial Patrick McHardy Pablo Neira Ayuso <kaber@trash.net>

The nftables tutorial Patrick McHardy Pablo Neira Ayuso <kaber@trash.net>

The nftables tutorial Patrick McHardy Pablo Neira Ayuso <kaber@trash.net> <pablo@netfilter.org> Netdev 0.1 February 2015 Ottawa, Canada Proceedings of netdev 0.1, Feb 14-17, 2015, Ottawa, On, Canada What is

499 views • 17 slides
1 Recap: Particle Filtering Video of Demo Moderate Number of Particles Particles: track

1 Recap: Particle Filtering Video of Demo Moderate Number of Particles Particles: track

Particle Filtering CSE 473: Artificial Intelligence Particle Filters Filtering: approximate solution 0.0 0.1 0.0 Sometimes |X| is too big to use exact inference |X| may be too big to even store B(X) 0.0 0.0 0.2 E.g. X is

463 views • 3 slides
The Filtering Matrix Interrogating Internet Filtering and Surveillance Practices Worldwide Nart

The Filtering Matrix Interrogating Internet Filtering and Surveillance Practices Worldwide Nart

The Filtering Matrix Interrogating Internet Filtering and Surveillance Practices Worldwide Nart Villeneuve Director of Technical Research Citizen Lab, University of Toronto CACR 2004 The Filtering Matrix Technical & non-technical

534 views • 15 slides
Bridge How Bridge Can Benefit Your School and Your Students Benefits of Playing Bridge Benefit

Bridge How Bridge Can Benefit Your School and Your Students Benefits of Playing Bridge Benefit

Bridge How Bridge Can Benefit Your School and Your Students Benefits of Playing Bridge Benefit to Administrators Improvement in Standardized Test Scores Promote STEM Education Goals Students Learn Cooperation and Communication

531 views • 14 slides
Bridge Rehabilitation/Replacement Needs Redbud Trail Bridge Barton Springs Road Bridge Presentation

Bridge Rehabilitation/Replacement Needs Redbud Trail Bridge Barton Springs Road Bridge Presentation

Bridge Rehabilitation/Replacement Needs Redbud Trail Bridge Barton Springs Road Bridge Presentation to Mobility Committee April 2015 PWD Bridge Program City of Austin has 447 rated bridges. Goal is to maintain all bridges in

623 views • 22 slides
SR 73 Loudon County Bridge SR73 Bridge History Several alternates were studied q TVA expressed

SR 73 Loudon County Bridge SR73 Bridge History Several alternates were studied q TVA expressed

SR 73 Loudon County Bridge SR73 Bridge History Several alternates were studied q TVA expressed a desire not to replace or widen the existng q bridge on the dam the bridge hampers access requires stopping and controlling trafc maintenance

966 views • 10 slides
A Gentle Introduction A Gentle Introduction to Bilateral Filtering to Bilateral Filtering and

A Gentle Introduction A Gentle Introduction to Bilateral Filtering to Bilateral Filtering and

A Gentle Introduction A Gentle Introduction to Bilateral Filtering to Bilateral Filtering and its Applications and its Applications Sylvain Paris MIT CSAIL Pierre Kornprobst INRIA Odysse Jack Tumblin Northwestern University

421 views • 19 slides
Collaborative Filtering Presentation by Alex Hugger Filtering Documents Mittwoch, 28. April 2010

Collaborative Filtering Presentation by Alex Hugger Filtering Documents Mittwoch, 28. April 2010

Collaborative Filtering Presentation by Alex Hugger Filtering Documents Mittwoch, 28. April 2010 Departement/Institut/Gruppe 2 Content-Based Methods Find other popular items by the same author or similar keywords Recommendation

858 views • 38 slides
Exploring Rimhook Rules and Quantum Schubert Calculus Elizabeth Beazley Haverford College Sage

Exploring Rimhook Rules and Quantum Schubert Calculus Elizabeth Beazley Haverford College Sage

Exploring Rimhook Rules and Quantum Schubert Calculus Elizabeth Beazley Haverford College Sage Days 45 at ICERM February 13, 2013 Elizabeth Beazley Exploring Rimhook Rules A First Example Consider projective space P 3 . Intersection theory

461 views • 45 slides
MEGACO/H.248 H323, SIP & MGCP, MEGACO SS7 PSTN CA SG MGCP GW TN GK GK GW TN PSTN

MEGACO/H.248 H323, SIP & MGCP, MEGACO SS7 PSTN CA SG MGCP GW TN GK GK GW TN PSTN

MEGACO/H.248 H323, SIP & MGCP, MEGACO SS7 PSTN CA SG MGCP GW TN GK GK GW TN PSTN CO TGW RGW H.323 RTP MCU TN TN MCU TN TN CA : Call Agent GW : Gateway TGW : Trunking Gateway GK : Gatekeeper RGW : Residential

657 views • 27 slides
A new method for directly determining the adhesive strength of conductors on micro structured MID

A new method for directly determining the adhesive strength of conductors on micro structured MID

A new method for directly determining the adhesive strength of conductors on micro structured MID H. Willeck, HSG-IMAT 4M2007 Conference on Multi-Material Micro Manufacture 3-5 October 2007 Borovets, Bulgaria www.hsg-imat.de Overview

461 views • 18 slides
Ak An Audio Toolkit for Tcl & Tk Andrew Payne Digital Equipment Corporation Cambridge

Ak An Audio Toolkit for Tcl & Tk Andrew Payne Digital Equipment Corporation Cambridge

Ak An Audio Toolkit for Tcl & Tk Andrew Payne Digital Equipment Corporation Cambridge Research Laboratory June, 1993 dT Slide 1 Outline t AudioFile t Ak details and code examples t Implementation t Future work dT Slide 2 AudioFile t

307 views • 8 slides
Feder ederal al Time Time and and Effort Effort Reporting Requirements Reporting

Feder ederal al Time Time and and Effort Effort Reporting Requirements Reporting

Feder ederal al Time Time and and Effort Effort Reporting Requirements Reporting Requirements Federal Funding Conference March 2020 What is Time What is Time and Effort? and Effort? Charges to Federal Awards for salaries and wages must

361 views • 19 slides
Ethics for Local Elected Officials Frayda Bluestein Norma Houston 2020 Live and On-Demand

Ethics for Local Elected Officials Frayda Bluestein Norma Houston 2020 Live and On-Demand

Ethics for Local Elected Officials Frayda Bluestein Norma Houston 2020 Live and On-Demand Webinar 1 Goals for Our Session: Distinguish between legal and ethical standards Identify key legal issues and ethical considerations

668 views • 20 slides
Health Care Innovation Awards ROUND TWO Webinar 7: Application Road Map July 18, 2013 Agenda

Health Care Innovation Awards ROUND TWO Webinar 7: Application Road Map July 18, 2013 Agenda

Health Care Innovation Awards ROUND TWO Webinar 7: Application Road Map July 18, 2013 Agenda Overview Application Package Helpful Hints 2 Innovation Awards Round Two Goals Engage innovators from the field to: Identify new

371 views • 36 slides
Javascript: the Basics Shan-Hung Wu and DataLab CS, NTHU HTML vs. CSS vs. Javascript HTML

Javascript: the Basics Shan-Hung Wu and DataLab CS, NTHU HTML vs. CSS vs. Javascript HTML

Javascript: the Basics Shan-Hung Wu and DataLab CS, NTHU HTML vs. CSS vs. Javascript HTML defines content and element structure The Nouns CSS defines how an element looks The Adjectives Javascript defines how an

1.82k views • 62 slides

More recommend