i p s e t Proceedings of NetDev 1.1: The Technical Conference on - - PowerPoint PPT Presentation

SLIDE 1

Netdev 1.1, Seville

i p s e t a t

• l

f

• r

f a s t e r , m

• r

e e ffj c i e n t fj r e w a l l i n g w i t h i p t a b l e s

J ó z s e f K a d l e c s i k < k a d l e c @b l a c k h

• l

e . k fl i . h u > M T A Wi g n e r F K

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

SLIDE 2

Netdev 1.1, Seville

C h a l l e n g e s t

• fj

r e w a l l i n g w i t h i p t a b l e s

• L

a r g e n u m b e r

• f

r u l e s

– R

u l e e v a l u a t i

• n

i s l i n e a r

• O

fu e n c h a n g e d r u l e s

– i

p t a b l e s m u s t h a n d l e t h e w h

• l

e t a b l e

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

SLIDE 3

Netdev 1.1, Seville

R u l e s

• F
• c

u s

• n

fj l t e r i n g

– E

x

• t

i c m a t c h e s , t a r g e t s a r e n

• t

c

• m

m

• n
• T

y p i c a l r u l e s

– A

l l

• w

/ d e n y a s e r v i c e a t a g i v e n s e r v e r ,

• p

t i

• n

a l l y l i m i t e d t

• g

i v e n c l i e n t s

– A

l l

• w

/ d e n y a s e r v i c e f

• r

a c l i e n t m a c h i n e ,

• p

t i

• n

a l l y l i m i t e d t

• g

i v e n s e r v e r s

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

SLIDE 4

Netdev 1.1, Seville

I p p

• l
• 2

: J

• a

k i m A x e l s s

• n

: b i t m a p t y p e

• 2

1

• 2

2 : J

• a

k i m A x e l s s

• n

, P a t r i c k S c h a a f a n d M a r t i n J

• s

e f s s

• n

: m

• d

u l a r , b i t m a p a n d m a c i p m a p t y p e s

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

SLIDE 5

Netdev 1.1, Seville

I p p

• l

I I .

• 2

3

• 2

4 : p a t c h e s f r

• m

m e

• 2

4 : P a t r i c k S c h a a f : R e g a r d i n g b a c k w a r d s c

• m

p a t i b i l i t y , m y v

• t

e w

• u

l d b e n

• t

t

• c

a r e , a n d n a m e t h e n e w t h i n g w i t h a n e w n a m e . P r

• p
• s

a l : i p s e t

• 2

1 1 : i p s e t 6 . x

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

SLIDE 6

Netdev 1.1, Seville

I p s e t I .

• D

a t a s e t s w h i c h c a n s t

• r

e g i v e n c

• m

b i n a t i

• n

s

• f

d a t a t y p e s

– I

P ( v 4 / v 6 ) a d d r e s s , n e t b l

• c

k

– M

A C a d d r e s s

– P

r

• t
• c
• l

a n d p

• r

t n u m b e r / t y p e

– I

n t e r f a c e n a m e

– M

a r k v a l u e

– S

e t n a m e

• K

e r n e l A P I

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

SLIDE 7

Netdev 1.1, Seville

I p s e t I I .

• D

i fg e r e n t s t

• r

a g e m e t h

• d

s :

– B

i t m a p

– H

a s h

– L

i s t

• S

e t e l e m e n t e x t e n s i

• n

s :

– T

i m e

• u

t

– C

• u

n t e r s

– C

• m

m e n t

– S

k b i n f

• S

e t d i m e n s i

• n

– b

i t m a p : i p

– h

a s h : i p , p

• r

t

– h

a s h : i p , p

• r

t , i p

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

SLIDE 8

Netdev 1.1, Seville

U s e r s p a c e t

• l
• ipset

:

• )
• M

i n i m a l d e p e n d e n c y

– l

i b m n l

• C
• m

m a n d l i n e s y n t a x s i m i l a r t

• ip

– B

a c k w a r d c

• m

p a t i b i l i t y k e p t w i t h

• l

d e r i p s e t s y n t a x

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

SLIDE 9

Netdev 1.1, Seville

C

• m

m a n d k e y w

• r

d s

• Wh
• l

e s e t :

–

c r e a t e , d e s t r

• y

, l i s t , s a v e , r e s t

• r

e , fm u s h , r e n a m e , s w a p

• S

e t e l e m e n t :

– a

d d , d e l , t e s t

• S

i n g l e l e tu e r e q u i v a l e n t s

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

SLIDE 10

Netdev 1.1, Seville

C r e a t e a n d a d d , d e l , t e s t s y n t a x

• C

r e a t e a s e t : m e t h

• d

, d a t a t y p e s m u s t b e s p e c i fj e d

– m

e t h

• d

: d a t a _ t y p e [ , d a t a _ t y p e [ , d a t a _ t y p e ] # ipset create test hash:ip,port,ip

• A

d d / d e l e t e / t e s t e l e m e n t : c

• m

p

• n

e n t s i n t h e g i v e n

• r

d e r m u s t b e s p e c i fj e d

# ipset add test 192.168.1.1,udp:53,8.8.8.8 # ipset test test 192.168.1.1,udp:53,8.8.8.8

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

SLIDE 11

Netdev 1.1, Seville

B i t m a p m e t h

• d
• C
• n

t i n u

• u

s b i t v e c t

• r

w h e r e e v e r y b i t r e p r e s e n t s

• n

e a d d r e s s f r

• m

a r a n g e

• f

a d d r e s s e s : I P v 4 a d d r e s s = B a s e I P v 4 a d d r e s s + b i t p

• s

i t i

• n
• C

a n b e g e n e r a l i z e d t

• s

u p p

• r

t t

• s

t

• r

e

– S

a m e s i z e I P v 4 n e t b l

• c

k s

– I

P v 4 + M A C a d d r e s s p a i r s – M A C a d d r e s s e s s t

• r

e d i n a n

• t

h e r d a t a v e c t

• r

– T

C P

• r

U D P p

• r

t n u m b e r s

• L

i m i t e d t

• 6

5 5 3 6 e l e m e n t s ( / 1 6 )

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

SLIDE 12

Netdev 1.1, Seville

b i t m a p : i p

• S

t

• r

e I P v 4 a d d r e s s e s f r

• m

a r a n g e

ipset n set1 bitmap:ip range 10.0.0.0-10.0.0.255 ipset a set1 10.0.0.1 ipset a set 10.0.0.5-10.0.0.15

• S

t

• r

e s a m e s i z e I P v 4 n e t b l

• c

k s

ipset c set2 bitmap:ip 0.0.0.0/0 netmask 16 ipset a set2 10.1.0.0 # 10.1.0.0/16 ipset a set2 10.7.0.0 # 10.7.0.0/16

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

SLIDE 13

Netdev 1.1, Seville

b i t m a p : i p , m a c

• S

t

• r

e I P v 4 a n d M A C a d d r e s s p a i r s

– S

• u

r c e M A C a d d r e s s e s

• n

l y

– C

a n b e a d d e d w i t h

• u

t M A C a d d r e s s , fj r s t m a t c h w i l l fj l l

• u

t M A C

ipset c set3 bitmap:ip,mac 192.168.0.0/16 ipset a set3 192.168.1.1,00:01:23:45:67:89 ipset a set3 192.168.1.2

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

SLIDE 14

Netdev 1.1, Seville

H a s h i n g

• M

a p d a t a s p a c e i n t

• a

fj x e d d a t a s p a c e , w h e r e t h e a l g

• r

i t h m m u s t b e

– D

e t e r m i n i s t i c s

– U

n i f

• r

m

• L

i n u x k e r n e l

– j

h a s h

• C
• l

l i s i

• n

h a n d l i n g

– T

y p i c a l l y l i n k e d l i s t s

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

SLIDE 15

Netdev 1.1, Seville

H a s h m e t h

• d
• H

a s h s i z e i s f

• r

c e d t

• p
• w

e r

• f

t w

• ,

f

• r

s p e e d

• C
• l

l i d e d e l e m e n t s a r e s t

• r

e d i n a r r a y s i n s t e a d

• f

l i n k e d l i s t s

– 4

• 1

2 x e l e m s i z e

– 1

2 x e l e m s i z e a r r a y f u l l : g r

• w

h a s h

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

SLIDE 16

Netdev 1.1, Seville

h a s h : i p

• S

t

• r

e r a n d

• m

I P a d d r e s s e s

ipset n set4 hash:ip hashsize 1024 ipset a set4 10.1.1.1 ipset a set4 192.168.168.168

• A

l s

• ,

c a n s t

• r

e s a m e s i z e n e t b l

• c

k s

ipset n set5 hash:ip family inet6 netmask 64 ipset a set5 2001:2001:2001:: ipset a set5 2001:2001:abcd::

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

SLIDE 17

Netdev 1.1, Seville

h a s h : n e t

• S

t

• r

e d i fg e r e n t s i z e d n e t b l

• c

k s

– /

n

• t

s u p p

• r

t e d

– „

n

• m

a t c h ” k e y w

• r

d t

• e

x c l u d e s u b n e t s

– S

p e e d i s p r

• p
• r

t i

• n

a l t

• t

h e n u m b e r

• f

d i fg e r e n t s i z e d n e t b l

• c

k s i n t h e s e t

ipset n set6 hash:net ipset a set6 192.168.0.0/24 ipset a set6 10.1.0.0/16 ipset a set6 10.1.2.0/24 nomatch

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

SLIDE 18

Netdev 1.1, Seville

H a s h m e t h

• d

a n d p

• r

t

• H

a s h m e t h

• d

c a n s t

• r

e d a t a d

• u

b l e s , t r i p l e s w i t h „ p

• r

t ” k i n d

• f

s u b

• d

a t a :

• M

e a n s p r

• t
• c
• l

a n d p

• r

t n u m b e r t

• g

e t h e r

–

T C P , U D P , S C T P , U D P L i t e , I C M P , I C M P v 6

– D

e f a u l t i s T C P

– F

• r

I C M P a n d I C M P v 6 : t y p e / c

• d

e i n s t e a d

• f

p

• r

t n u m b e r

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

SLIDE 19

Netdev 1.1, Seville

H a s h m e t h

• d

: s i n g l e , d

• u

b l e , t r i p l e

• h

a s h : i p

• h

a s h : i p , m a r k

• h

a s h : i p , p

• r

t

• h

a s h : i p , p

• r

t , i p

• h

a s h : i p , p

• r

t , n e t

• h

a s h : m a c

• h

a s h : n e t

• h

a s h : n e t , n e t

• h

a s h : n e t , p

• r

t

• h

a s h : n e t , p

• r

t , n e t

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

SLIDE 20

Netdev 1.1, Seville

h a s h : i p , p

• r

t e x a m p l e

• Tie

p u b l i c s e r v i c e s a v a i l a b l e f

• r

e v e r y

• n

e

ipset n services hash:ip,port ipset a services 192.168.1.1,icmp:ping ipset a services 192.168.1.1,udp:53 ipset a services 192.168.1.1,tcp:53 ipset a services 192.168.1.4,25 ipset a services 192.168.1.4,587

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

SLIDE 21

Netdev 1.1, Seville

h a s h : n e t , i f a c e

• S

p e c i a l t y p e t

• s

t

• r

e n e t b l

• c

k , i n t e r f a c e n a m e p a i r s

– /

s u p p

• r

t e d ipset n zones hash:net,iface ipset a zones 192.168.0.0/16,tenant1 ipset a zones 192.168.1.0/24,tenant2 ipset a zones 0/0,wan

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

SLIDE 22

Netdev 1.1, Seville

L i s t m e t h

• d
• l

i s t : s e t

– S

i m p l e l i n k e d l i s t t

• s

t

• r

e s e t s i n s e t s

– F

i r s t m a t c h w i n ipset n sets list:set ipset a sets set1 ipset a sets set2

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

SLIDE 23

Netdev 1.1, Seville

T i m e

• u

t e x t e n s i

• n
• E

l e m e n t s t i m e s

• u

t a u t

• m

a t i c a l l y

– G

a r b a g e c

• l

l e c t

• r

– C

r e a t e w i t h t h e t i m e

• u

t k e y w

• r

d a n d d e f a u l t v a l u e # ipset create test hash:ip timeout 600

– A

d d e l e m e n t s w i t h s p e c i fj c t i m e

• u

t v a l u e # ipset add test 10.0.0.1 timeout 1200 # ipset add test 10.0.0.2 timeout 0 # ipset add test 10.0.0.3

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

SLIDE 24

Netdev 1.1, Seville

C

• m

m e n t e x t e n s i

• n
• E

l e m e n t s m a y h a v e c

• m

m e n t s , m a x 2 5 5 c h a r s

– C

r e a t e t h e s e t w i t h t h e c

• m

m e n t k e y w

• r

d # ipset create test hash:net comment

– A

d d e l e m e n t s w i t h t h e c

• m

m e n t v a l u e # ipset add test 10.0.0.0/8 \ comment ”Private A block” # ipset add test 192.168.0.0/16 \ comment ”Private B block”

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

SLIDE 25

Netdev 1.1, Seville

C

• u

n t e r s e x t e n s i

• n
• E

l e m e n t s h a v e c

• u

n t e r s w h i c h a r e u p d a t e d a t e v e r y m a t c h i n t h e k e r n e l

– C

r e a t e t h e s e t w i t h t h e c

• u

n t e r s k e y w

• r

d # ipset create test hash:ip,port counters

– A

d d e l e m e n t s w i t h p r e d e fj n e d c

• u

n t e r v a l u e s # ipset add test 10.0.0.1:80 \ packets 8 bytes 1024

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

SLIDE 26

Netdev 1.1, Seville

S k b i n f

• e

x t e n s i

• n
• M

e t a i n f

• r

m a t i

• n

s c a n b e s t

• r

e d a n d a tu a c h e d t

• t

h e m a t c h i n g p a c k e t s

– s

k b m a r k : m a r k v a l u e

• r

m a r k / m a s k

– s

k b p r i

• :

t c c l a s s i n m a j

• r

: m i n

• r

f

• r

m a t

– s

k b q u e u e : h a r d w a r e q u e u e n u m b e r # ipset create test hash:net skbinfo # ipset add test 10.0.0.0/24 \ skbmark 0x1 skbprio 1:10 skbqueue 10

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

SLIDE 27

Netdev 1.1, Seville

I p s e t a n d i p t a b l e s

• I

p t a b l e s h a s n

• i

d e a w h a t k i n d

• f

s e t w e u s e

– N

a m e

– Wh

a t d i r e c t i

• n
• f

a g i v e n p a r a m e t e r s h

• u

l d b e f e t c h e d f r

• m

t h e p a c k e t w h e n c

• n

s t r u c t i n g t h e e l e m e n t t

• l
• k

u p

– Tie

d i r e c t i

• n

p a r a m e t e r s m u s t b e a t l e a s t a s m a n y a s t h e d i m e n s i

• n
• f

t h e s e t ipset n services hash:ip,port iptables -A FORWARD -m set \

• -match-set services dst,dst -j accept

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

SLIDE 28

Netdev 1.1, Seville

i p s e t a n d i p t a b l e s c

• n

t .

• Tie

a d d i t i

• n

a l d i r e c t i

• n

p a r a m e t e r s a r e i g n

• r

e d

ipset n public-services hash:ip,port ipset n restricted-services hash:ip,port,ip ipset n services list:set ipset a services restricted-services ipset a services public-services iptables -A FORWARD -m set \

• -match-set services dst,dst,src -j accept

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

SLIDE 29

Netdev 1.1, Seville

S E T t a r g e t

• We

c a n d i n a m i c a l l y a d d / d e l e t e e l e m e n t s t

• s

e t s

• I

d e a l t

• b

l

• c

k s c a n n e r s , w i t h t i m e

• u

t c

• m

b i n e d

ipset n scanners hash:ip timeout 1800 iptables -N deny iptables -A deny -j SET --add-set scanners src iptables -A deny -j NFLOG --nflog-prefix... iptables -A deny -j DROP

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

SLIDE 30

Netdev 1.1, Seville

S w a p s e t s

• A

t

• m

i c

• p

e r a t i

• n

f r

• m

i p t a b l e s p

• i

n t

• f

v i e w

ipset n hash:ip main iptables -A FORWARD -m set --match-set main.. ipset n hash:ip main-tmp … ipset swap main main-tmp ipset destroy main-tmp

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

SLIDE 31

Netdev 1.1, Seville

I p s e t a n d s e t s i n n fu a b l e s I .

• i

p s e t

– I

P v 4 a d d r e s s

– I

P v 6 a d d r e s s

– I

P v 4 n e t b l

• c

k

– I

P v 6 n e t b l

• c

k

– M

A C a d d r e s s

– P

r

• t
• c
• l

, p

• r

t

– M

a r k

– I

n t e r f a c e n a m e

– S

e t n a m e s

– F

i x e d c

• m

b i n a t i

• n

s

• n

fu a b l e s

– I

P v 4 a d d r e s s

– I

P v 6 a d d r e s s

– M

A C a d d r e s s ( e t h e r )

– P

r

• t
• c
• l

, p

• r

t

– M

a r k

– A

r b i t r a r y c

• m

b i n a t i

• n

s

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

SLIDE 32

Netdev 1.1, Seville

I p s e t a n d s e t s i n n fu a b l e s I I .

• i

p s e t

– N

a m e d s e t s

– E

x t e n s i

• n

s

• T

i m e

• u

t

• C
• m

m e n t

• C
• u

n t e r s

• s

k b i n f

• n

fu a b l e s

– N

a m e d s e t s

– A

n

• n

y m

• u

s s e t s

• T

i m e

• u

t

• C
• m

m e n t

– M

a p s

– D

i c t i

• n

a r i e s

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

SLIDE 33

Netdev 1.1, Seville

I p s e t a n d s e t s i n n fu a b l e s I I I .

• i

p s e t

– B

i t m a p

– H

a s h

– L

i s t

– H

a s h :

• A

r r a y s

• G

r

• w
• n

l y

• n

fu a b l e s

– H

a s h

– H

a s h :

• L

i n k e d l i s t s

• G

r

• w
• s

h r i n k

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

SLIDE 34

Netdev 1.1, Seville

P e r f

• r

m a n c e , i p t a b l e s t e s t

• J

e s p e r D a n g a a r d B r

• u

e r

# Simple drop in raw table, single match rule iptables -t raw -N simple iptables -t raw -I simple -s 198.18.0.0/15 -j DROP iptables -t raw -I PREROUTING -j simple

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

SLIDE 35

P e r f

• r

m a n c e , i p s e t t e s t

# Dropping via ipset, 65k IP addresses echo ”create test hash:ip hashsize 65536” > test.set for x in `seq 0 255`; do for y in `seq 0 255; do echo ”add test 192.168.$x.$y” >> test.set done; done ipset restore < test.set iptables -t raw -N net198 iptables -t raw -I net198 \

• m set --match-set test src -j DROP

iptables -t raw -I PREROUTING -j net198

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

SLIDE 36

Netdev 1.1, Seville

P e r f

• r

m a n c e r e s u l t s

Generator sending 12.2Mpps Iptables, single matching IP rule 11.3Mpps Single matching ipset rule, 65k elements, before v 6.24 8.0Mpps Single matching ipset rule, 65k elements, with v 6.24 11.3Mpps

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

SLIDE 37

Netdev 1.1, Seville

Tia n k y

• u

!

h tu p : / / i p s e t . n e t fj l t e r .

• r

g

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)