bridge filtering with nftables
play

bridge filtering with nftables Florian Westphal 4096R/AD5FF600 - PowerPoint PPT Presentation

Sep 01, 2023 •518 likes •694 views

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) bridge filtering with nftables Florian Westphal 4096R/AD5FF600 fw@strlen.de 80A9 20C5 B203 E069 F586 AE9F 7091 A8D9 AD5F F600 Red

  1. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) bridge filtering with nftables Florian Westphal 4096R/AD5FF600 fw@strlen.de 80A9 20C5 B203 E069 F586 AE9F 7091 A8D9 AD5F F600 Red Hat February 2016

  2. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Intro ◮ same concept as netfilter ipv4/ipv6 ◮ “hooks” are placed at various spots in the bridge module ◮ kernel modules can register functions to be called at these hook points NF_HOOK(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL, br_handle_frame_finish); ◮ iterates over registered functions and calls them ◮ functions can decide fate of packet (continue, drop, . . . )

  3. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Kernel Bridge Hooks PREROUTING FDB FORWARDING POSTROUTING INPUT OUTPUT Host

  4. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) current state: ebtables ◮ cloned off iptables more than a decade ago ◮ offers a few (stateless) matches and targets ◮ ip/ip6 addresses, vlan id ◮ packet type (i.e. multicast, broadcast, . . . ) ◮ packet mark ◮ src/dst MAC rewrite, redirect to local stack support (routing, proxies) ◮ bridge netfilter hooks placed in bridge code, similar to ip stack ◮ no stateful matches, no connection tracking ◮ ebtables cannot use xtables targets or modules

  5. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) call-iptables (1) ◮ br_netfilter.ko – implements call-iptables mode: ◮ invoke ip/ipv6 nf hooks from the bridge path ◮ upside: ◮ provides all xtables modules and targets (via iptables ruleset on the bridge) ◮ conntrack support, L3/L4 NAT ◮ downside: ◮ many subtle layering violations and problems ◮ inet “owns” skb->cb[] : save/restore for each iptables trip ◮ in iptables indev and outdev is bridge, i.e. -i br0 instead of bridge port ◮ VLAN mess: allows temporary removal of VLAN header ◮ end host/router doesn’t care, filtering via ifname (” -i eth0.42 ”) ◮ VLAN data only accessible from bridge hooks

  6. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) call-iptables (2) – conntrack ◮ the good news: It’ll work ◮ unless you have overlapping addresses (different bridges, VLANs) ◮ unless you need/use NFQUEUE to have packets inspected by userspace (e.g. suricata). ◮ bridge has to consult ipv4 FIB to cope with NAT ◮ also needs to cope with e.g. re-lookup of the destination MAC address ◮ skb->nf_bridge exists only because of the call-iptables mode

  7. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Summary ◮ bridge filtering is usually done with both ebtables and iptables rulesets ◮ ... because thats the only way you get conntrack + iptables features ◮ at least one long standing oops (call-iptables+conntrack+nfqueue) remaining ◮ another problem: netfilter hooks are per namespace, not per bridge ◮ ebtables == ’iptables from 2001’ (e.g. rwlock in main traverser)

  8. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) nfqueue ◮ pass packets to userspace via netlink ◮ userspace can drop or accept packet ◮ userspace can rewrite/replace payload ◮ backend is limited to ip and ipv6 ◮ netlink attributes provided (incomplete list): ◮ the family and hook that queued the packet ◮ in and outgoing interface index ◮ packet nfmark ◮ packet payload (starts w. network header – skb->data )

  9. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) nfqueue for bridge ◮ most simple solution: just push/pull eth header ◮ i.e. payload attribute starts with ethernet header ◮ several issues with this approach ◮ VLAN untag or extra attribute? ◮ how to allow l2 header rewriting? Doesn’t really work since we might have to pull more data, e.g. added qinq ◮ seems preferable to add new netlink attributes ◮ bonus: can use this for netdev family too

  10. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) nfqueue for bridge, plan ◮ add new attributes for L2 and VLAN header ◮ L2 – skb_mac_header() ◮ can add L2 header expansion/shrinking since attr size is known ◮ VLAN – serialize skb vlan metadata ◮ no need to untag queued skb ◮ allows later addition of VLAN header removal

  11. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Handling overlapping addresses ◮ distinct VLANs might have duplicate addresses ◮ already a problem w. call-iptables and bridge-nf-filter-vlan-tagged enabled ◮ partial workaround for conntrack with -j CT --zone x , but not for defrag ◮ requires manual setup ◮ not very efficient with lots of vlan zone pairs due to xtables limitations

  12. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Handling overlapping addresses (2) ◮ could extract vlan id and use that as additional key ◮ would need kernel change when e.g. asking to conntrack ip inside PPPoE frames ◮ in light of this manual setup doesn’t seem too bad nft would not suffer from ’linear ruleset’ xt problem, e.g. use map: add rule bridge track pre ct zone set vlan id map { 1 : 1, 2 : 2 ...

  13. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) bridge conntrack plan: add new bridge ct expression ◮ serves as ingress hook point and conntrack-enable switch ◮ native bridge hooks for confirmation, helpers and reply direction ◮ look at skb->protocol , then do upcall to ipv4 or ipv6 ct handler ◮ no tracking for outgoing connections – ip(6) conntrack already does it

  14. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) bridge conntrack hook overview add following bridge hooks: ◮ postrouting: ◮ helper ◮ confirmation ◮ prerouting: ◮ reply traffic handling, i.e. no NEW ctstate also handle IP(v6) defragmentation here ◮ absent: ◮ no input confirm (would be handled by ipv4/ipv6 hook) ◮ prerouting input for new connections – only via explicit rule

  15. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) no auto-defrag? ◮ ipv4/ipv6 conntrack forces defrag via module dependency ◮ ”How can I disable nf_defrag_ipv4 on ethX”? You can’t ◮ How would one go about to allow this? Best idea so far: defrag expression: add rule bridge track pre meta iif not ethX defrag ◮ Need for manual config doesn’t play nice with conntrack RELATED handling ◮ seems best to force-on once conntrack is used/activated

  16. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Future Work ◮ implement defrag+conntrack as outlined ◮ try to avoid dependencies – no ipv6 conntrack outload for example ◮ L3/L4 nat not planned at the moment ◮ can use ether set daddr plus pkttype set unicast to redirect packet to bridge for routing Questions?

Recommend

Suricata IDPS and Nftables: The Mixed Mode Giuseppe Longo Stamus Networks Jul 5, 2016 Giuseppe

Suricata IDPS and Nftables: The Mixed Mode Giuseppe Longo Stamus Networks Jul 5, 2016 Giuseppe

Suricata IDPS and Nftables: The Mixed Mode Giuseppe Longo Stamus Networks Jul 5, 2016 Giuseppe Longo (Stamus Networks) Suricata IDPS and Nftables: The Mixed Mode Jul 5, 2016 1 / 60 Netfilter 1 Nftables Tables and chains Rules Suricata

1.09k views • 75 slides
1 An Filtering System that Monitors Document Search Engines Can Help, But Not Enough!

1 An Filtering System that Monitors Document Search Engines Can Help, But Not Enough!

Filtering May be Your Work Adaptive Information Filtering Using Bayesian Graphical Models Yi Zhang Baskin School of Engineering University of California Santa Cruz yiz@soe.ucsc.edu 1 2 Filtering May be Your Work Filtering May be Your Work

415 views • 8 slides
Load Balancing with nftables by Laura Garca (Zen Load Balancer Team) Netdev 1.1 Prototype of

Load Balancing with nftables by Laura Garca (Zen Load Balancer Team) Netdev 1.1 Prototype of

Load Balancing with nftables by Laura Garca (Zen Load Balancer Team) Netdev 1.1 Prototype of Load Balancing with nftables Goal: High Performance Load Balancer Load Balancing Solutions Load Balancing Solutions Linux Virtual Server

1.31k views • 40 slides
Traffic Control Mechanisms Filtering Source address filtering Other forms of filtering

Traffic Control Mechanisms Filtering Source address filtering Other forms of filtering

Traffic Control Mechanisms Filtering Source address filtering Other forms of filtering Rate limits Protection against traffic analysis Padding Routing control Lecture 9 Page 1 CS 236 Online Source Address Filtering

366 views • 11 slides
CS490W: What is Collaborative Filtering? Collaborative Filtering (CF): Making recommendation

CS490W: What is Collaborative Filtering? Collaborative Filtering (CF): Making recommendation

CS490W: What is Collaborative Filtering? Collaborative Filtering (CF): Making recommendation decisions for a specific CS-490W user based on the judgments of users with similar tastes Collaborative Filtering Luo Si Train_User 1 1 5 3 3 4

628 views • 6 slides
5 th Street SE Bridge Overview Bridge is functionally obsolete New bridge funded with

5 th Street SE Bridge Overview Bridge is functionally obsolete New bridge funded with

5 th Street SE Bridge Overview Bridge is functionally obsolete New bridge funded with federal money Layout was approved 2017 MnDOT hosted several visual quality workshops where community members were able to select bridge

530 views • 13 slides
FILTERING MACROECONOMIC DATA WienerKolmogorov Filtering of Stationary Sequences The classical

FILTERING MACROECONOMIC DATA WienerKolmogorov Filtering of Stationary Sequences The classical

FILTERING MACROECONOMIC DATA WienerKolmogorov Filtering of Stationary Sequences The classical theory of linear filtering was formulated independently by Norbert Wiener (1941) and Andrei Nikolaevich Kolmogorov (1941) during the Second World

437 views • 19 slides
Rao-Blackwellised Particle Filtering Based on Rao-Blackwellised Particle Filtering for Dynamic

Rao-Blackwellised Particle Filtering Based on Rao-Blackwellised Particle Filtering for Dynamic

Rao-Blackwellised Particle Filtering Based on Rao-Blackwellised Particle Filtering for Dynamic Bayesian Networks by Arnaud Doucet, Nando de Freitas, Kevin Murphy, and Stuart Russel Other sources Artificial Intelligence: A Modern

268 views • 26 slides
The nftables tutorial Patrick McHardy Pablo Neira Ayuso <kaber@trash.net>

The nftables tutorial Patrick McHardy Pablo Neira Ayuso <kaber@trash.net>

The nftables tutorial Patrick McHardy Pablo Neira Ayuso <kaber@trash.net> <pablo@netfilter.org> Netdev 0.1 February 2015 Ottawa, Canada Proceedings of netdev 0.1, Feb 14-17, 2015, Ottawa, On, Canada What is

499 views • 17 slides
1 Recap: Particle Filtering Video of Demo Moderate Number of Particles Particles: track

1 Recap: Particle Filtering Video of Demo Moderate Number of Particles Particles: track

Particle Filtering CSE 473: Artificial Intelligence Particle Filters Filtering: approximate solution 0.0 0.1 0.0 Sometimes |X| is too big to use exact inference |X| may be too big to even store B(X) 0.0 0.0 0.2 E.g. X is

463 views • 3 slides
The Filtering Matrix Interrogating Internet Filtering and Surveillance Practices Worldwide Nart

The Filtering Matrix Interrogating Internet Filtering and Surveillance Practices Worldwide Nart

The Filtering Matrix Interrogating Internet Filtering and Surveillance Practices Worldwide Nart Villeneuve Director of Technical Research Citizen Lab, University of Toronto CACR 2004 The Filtering Matrix Technical & non-technical

534 views • 15 slides
Bridge How Bridge Can Benefit Your School and Your Students Benefits of Playing Bridge Benefit

Bridge How Bridge Can Benefit Your School and Your Students Benefits of Playing Bridge Benefit

Bridge How Bridge Can Benefit Your School and Your Students Benefits of Playing Bridge Benefit to Administrators Improvement in Standardized Test Scores Promote STEM Education Goals Students Learn Cooperation and Communication

531 views • 14 slides
Bridge Rehabilitation/Replacement Needs Redbud Trail Bridge Barton Springs Road Bridge Presentation

Bridge Rehabilitation/Replacement Needs Redbud Trail Bridge Barton Springs Road Bridge Presentation

Bridge Rehabilitation/Replacement Needs Redbud Trail Bridge Barton Springs Road Bridge Presentation to Mobility Committee April 2015 PWD Bridge Program City of Austin has 447 rated bridges. Goal is to maintain all bridges in

623 views • 22 slides
SR 73 Loudon County Bridge SR73 Bridge History Several alternates were studied q TVA expressed

SR 73 Loudon County Bridge SR73 Bridge History Several alternates were studied q TVA expressed

SR 73 Loudon County Bridge SR73 Bridge History Several alternates were studied q TVA expressed a desire not to replace or widen the existng q bridge on the dam the bridge hampers access requires stopping and controlling trafc maintenance

966 views • 10 slides
A Gentle Introduction A Gentle Introduction to Bilateral Filtering to Bilateral Filtering and

A Gentle Introduction A Gentle Introduction to Bilateral Filtering to Bilateral Filtering and

A Gentle Introduction A Gentle Introduction to Bilateral Filtering to Bilateral Filtering and its Applications and its Applications Sylvain Paris MIT CSAIL Pierre Kornprobst INRIA Odysse Jack Tumblin Northwestern University

421 views • 19 slides
Collaborative Filtering Presentation by Alex Hugger Filtering Documents Mittwoch, 28. April 2010

Collaborative Filtering Presentation by Alex Hugger Filtering Documents Mittwoch, 28. April 2010

Collaborative Filtering Presentation by Alex Hugger Filtering Documents Mittwoch, 28. April 2010 Departement/Institut/Gruppe 2 Content-Based Methods Find other popular items by the same author or similar keywords Recommendation

858 views • 38 slides
Filtering Cubemaps Filtering Cubemaps Angular Extent Filtering and Edge Seam Fixup Methods

Filtering Cubemaps Filtering Cubemaps Angular Extent Filtering and Edge Seam Fixup Methods

Filtering Cubemaps Filtering Cubemaps Angular Extent Filtering and Edge Seam Fixup Methods Angular Extent Filtering and Edge Seam Fixup Methods John R. Isidoro 3D Application Research Group ATI Research Introduction Introduction Hardware

463 views • 25 slides
Deriving Filtering Algorithms Deriving Filtering Algorithms from Constraint Checkers from

Deriving Filtering Algorithms Deriving Filtering Algorithms from Constraint Checkers from

Deriving Filtering Algorithms Deriving Filtering Algorithms from Constraint Checkers from Constraint Checkers Nicolas Beldiceanu(1), Mats Carlsson(2) and Thierry Petit(1) (1) LINA FRE CNRS 2729, Ecole des Mines de Nantes, FR-44307 Nantes Cedex

642 views • 40 slides
Computer Graphics Texture Filtering Philipp Slusallek Filtering Magnification (Zoom-in)

Computer Graphics Texture Filtering Philipp Slusallek Filtering Magnification (Zoom-in)

Computer Graphics Texture Filtering Philipp Slusallek Filtering Magnification (Zoom-in) Map few texels onto many pixels Pixel Reconstruction filter: Nearest neighbor interpolation: Take the nearest texel Bilinear

392 views • 26 slides
Lesson 7 Rate Conversion Filtering and Downsampling interchange Filtering and Upsampling

Lesson 7 Rate Conversion Filtering and Downsampling interchange Filtering and Upsampling

Lesson 7 Rate Conversion Filtering and Downsampling interchange Filtering and Upsampling interchange Polyphase decomposition Polyphase Filtering Polyphase Filtering Polyphase filtering Example Example Example Example -n -n Example

474 views • 16 slides
Matched filtering 6.011, Spring 2018 Lec 24 1 Matched filtering for detecting known signal in

Matched filtering 6.011, Spring 2018 Lec 24 1 Matched filtering for detecting known signal in

Matched filtering 6.011, Spring 2018 Lec 24 1 Matched filtering for detecting known signal in white Gaussian noise H 1 r [ n ] g [ n ] g [0] 7 LTI, h [ ] Threshold g 6 n = 0 H 0 2 Matched filter performance f ( g | H 1 )

333 views • 9 slides
Meaningful Access: Bridge Project Jorge Rivera, Project Lead (MLS) | Bridge Project, Planning

Meaningful Access: Bridge Project Jorge Rivera, Project Lead (MLS) | Bridge Project, Planning

Meaningful Access: Bridge Project Jorge Rivera, Project Lead (MLS) | Bridge Project, Planning Department , Toronto Public Library Kristian Roberts, Partner, Nordicity Jan 31, 2020 What is Bridge? The Bridge Technology Services Assessment Toolkit

285 views • 28 slides
Filtering and the matrix step in NFS Thorsten Kleinjung Laboratory for Cryptologic Algorithms

Filtering and the matrix step in NFS Thorsten Kleinjung Laboratory for Cryptologic Algorithms

Filtering and the matrix step in NFS Thorsten Kleinjung Laboratory for Cryptologic Algorithms EPFL, Station 14, CH-1015 Lausanne, Switzerland 1 / 17 Contents Overview NFS The matrix step Filtering A modified filtering approach 2 / 17

686 views • 22 slides
A/D Conversion and A/D Conversion Filtering for Ultra Low Filtering for Ultra Low A/D

A/D Conversion and A/D Conversion Filtering for Ultra Low Filtering for Ultra Low A/D

Advanced Digital IC Design Contents A/D Conversion and A/D Conversion Filtering for Ultra Low Filtering for Ultra Low A/D Converters Introduction Oversampling A/D Converters Power Radios modulator for Ultra Low Power Radios Measurement

631 views • 9 slides

More recommend