LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Little things that matter in language design

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Implementing network channels

Implementing network channels

Posted May 4, 2006 14:05 UTC (Thu) by kfiles (subscriber, #11628)
In reply to: Implementing network channels by nix
Parent article: Implementing network channels

> I think the netfilter problems are more significant.

I don't see why. If I'm designing a server process that requires very high throughput, I'm not going to install iptables rules for established connections. That kind of performance hit just seems antithetical to high throughput.

I would think the following logic would be fine for users:
* If the iptables rules installed only filter on the first packet in a connection, network channels can be used for data reception.
* If per-packet (establisted connection) rules are in effect, disable network channels.

I'd be perfectly happy with such a compromise, and I can't imagine it would be to hard to set a /proc variable when iptables installs a rull for established connections.

--kirby

(Log in to post comments)

Implementing network channels

Posted May 4, 2006 21:02 UTC (Thu) by caitlinbestler (guest, #32532) [Link]

Or more generally, before binding a flow to a netchannel:

1) find all netfilter rules that would apply to the flow.
2) If the hardware end of the netchannel can implement those
restirctions then proceed, otherwise don't assign the
netchannel directly to the hardware.

The rule you cited deals with the easy subset: there are
no rules that apply once the connection is established.
And obviously any hardware would be able to implement
zero rules. But other hardware may be able to implement
*some* rules, the most important plausible probably being
to count every packet within the connection.

Implementing network channels

Posted May 4, 2006 22:19 UTC (Thu) by smoogen (subscriber, #97) [Link]

The case where I could see the need for high throughput and high integrity or modification would be in a router. In some cases you want the netfilter stack to be very low level. I could see netfilter in this 'world' to be split into a layered approach. A very high level port open/port closed ACL level, a lower related/established, and a very low level 'what the f is this doing in my packet level.'

routers / firewalls

Posted May 9, 2006 2:48 UTC (Tue) by xoddam (subscriber, #2322) [Link]

Packets don't go to userspace at all if they're going *through* a router.
But we still need this functionality for firewalls on the host.

Some firewall applications need to track connections, scan packets
within a connection, and even have the option of dropping connections
altogether (eg. intrusion protection). Netfilter will need some
rearrangement to achieve this if channels go direct to userspace.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds