Day 1: Tutorials: Advanced IP Packet Mangling in Linux 2.4



Rusty, who basically rewrote the firewalling code in 2.4, quite naturally gave a tutorial on his new code.


Rusty also wrote ipchains in 2.2 and ended up getting lots of support questions for things like masquerading, which he didn't write :-).
Another problem with the networking code in 2.2 is that firewalling, port forwarding and such were hacked in by different people at different times. The end result was fairly fragile, and things like transparent proxying would end up breaking too often (3 times by Rusty's recollection while other people were hacking on the stack).
It became obvious that a clean rewrite and a new infrastructure were needed, and that's what Rusty did.

Rusty put in 5 hooks:

Each hook can alter packets and return NF_DROP, NF_ACCEPT, NF_QUEUE (queue the packet for asynchronous handling by another piece of code in user space), NF_REPEAT (not used yet), or NF_STOLEN (the hook has taken the packet: it shouldn't be freed, it should just be forgotten).

In addition to IPv4, people have contributed support for IPv6, DECnet, Appletalk and IPX (and Rusty made humorous comments on the important future of packet filtering on DECnet and Appletalk. Did I mention that Rusty is a really fun speaker? :-))
Netfilter has enough hooks to cleanly extend functionality for filtering, NAT and random hacks, and the plan is that we won't need yet another system with yet another interface in 2.5/2.6, although Rusty likes "Rusty chains" as a name for the next version :-)

iptables allows for several chains, like ipchains, but also for several tables (filter, nat and mangle). It now lets you target packets in 5 places (listed above), where (I quote) "god intended them to be".
NAT can be done in 3 places (pre_routing (destination rewrite), local_out (destination rewrite) and post_routing (source rewrite)). The main idea is that here, you can write your filtering rules independently from the NAT rewriting.
The mangle table is used for special effects and hacks.

User visible changes:

All the match options are now extensions, which makes everything extensible and makes adding more kinds of limits possible. A cool addition is the limit match, which only returns true a certain number of times per unit of time. You can also match on MAC addresses, on the UID of the process that created the packet, or on whether the packet looks evil (depending on which IP flags are set).
Some other cool features let you mirror a packet and send it back to the sender (useful when you get portscanned).

Connection tracking is a new thing too. It's useful for connectionless protocols like UDP and ping. The default timeout for an open TCP connection was 10 minutes in 2.2, which closed open but idle connections like ssh way too quickly. The default is now changed to 5 days.
Under stress, the connection tracking code will drop unreplied connections early. What's cool is that the ftp connection tracking module lets you temporarily open the right ports long enough for an active ftp data connection to be accepted.

As far as NAT is concerned, the code now offers SNAT (source NAT, i.e. masquerading) and DNAT (port forwarding and load balancing).
For NAT, you get to choose between dumb NAT, which is really fast and simple, and full NAT, which has all the bells and whistles.
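A constructed gateway ruleset, added here as an example and not taken from the talk or Rusty's slides, shows that split in practice: the nat table holds only the two rewrites, the filter table only policy, and connection tracking state ties the two together. It assumes eth0 on the Internet side, eth1 on a 192.168.1.0/24 LAN, an internal web server at 192.168.1.10, a public address of 203.0.113.5 and 2.4-era module names; running it with IPT=echo prints the rules instead of installing them.

```shell
#!/bin/sh
# Constructed gateway ruleset (not from the talk): filtering lives in the
# filter table, address rewriting in the nat table, each at its own hook.
# Assumed layout: eth0 faces the Internet, eth1 the LAN 192.168.1.0/24,
# 192.168.1.10 is an internal web server, 203.0.113.5 the public address.
# IPT=echo turns this into a dry run that only prints the rules.
IPT="${IPT:-iptables}"
WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24
WEB=192.168.1.10
PUBLIC=203.0.113.5

apply_rules() {
    # nat table: rewriting only. Consulted once per connection; conntrack
    # then applies the same mapping to every later packet and its replies.
    # DNAT at PREROUTING (destination rewrite, before the routing decision)
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB"
    # SNAT at POSTROUTING (source rewrite, after routing): masquerading
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" \
        -j SNAT --to-source "$PUBLIC"

    # filter table: policy only. It never has to know about the rewrite;
    # FORWARD already sees the post-DNAT destination 192.168.1.10.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    # Connection tracking: replies and related packets are accepted by
    # state, not by guessing from port numbers. With ip_conntrack_ftp
    # loaded, RELATED also covers the data connection of an active FTP session.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections: LAN may go out, the Internet may only reach the web server
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" \
        -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -d "$WEB" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT
    # limit match: log what falls through to the DROP policy, but never
    # more than 5 lines a minute, so a port scan cannot flood syslog
    $IPT -A FORWARD -m limit --limit 5/minute -j LOG --log-prefix "fw-drop: "
}

# Usage: sh firewall.sh apply   (or IPT=echo sh firewall.sh apply to preview)
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```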

As always, attending one of Rusty's talks was both interesting and entertaining. I should also mention that Rusty is a very professional hacker. He takes great care not to break anything, and does care about backward compatibility.
You can look at his slides here.


2000/08/21 (20:25): Version 1.0