SlideShare una empresa de Scribd logo
1 de 34
Descargar para leer sin conexión
by Jesper Dangaard Brouer  <jdb@comx.dk> Master of Computer Science ComX Networks A/S OpenSourceDays 2008 d.4/10-2008 ComX Networks A/S
Who am I ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Presentation overview ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
ComX Networks A/S ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Physical surroundings ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
The Linux box ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Issues and limitations ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Overview ,[object Object],[object Object],[object Object],[object Object],[object Object]
Issue: Bad route performance ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Existing solutions ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
The categorization tasks ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Solution: SubnetSkeleton ,[object Object],[object Object],[object Object]
SubnetSkeleton: Algorithm ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],10.1.2.3 10 .0.0.0/8 10.1.2 .0/24 10.1 .0.0/16
SubnetSkeleton: CIDR partitioning ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
SubnetSkeleton: iptables ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Perl - IPTables::SubnetSkeleton #!/usr/bin/perl use  IPTables::SubnetSkeleton ; my @CIDR = (8, 16, 24);  # prefix list my $name  = &quot;bw&quot;;   # Shortname for bandwidth my $table = &quot; mangle &quot;;  # Use “mangle” table my $subnet_src = IPTables::SubnetSkeleton::new(&quot;$name&quot;, &quot; src &quot;, $table, @CIDR); # Connect subnet skeleton to build-in chain &quot;FORWARD&quot; $subnet_src->connect_to(&quot;FORWARD&quot;); # Insert IP's to match into the tree $subnet_src->insert_element(&quot;10.2.11.33&quot;, &quot; userchain1 &quot;); $subnet_src->insert_element(&quot;10.2.10.66&quot;, &quot; userchain2 &quot;); $subnet_src->insert_element(&quot;10.1.2.42&quot;,  &quot; userchain3 &quot;); $subnet_src->insert_element(&quot;10.1.3.123&quot;, &quot; userchain3 &quot;); # Remember to commit the ruleset to kernel $subnet_src->iptables_commit();
Full routing performance achieved ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Back to subject: Slow ruleset changes
Issue: iptables command slow ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Take advantage of libiptc ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Perl - IPTables::libiptc ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Next scalability issue: Chain lookup ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Chains lookup: Solution ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Chain index: Array Chain list: linked list, sorted by chain name Mainline:  iptables ver.1.4.1 , git:2008-01-15 0 1 2 3 B D F H J L N C E O M K I G
Chain index: Insert chain ,[object Object],[object Object],[object Object],[object Object],Chain index: Array Chain list: linked list, sorted by chain name ,[object Object],0 1 2 3 B D F H J L N P C E A
Chain index: Delete chain ,[object Object],[object Object],[object Object],[object Object],[object Object],Chain index: Array Chain list: linked list, sorted by chain name Rebuild array 0 1 2 3 B D F H J L N C E O M K I G
Solving: Initial ruleset parsing ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],mainline:  iptables ver.1.4.2-rc1 , git: 2008-07-03
Summary: Load time ,[object Object],[object Object],[object Object],[object Object],Machine with the most customers, has in filter table Chains: 9827 Rules:36532
Summary: Open Source ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Summary: Goal reached? ,[object Object],[object Object],[object Object],[object Object],[object Object]
The End ,[object Object],[object Object],81.161.128/0/18 195.135.216.0/22 87.72.0.0/16 82.211.224.0/19
Extra slides ,[object Object],[object Object],[object Object]
Route cache perf ,[object Object],[object Object],[object Object]
CPU util softirq ,[object Object],[object Object],[object Object]
More libiptc stats ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
BSD pf firewalling ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Más contenido relacionado

La actualidad más candente

Bridge Protocol Data Unit (BPDU) Frame Format
Bridge Protocol Data Unit (BPDU) Frame FormatBridge Protocol Data Unit (BPDU) Frame Format
Bridge Protocol Data Unit (BPDU) Frame FormatNetProtocol Xpert
 
GLBP (gateway load balancing protocol)
GLBP (gateway load balancing protocol)GLBP (gateway load balancing protocol)
GLBP (gateway load balancing protocol)Netwax Lab
 
Cisco commands List for Beginners (CCNA, CCNP)
Cisco commands List for Beginners (CCNA, CCNP)Cisco commands List for Beginners (CCNA, CCNP)
Cisco commands List for Beginners (CCNA, CCNP)DH Da Lat
 
Lecture 02 lexical analysis
Lecture 02 lexical analysisLecture 02 lexical analysis
Lecture 02 lexical analysisIffat Anjum
 
20 - IDNOG03 - Franki Lim (ARISTA) - Overlay Networking with VXLAN
20 - IDNOG03 - Franki Lim (ARISTA) - Overlay Networking with VXLAN20 - IDNOG03 - Franki Lim (ARISTA) - Overlay Networking with VXLAN
20 - IDNOG03 - Franki Lim (ARISTA) - Overlay Networking with VXLANIndonesia Network Operators Group
 
Etherchannel
EtherchannelEtherchannel
EtherchannelRaj sekar
 
BGP Advance Technique by Steven & James
BGP Advance Technique by Steven & JamesBGP Advance Technique by Steven & James
BGP Advance Technique by Steven & JamesFebrian ‎
 
Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)NetProtocol Xpert
 
Routing Protocol EIGRP
Routing Protocol EIGRPRouting Protocol EIGRP
Routing Protocol EIGRPDmitry Figol
 
BPF - in-kernel virtual machine
BPF - in-kernel virtual machineBPF - in-kernel virtual machine
BPF - in-kernel virtual machineAlexei Starovoitov
 
Ccnp workbook network bulls
Ccnp workbook network bullsCcnp workbook network bulls
Ccnp workbook network bullsSwapnil Kapate
 

La actualidad más candente (20)

Eigrp.ppt
Eigrp.pptEigrp.ppt
Eigrp.ppt
 
Bridge Protocol Data Unit (BPDU) Frame Format
Bridge Protocol Data Unit (BPDU) Frame FormatBridge Protocol Data Unit (BPDU) Frame Format
Bridge Protocol Data Unit (BPDU) Frame Format
 
GLBP (gateway load balancing protocol)
GLBP (gateway load balancing protocol)GLBP (gateway load balancing protocol)
GLBP (gateway load balancing protocol)
 
Cisco commands List for Beginners (CCNA, CCNP)
Cisco commands List for Beginners (CCNA, CCNP)Cisco commands List for Beginners (CCNA, CCNP)
Cisco commands List for Beginners (CCNA, CCNP)
 
Router commands
Router commandsRouter commands
Router commands
 
Lecture 02 lexical analysis
Lecture 02 lexical analysisLecture 02 lexical analysis
Lecture 02 lexical analysis
 
Linux Network Stack
Linux Network StackLinux Network Stack
Linux Network Stack
 
Mpls basic
Mpls basicMpls basic
Mpls basic
 
Cisco: QoS
Cisco: QoSCisco: QoS
Cisco: QoS
 
20 - IDNOG03 - Franki Lim (ARISTA) - Overlay Networking with VXLAN
20 - IDNOG03 - Franki Lim (ARISTA) - Overlay Networking with VXLAN20 - IDNOG03 - Franki Lim (ARISTA) - Overlay Networking with VXLAN
20 - IDNOG03 - Franki Lim (ARISTA) - Overlay Networking with VXLAN
 
Cisco ospf
Cisco ospf Cisco ospf
Cisco ospf
 
Etherchannel
EtherchannelEtherchannel
Etherchannel
 
Bgp protocol
Bgp protocolBgp protocol
Bgp protocol
 
BGP Advance Technique by Steven & James
BGP Advance Technique by Steven & JamesBGP Advance Technique by Steven & James
BGP Advance Technique by Steven & James
 
Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)
 
Cs8591 Computer Networks
Cs8591 Computer NetworksCs8591 Computer Networks
Cs8591 Computer Networks
 
Routing Protocol EIGRP
Routing Protocol EIGRPRouting Protocol EIGRP
Routing Protocol EIGRP
 
Configuration DHCP
Configuration DHCPConfiguration DHCP
Configuration DHCP
 
BPF - in-kernel virtual machine
BPF - in-kernel virtual machineBPF - in-kernel virtual machine
BPF - in-kernel virtual machine
 
Ccnp workbook network bulls
Ccnp workbook network bullsCcnp workbook network bulls
Ccnp workbook network bulls
 

Destacado

Packet Filtering Using Iptables
Packet Filtering Using IptablesPacket Filtering Using Iptables
Packet Filtering Using IptablesAhmed Mekkawy
 
Open vSwitch - Stateful Connection Tracking & Stateful NAT
Open vSwitch - Stateful Connection Tracking & Stateful NATOpen vSwitch - Stateful Connection Tracking & Stateful NAT
Open vSwitch - Stateful Connection Tracking & Stateful NATThomas Graf
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPCilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPThomas Graf
 
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)Thomas Graf
 
The 100 - {dive} : event
The 100 - {dive} : eventThe 100 - {dive} : event
The 100 - {dive} : eventIRT b-com
 
TRex Traffic Generator - Hanoch Haim
TRex Traffic Generator - Hanoch HaimTRex Traffic Generator - Hanoch Haim
TRex Traffic Generator - Hanoch Haimharryvanhaaren
 
Red Hat demo of OpenStack and ODL at ODL summit 2016
Red Hat demo of OpenStack and ODL at ODL summit 2016 Red Hat demo of OpenStack and ODL at ODL summit 2016
Red Hat demo of OpenStack and ODL at ODL summit 2016 RedHatTelco
 
nftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewallnftables - the evolution of Linux Firewall
nftables - the evolution of Linux FirewallMarian Marinov
 
Pipework: Software-Defined Network for Containers and Docker
Pipework: Software-Defined Network for Containers and DockerPipework: Software-Defined Network for Containers and Docker
Pipework: Software-Defined Network for Containers and DockerJérôme Petazzoni
 
LinuxCon 2015 Stateful NAT with OVS
LinuxCon 2015 Stateful NAT with OVSLinuxCon 2015 Stateful NAT with OVS
LinuxCon 2015 Stateful NAT with OVSThomas Graf
 
2015 FOSDEM - OVS Stateful Services
2015 FOSDEM - OVS Stateful Services2015 FOSDEM - OVS Stateful Services
2015 FOSDEM - OVS Stateful ServicesThomas Graf
 
Iptables Configuration
Iptables ConfigurationIptables Configuration
Iptables Configurationstom123
 

Destacado (20)

NOS Comparison
NOS ComparisonNOS Comparison
NOS Comparison
 
IP Tables Getting Started - Part 2
IP Tables Getting Started - Part 2IP Tables Getting Started - Part 2
IP Tables Getting Started - Part 2
 
IP Tables Primer - Part 1
IP Tables Primer - Part 1IP Tables Primer - Part 1
IP Tables Primer - Part 1
 
IPTables Primer - Part 2
IPTables Primer - Part 2IPTables Primer - Part 2
IPTables Primer - Part 2
 
Packet Filtering Using Iptables
Packet Filtering Using IptablesPacket Filtering Using Iptables
Packet Filtering Using Iptables
 
Iptables
IptablesIptables
Iptables
 
Open vSwitch - Stateful Connection Tracking & Stateful NAT
Open vSwitch - Stateful Connection Tracking & Stateful NATOpen vSwitch - Stateful Connection Tracking & Stateful NAT
Open vSwitch - Stateful Connection Tracking & Stateful NAT
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPCilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDP
 
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
 
The 100 - {dive} : event
The 100 - {dive} : eventThe 100 - {dive} : event
The 100 - {dive} : event
 
TRex Traffic Generator - Hanoch Haim
TRex Traffic Generator - Hanoch HaimTRex Traffic Generator - Hanoch Haim
TRex Traffic Generator - Hanoch Haim
 
Red Hat demo of OpenStack and ODL at ODL summit 2016
Red Hat demo of OpenStack and ODL at ODL summit 2016 Red Hat demo of OpenStack and ODL at ODL summit 2016
Red Hat demo of OpenStack and ODL at ODL summit 2016
 
nftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewallnftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewall
 
Pipework: Software-Defined Network for Containers and Docker
Pipework: Software-Defined Network for Containers and DockerPipework: Software-Defined Network for Containers and Docker
Pipework: Software-Defined Network for Containers and Docker
 
LinuxCon 2015 Stateful NAT with OVS
LinuxCon 2015 Stateful NAT with OVSLinuxCon 2015 Stateful NAT with OVS
LinuxCon 2015 Stateful NAT with OVS
 
2015 FOSDEM - OVS Stateful Services
2015 FOSDEM - OVS Stateful Services2015 FOSDEM - OVS Stateful Services
2015 FOSDEM - OVS Stateful Services
 
Iptables in linux
Iptables in linuxIptables in linux
Iptables in linux
 
IP Address
IP AddressIP Address
IP Address
 
Iptables Configuration
Iptables ConfigurationIptables Configuration
Iptables Configuration
 
Vagrant
VagrantVagrant
Vagrant
 

Similar a Netfilter: Making large iptables rulesets scale

Nad710 Network Address Translation
Nad710   Network Address TranslationNad710   Network Address Translation
Nad710 Network Address Translationtmavroidis
 
Ait235 Quizes Essay
Ait235 Quizes EssayAit235 Quizes Essay
Ait235 Quizes EssaySue Jones
 
Ecet 375 Enhance teaching / snaptutorial.com
Ecet 375  Enhance teaching / snaptutorial.comEcet 375  Enhance teaching / snaptutorial.com
Ecet 375 Enhance teaching / snaptutorial.comDavis117a
 
Ecet 375 Education Redefined - snaptutorial.com
Ecet 375     Education Redefined - snaptutorial.comEcet 375     Education Redefined - snaptutorial.com
Ecet 375 Education Redefined - snaptutorial.comDavisMurphyC86
 
Ecet 375 Education Specialist-snaptutorial.com
Ecet 375 Education Specialist-snaptutorial.comEcet 375 Education Specialist-snaptutorial.com
Ecet 375 Education Specialist-snaptutorial.comrobertlesew62
 
ECET 375 Invent Yourself/newtonhelp.com
ECET 375 Invent Yourself/newtonhelp.comECET 375 Invent Yourself/newtonhelp.com
ECET 375 Invent Yourself/newtonhelp.comlechenau125
 
Questions With Explanation
Questions With ExplanationQuestions With Explanation
Questions With ExplanationStephanie King
 
Contextual Analysis Plan
Contextual Analysis PlanContextual Analysis Plan
Contextual Analysis PlanAnna Shaw
 
ECET 375 Effective Communication/tutorialrank.com
 ECET 375 Effective Communication/tutorialrank.com ECET 375 Effective Communication/tutorialrank.com
ECET 375 Effective Communication/tutorialrank.comjonhson203
 
ECET 375 Success Begins/Newtonhelp.com
ECET 375 Success Begins/Newtonhelp.comECET 375 Success Begins/Newtonhelp.com
ECET 375 Success Begins/Newtonhelp.comledlang1
 
NWI FOR OLATUNDE ISMAILA (G10B)
NWI FOR OLATUNDE ISMAILA (G10B)NWI FOR OLATUNDE ISMAILA (G10B)
NWI FOR OLATUNDE ISMAILA (G10B)olatunde ismaila
 
The Network Ip Address Scheme
The Network Ip Address SchemeThe Network Ip Address Scheme
The Network Ip Address SchemeErin Rivera
 
Introduction to tcp ip linux networking
Introduction to tcp ip   linux networkingIntroduction to tcp ip   linux networking
Introduction to tcp ip linux networkingSreenatha Reddy K R
 
Tutorial mikrotik step by step anung muhandanu
Tutorial mikrotik step by step  anung muhandanu Tutorial mikrotik step by step  anung muhandanu
Tutorial mikrotik step by step anung muhandanu Alessandro De Suoodh
 
Ecet 375 Massive Success / snaptutorial.com
Ecet 375 Massive Success / snaptutorial.comEcet 375 Massive Success / snaptutorial.com
Ecet 375 Massive Success / snaptutorial.comHarrisGeorgx
 
[Ccna] subnetting & vlsm
[Ccna] subnetting & vlsm[Ccna] subnetting & vlsm
[Ccna] subnetting & vlsm1 2d
 

Similar a Netfilter: Making large iptables rulesets scale (20)

Nad710 Network Address Translation
Nad710   Network Address TranslationNad710   Network Address Translation
Nad710 Network Address Translation
 
Ait235 Quizes Essay
Ait235 Quizes EssayAit235 Quizes Essay
Ait235 Quizes Essay
 
Ecet 375 Enhance teaching / snaptutorial.com
Ecet 375  Enhance teaching / snaptutorial.comEcet 375  Enhance teaching / snaptutorial.com
Ecet 375 Enhance teaching / snaptutorial.com
 
Lab Network+
Lab Network+Lab Network+
Lab Network+
 
Ecet 375 Education Redefined - snaptutorial.com
Ecet 375     Education Redefined - snaptutorial.comEcet 375     Education Redefined - snaptutorial.com
Ecet 375 Education Redefined - snaptutorial.com
 
Ecet 375 Education Specialist-snaptutorial.com
Ecet 375 Education Specialist-snaptutorial.comEcet 375 Education Specialist-snaptutorial.com
Ecet 375 Education Specialist-snaptutorial.com
 
ECET 375 Invent Yourself/newtonhelp.com
ECET 375 Invent Yourself/newtonhelp.comECET 375 Invent Yourself/newtonhelp.com
ECET 375 Invent Yourself/newtonhelp.com
 
Questions With Explanation
Questions With ExplanationQuestions With Explanation
Questions With Explanation
 
Contextual Analysis Plan
Contextual Analysis PlanContextual Analysis Plan
Contextual Analysis Plan
 
ECET 375 Effective Communication/tutorialrank.com
 ECET 375 Effective Communication/tutorialrank.com ECET 375 Effective Communication/tutorialrank.com
ECET 375 Effective Communication/tutorialrank.com
 
ECET 375 Success Begins/Newtonhelp.com
ECET 375 Success Begins/Newtonhelp.comECET 375 Success Begins/Newtonhelp.com
ECET 375 Success Begins/Newtonhelp.com
 
NWI FOR OLATUNDE ISMAILA (G10B)
NWI FOR OLATUNDE ISMAILA (G10B)NWI FOR OLATUNDE ISMAILA (G10B)
NWI FOR OLATUNDE ISMAILA (G10B)
 
The Network Ip Address Scheme
The Network Ip Address SchemeThe Network Ip Address Scheme
The Network Ip Address Scheme
 
Tutorial mikrotik step by step
Tutorial mikrotik step by stepTutorial mikrotik step by step
Tutorial mikrotik step by step
 
Introduction to tcp ip linux networking
Introduction to tcp ip   linux networkingIntroduction to tcp ip   linux networking
Introduction to tcp ip linux networking
 
IPv4 Addressing
 IPv4 Addressing   IPv4 Addressing
IPv4 Addressing
 
Firewall
FirewallFirewall
Firewall
 
Tutorial mikrotik step by step anung muhandanu
Tutorial mikrotik step by step  anung muhandanu Tutorial mikrotik step by step  anung muhandanu
Tutorial mikrotik step by step anung muhandanu
 
Ecet 375 Massive Success / snaptutorial.com
Ecet 375 Massive Success / snaptutorial.comEcet 375 Massive Success / snaptutorial.com
Ecet 375 Massive Success / snaptutorial.com
 
[Ccna] subnetting & vlsm
[Ccna] subnetting & vlsm[Ccna] subnetting & vlsm
[Ccna] subnetting & vlsm
 

Último

Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 

Último (20)

Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 

Netfilter: Making large iptables rulesets scale

  • 1. by Jesper Dangaard Brouer <jdb@comx.dk> Master of Computer Science ComX Networks A/S OpenSourceDays 2008 d.4/10-2008 ComX Networks A/S
  • 2.
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.
  • 8.
  • 9.
  • 10.
  • 11.
  • 12.
  • 13.
  • 14.
  • 15.
  • 16. Perl - IPTables::SubnetSkeleton #!/usr/bin/perl use IPTables::SubnetSkeleton ; my @CIDR = (8, 16, 24); # prefix list my $name = &quot;bw&quot;; # Shortname for bandwidth my $table = &quot; mangle &quot;; # Use “mangle” table my $subnet_src = IPTables::SubnetSkeleton::new(&quot;$name&quot;, &quot; src &quot;, $table, @CIDR); # Connect subnet skeleton to build-in chain &quot;FORWARD&quot; $subnet_src->connect_to(&quot;FORWARD&quot;); # Insert IP's to match into the tree $subnet_src->insert_element(&quot;10.2.11.33&quot;, &quot; userchain1 &quot;); $subnet_src->insert_element(&quot;10.2.10.66&quot;, &quot; userchain2 &quot;); $subnet_src->insert_element(&quot;10.1.2.42&quot;, &quot; userchain3 &quot;); $subnet_src->insert_element(&quot;10.1.3.123&quot;, &quot; userchain3 &quot;); # Remember to commit the ruleset to kernel $subnet_src->iptables_commit();
  • 17.
  • 18.
  • 19.
  • 20.
  • 21.
  • 22.
  • 23.
  • 24.
  • 25.
  • 26.
  • 27.
  • 28.
  • 29.
  • 30.
  • 31.
  • 32.
  • 33.
  • 34.

Notas del editor

  1. TALK: First I&apos;ll focus on the routing performance issue I&apos;ll come back to slow rule changes later
  2. (To solve the routing performance issue, I had to: Make traffic categorizing scale!) (reducing the lookup time from O(n) to O(log(n)))
  3. (named skip-list search infrastructure by Thomas Jacob &lt;jacob@internet24.de&gt;) (In mainline, iptables version 1.4.1, git:2008-01-15) The runtime complexity is actually also affected by this &amp;quot;bucket&amp;quot; size concept. Thus, O(log(n/k) + k) where k is CHAIN_INDEX_BUCKET_LEN.
  4. (In mainline: iptables ver.1.4.2-rc1, git: 2008-07-03)