Eric Leblond and Pierre Chifflier: Ulogd2 status

October 2, 2008 on 5:38 pm | In Uncategorized | No Comments

I gave a status update on the work I’ve done on Ulogd2 during the previous year.

Almost all plugins are now in a working state. The conntrack and packet logging input plugins are fully supported by the output plugins, and important information such as NAT decisions can be stored for later querying.

The only plugins left in a non-working state are:

  • IPFIX
  • SQLite

Pierre joined me after this status to explain how he designed the default database schemas, which make use of advanced database features.

I finished my presentation with a demonstration of nf3d, a visualisation tool which can display connections and packets logged in a PostgreSQL database by ulogd2.

Nf3d screenshot

NFWS2008 Group photo

October 2, 2008 on 5:20 pm | In Uncategorized | No Comments

Here’s the 6th Netfilter workshop group photo:

Group photos

From left to right starting from top:

  • Stephen Hemminger, Henrik Nordström, Harald Welte, Holger Eitzenberger, Sanjay Rao, Samir Bellabes, Pablo Neira Ayuso
  • Nishit Shah, Jimit Mahadevia, Balazs Scheidler, Jesper Dangaard Brouer, Jozsef Kadlecsik, Pierre Chifflier, Jan Engelhart
  • David Miller, Krisztián Kovács, Patrick McHardy, Moritz Grimm, Eric Leblond

Tproxy reaches net-next-2.6

October 2, 2008 on 10:03 am | In Uncategorized | No Comments

Following the discussion on Tproxy, Krisztián Kovács has sent his patchset to the netfilter and netdev mailing lists. Davem’s answer was fast: the reply to the first patch of the patchset arrived within minutes of the mail:

Applied to net-next-2.6

Tproxy will thus be merged into mainstream for 2.6.28.

Pablo Neira, Userspace library

October 1, 2008 on 4:54 pm | In Uncategorized | No Comments

libnfnetlink

There are two APIs:

  • the old one, based on libnetlink (iproute tools)
  • a new API with better error handling

Eric Leblond contributed to ifindex2ifname, based on Harald Welte’s work. It provides interface index to name resolution.

libnetfilter_queue

There have been few changes since the last workshop. It still uses the old libnfnetlink API and lacks some helper functions, mainly for packet mangling.

libnetfilter_log

There are no changes. It is still using the old API.

Pablo Neira

libnetfilter_conntrack

Libnetfilter_conntrack has two APIs. The old one is completely deprecated. The new API is based on setter/getter logic and offers many helper functions (printing, comparing, copying).

The latest version introduces a BSF filter that can be used to filter entries before they leave the kernel. With a BSF filter you can, for example, avoid fetching connection events for localhost.

Pablo Neira, conntrack-tools status

October 1, 2008 on 4:32 pm | In Uncategorized | No Comments

Conntrack-tools

The latest release was in May and the next release should arrive next week.

Conntrack CLI

  • Syntax is the same as iptables’
  • It has filtering capabilities
  • List, modify and destroy connections
  • It supports event listening

Conntrackd

This is a daemon for synchronisation of connection tracking. Currently only primary/backup is supported, but the architecture allows multi-primary. It uses TLV-based messages (76 to 100 bytes).

There are multiple protocol messages:

  • NOTRACK: simply sends messages without any check
  • ALARM:
  • FT-FW: packet acknowledgement

Conntrackd development status

There is no need to disable TCP window tracking since 2.6.22. Netfilter kernel-space filtering is supported since 2.6.25 (you may choose to replicate only TCP connections).

IPv6 support is complete but requires more testing.

TODO list

  • Redundant dedicated netlink
  • Multi-primary support

Pablo Neira, Bloom filters

October 1, 2008 on 4:02 pm | In Uncategorized | No Comments

Principle

Bloom invented his filter in the 70s. The filter gives a compact representation of a set of elements.

It allows false positives: an element can be reported as being in the set without actually being in it. If we delete an element from the filter we can get the inverse (false negatives). This step must therefore be handled carefully.

Pablo Neira

What use is approximate firewalling?

It can be used for maintaining large sets such as spam lists. But since there are false positives, does a firewalling solution that has false positives make sense?
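A worked illustration of the two points above, added here and not part of the talk or of any Netfilter project: a small counting Bloom filter over IPv4 addresses that shows a false positive on lookup, the false negative a plain bit-clearing delete produces, and the counting delete that avoids it. The hash functions, filter size and addresses are constructed for the example (each hash just takes one address octet so the cases can be checked by hand); real filters use independent hash functions and a size derived from the expected set size.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed parameters: 32 counters, 3 hashes. Each hash takes one address
 * octet so the worked cases can be checked by hand; real filters use
 * independent hash functions and a size derived from the expected set size. */
#define BLOOM_SLOTS 32
#define BLOOM_K     3

struct bloom { uint8_t cnt[BLOOM_SLOTS]; };   /* zero-initialise before use */

/* hash i = octet i of the address (0 = last octet), reduced to a slot index */
static unsigned bloom_hash(uint32_t addr, unsigned i)
{ return ((addr >> (8 * i)) & 0xff) % BLOOM_SLOTS; }

uint32_t ipv4(unsigned a, unsigned b, unsigned c, unsigned d)
{ return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d; }

void bloom_add(struct bloom *f, uint32_t addr)
{
    for (unsigned i = 0; i < BLOOM_K; i++) {
        unsigned h = bloom_hash(addr, i);
        if (f->cnt[h] < UINT8_MAX)        /* saturate rather than wrap */
            f->cnt[h]++;
    }
}

/* true = "maybe a member" (false positives possible); false is always right
 * as long as no member was removed with bloom_delete_naive(). */
bool bloom_maybe_contains(const struct bloom *f, uint32_t addr)
{
    for (unsigned i = 0; i < BLOOM_K; i++)
        if (f->cnt[bloom_hash(addr, i)] == 0)
            return false;
    return true;
}

/* Bit-style delete: clears the slots outright, so any other member sharing
 * a slot now reads "absent": the false negative the talk warns about. */
void bloom_delete_naive(struct bloom *f, uint32_t addr)
{
    for (unsigned i = 0; i < BLOOM_K; i++)
        f->cnt[bloom_hash(addr, i)] = 0;
}

/* Counting delete: decrement only; a saturated counter is left alone. */
void bloom_delete_counting(struct bloom *f, uint32_t addr)
{
    for (unsigned i = 0; i < BLOOM_K; i++) {
        unsigned h = bloom_hash(addr, i);
        if (f->cnt[h] > 0 && f->cnt[h] < UINT8_MAX)
            f->cnt[h]--;
    }
}
```

With 10.1.2.3 and 10.9.2.7 in the filter (slots 3,2,1 and 7,2,9), the never-added 10.9.2.3 hits slots 3,2,9 and is reported present; a naive delete of 10.9.2.7 clears slot 2 and makes 10.1.2.3 disappear, whereas the counting delete leaves slot 2 at 1.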

Krisztián Kovács, tproxy status

October 1, 2008 on 3:40 pm | In Uncategorized | No Comments

Tproxy development has reached the goal set last year.

Krisztián Kovács

Everything from the Netfilter part to the routing part is ready for inclusion, and patches requesting inclusion into mainstream will be sent soon.

Jozsef Kadlecsik, IPSET status

October 1, 2008 on 3:06 pm | In Uncategorized | No Comments

Latest developments

Latest developments include a new type, ipportiphash, which can be used to store an IP address and an arbitrary port number, and setlist, which is a union of sets.

Jozsef Kadlecsik

Milestone planning

Ipset 2.4 will be released in October and will feature the new modules. Around the end of 2008, ipset 3.0 should be released. It will feature a new protocol based on netlink-compatible TLVs and keep the previous one for backward compatibility. If all goes well, ipset will be renamed to nfset and the old protocol will be dropped (mid-2009). After the nfset renaming, the work will focus on IPv6 support and the merging effort.

Yasuyuki Kosakai, MIPv6

October 1, 2008 on 2:48 pm | In Uncategorized | No Comments

IPv6 firewalling under Linux is complete. The remaining task is MIPv6.

Yasuyuki Kosakai

MIPv6 introduction

There are two modes:

  • bidirectional tunnelling: all traffic passes through the home agent
  • route optimisation

Conntrack tuple definition

The conntrack tuple has to be built to match this information. The choices are:

  • nf_conntrack_ipv6 constructs the tuple from the home address
  • nf_conntrack_ipv6 handles it as tunnelled traffic

The first choice is the better one, as it matches the internal behaviour. Furthermore, it is the endpoint address that is taken into account.

It is easy to send packets that include a spoofed home address. Thus the stateful filter could let such packets pass if it does not check HAO and RT2.

Proposal

A new helper inspects MIPv6 signalling (protocol 135) and maintains a list of authorised home gateways. This way, forwarding of packets for unregistered gateways can be rejected.

As usual, encryption can break everything: draft-irtf-mip6-cn-ipsec-05 introduces encryption of binding updates/acknowledgements, and there is no way to parse those.
