Following on from my previous blog entry, here is the second article I sent to Linux.com.
Article title: Increasing the performance of your Linux firewall with nf-hipac
My name is Javier de Miguel, I work as a senior contractor sysadmin for. I work daily with a myriad
of operating systems in really big networks. Maybe my experience can be useful for
NewsForge and Linux.com readers. I was also part of the organizing committee of
the Netfilter Workshop 2005.
Introduction
Netfilter is the packet filtering framework inside the Linux 2.4.x and 2.6.x
kernel series. The software most commonly associated with netfilter.org is
iptables.
Software inside this framework enables packet filtering, network
address [and port] translation (NA[P]T) and other packet mangling.
Netfilter/iptables is widely used in hundreds of thousands (maybe
millions) of Linux systems around the world, from home users to big
enterprise networks.
The combination of the flexible network filtering and
mangling capabilities of netfilter with the powerful load balancing
and advanced routing features of the Linux kernel makes a killer combination
compared with other commercial offerings. Linux is feature-rich and very
flexible as a general purpose firewall system. But there is an
important drawback: poor performance with large rulesets.
What's wrong with netfilter/iptables?
Iptables, like most packet filters, uses a simple packet
classification algorithm which traverses the rules in a chain
linearly for every packet until a matching rule is found (or not).
Clearly, this approach lacks efficiency. As networks grow more
complex and offer more bandwidth, linear packet filtering is
no longer an option if many rules have to be matched per packet.
Higher bandwidth means more packets per second, which leaves
less processing time per packet. Simply put, with large rulesets
iptables does not scale well.
For really high performance firewalling, custom hardware (e.g.
ASICs) is often used. In this camp, Linux was not a top player...
until the arrival of nf-hipac.
A new approach: nf-hipac
nf-HiPAC is a full featured packet filter for Linux, created
by Mara Systems. HiPAC is a novel
framework for packet classification which uses an advanced
algorithm to reduce the number of memory lookups per packet. It is
ideal for environments involving large rulesets and/or high
bandwidth networks. Those who benefit most would be high load enterprise
firewall systems (ISPs, telcos, big companies...).
Must I learn a new filtering tool for my Linux system?
nf-HiPAC provides the same rich feature set as the iptables Linux
packet filter. The complexity of the sophisticated HiPAC packet
classification algorithm is hidden behind an iptables-compatible
user interface, which makes nf-HiPAC a drop-in replacement for
iptables. Thereby, the semantics of iptables rules are
preserved. From a user's point of view there is no need to
understand anything about the HiPAC algorithm.
Why should I care about nf-hipac? Who should use it?
nf-HiPAC outperforms iptables regardless of the number of rules,
i.e. the HiPAC classification engine does not impose any overhead
even for very small rulesets. The performance of nf-HiPAC is nearly
independent of the number of rules: nf-HiPAC with thousands of rules
still outperforms iptables with 20 rules.
Also, nf-HiPAC offers fast dynamic ruleset updates (ideal for IDS/IPS systems)
without stalling packet classification, in contrast to iptables, which yields bad
update performance along with stalled packet processing during
updates. Big enterprises with complex network filtering needs are
the ones that benefit most from nf-hipac.
If you are a "home user" or a small company, you do not need
nf-hipac; iptables should suffice for you. But if you are developing
an embedded Linux firewall product (especially with low CPU power), or if
you are a telco/ISP/big company with Linux firewalls, read this story
to increase the performance of your systems.
How do I install it?
Installation is pretty straightforward. You simply download a
2.6 kernel patch and a userspace tool, recompile the kernel and boot
with the new enhanced system.
These are the steps to perform to enable nf-hipac in a stock 2.6.13 kernel:
- Download the vanilla kernel sources from
kernel.org
- Download the nf-hipac patch for kernel 2.6.13 from the
nf-hipac homepage
- Uncompress both tarballs
- Apply the patch from inside the kernel source directory (substitute the name of the patch file you downloaded):
patch -p1 -F3 < ../nf-hipac.patch
- Configure your kernel and enable nf-HiPAC:
You can find the nf-hipac option in the "Netfilter Configuration" sub menu after
you have enabled "IP tables support". Don't forget to also enable all the
iptables matches and targets that you want to use with nf-HiPAC and for which
nf-HiPAC does not already offer native implementations.
- Compile, install and boot your nf-HiPAC enabled kernel.
- Compile and install the nf-HiPAC userspace tool:
Assuming that you want to install nf-hipac to
/usr/local and that the iptables
userspace modules are located under
/lib/iptables, you have to type as root:
make install PREFIX=/usr/local IPT_LIB_DIR=/lib/iptables
This builds the userspace tool with support for iptables 1.3.x.
And you are done: you now have an nf-hipac enabled firewall system.
If you want to use a different kernel version, visit the
project's web page for detailed install
information.
Using nf-hipac
The nf-hipac userspace tool is designed to be as compatible as
possible with
'iptables -t filter'. It even supports the full power
of iptables targets, matches and stateful packet filtering
(connection tracking) besides the native nf-HiPAC matches. This
makes a switch from iptables to nf-HiPAC very easy: usually it is
sufficient to replace the calls to iptables with calls to nf-hipac
for your filter rules. That's all. It is a drop-in replacement: you
get extra performance with minimal effort.
As a rule of thumb: in your firewall script, do NOT change iptables to
nf-hipac where you use
"-t nat" or
"-t mangle". In every other case, you
simply change iptables to nf-hipac. Example:
iptables -A INPUT [-t filter] -m state --state RELATED,ESTABLISHED -j ACCEPT
should be converted to
nf-hipac -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
With these simple steps you get an instant performance boost.
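As an added example (not code from the article or from the nf-HiPAC project), here is a small POSIX shell converter that applies the rule of thumb above to an existing firewall script: it rewrites iptables calls to nf-hipac, drops an explicit "-t filter", and leaves every "-t nat" or "-t mangle" rule on iptables. The sample script at the end is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the article's or the nf-HiPAC project's code): rewrite the
# filter-table rules of an iptables script so that they call nf-hipac, and keep
# the nat and mangle rules on iptables, which nf-hipac does not handle.

convert_rule() {
    line=$1
    case "$line" in
        # Only lines that actually invoke iptables are candidates for conversion.
        iptables[[:space:]]*|*/iptables[[:space:]]*|*[[:space:]]iptables[[:space:]]*) ;;
        *) printf '%s\n' "$line"; return 0 ;;
    esac
    case "$line" in
        # nat and mangle tables are not supported by nf-hipac: keep iptables there.
        *"-t nat"*|*"--table nat"*|*"-t mangle"*|*"--table mangle"*)
            printf '%s\n' "$line"; return 0 ;;
    esac
    # Swap the command (dropping any absolute path, PATH resolves nf-hipac) and
    # remove an explicit "-t filter", which is what nf-hipac implies anyway.
    printf '%s\n' "$line" | sed -E \
        -e 's#(^|[[:space:]])(/[^[:space:]]*/)?iptables([[:space:]])#\1nf-hipac\3#' \
        -e 's#[[:space:]](-t|--table)[[:space:]]+filter([[:space:]]|$)#\2#'
}

# Convert a whole script line by line, writing the result to stdout.
convert_script() {
    while IFS= read -r line || [ -n "$line" ]; do
        convert_rule "$line"
    done < "$1"
}

# Constructed sample firewall script (not a real configuration) to show the effect.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
#!/bin/sh
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A INPUT -t filter -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -p tcp --dport 22 -j ACCEPT
EOF
convert_script "$tmp"
rm -f "$tmp"
```

Review the converted script before loading it: rules that use an iptables match or target you did not enable in the kernel (see the configuration step above) will still fail at load time.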
Conclusion & expected mainstream adoption
On October 6, 2005, during the 5th Netfilter Workshop, the
Netfilter Core Team voted for the integration of nf-hipac into the
Netfilter core. The discussion on the details still continues, but
everybody seems to agree that iptables has to be replaced and that
a new configuration tool has to be written in order to interact with
HiPAC.
Integration into the main Linux kernel tree should happen in
2.6.16, so in the near future all Linux users will benefit from the
improved netfilter filtering code, without having to patch and
recompile the kernel to support nf-hipac.
About the author:
Javier de Miguel works as an IT consultant at the Spanish technology
firm Dominion. He enjoys playing with his dogs and tinkering with really old
computers. You can reach him at javier.miguel@talika.eii.us.es
A couple of questions....
Very good and clarifying article; just a couple of questions...
Can we mix nf-hipac rules with iptables rules on the same system, given that neither nat nor mangle can be used with the former?
Could you explain a little bit the algorithm it uses to optimize the application of rules? Neither in the article nor on the company's page do I see any explanation of how it works internally.
I thought it would be something like a rule optimization that "parallelizes" the conditions, just as initng [escomposlinux.org] does with the boot process, but given its resemblance to iptables for its introduction into the system, and that it seems both can be used together, I wouldn't be so sure of that: of it parallelizing, not of it not working ;-)
Signed, ER_MELENAS
Ask not only what Free Software can do for you, but also what you can do for it
Thanks
Thanks for publishing here this interesting article that had been rejected, and thanks for explaining in the comments of your previous entry how you use subversion in system administration.
I was completely unaware of the existence of nf-HiPAC, but from what you explain, its future inclusion in the kernel is going to be quite productive.