- rule loadtime performance
  - loading 10k rules in 1k chains takes 4 min 30 s on a P3-733 (Pentium III, 733 MHz)
    - 27 seconds in kernelspace: mark_source_chains()
      - reimplementation finished, needs more testing
    - 4 minutes in userspace: two O(n^2) functions
      - one of them could be removed in the old chain_cache framework
      - the other one needs reimplementation (underway)
- ctnetlink still under development, used by a couple of large sites
- pkt_tables to be merged later in 2.6.x
  - change to linked lists of rules in linked lists of chains
  - use netlink-based kernel/userspace interface
- iptables2/pkttables userspace
  - libnfnetlink / libpkttnetlink as low-layer interface
  - move all iptables functionality into libpkttables
  - libpkttables provides a query interface:
    - what matches/targets does this system support?
    - what parameters does match 'foo' support?
    - what values are acceptable for param 'bar' of match 'foo'?
    - what is the help message for param 'bar' of match 'foo'?
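An added illustration of the kind of query interface sketched above, answering the four questions from one registry and validating a value before a rule is built. This is example code, not libpkttables or any netfilter project code: the match and target names (tcp, state, ACCEPT, DROP) are real iptables ones, but the descriptor layout, the function names and the validators are assumptions.

```python
# Hypothetical query interface in the shape sketched for libpkttables.
# Added illustration, not code from the netfilter project: the iptables
# match/target names are real, the descriptor layout and function names
# are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Param:
    name: str
    help: str                          # text returned to the user
    accepts: str                       # human-readable description of valid values
    validate: Callable[[str], bool]    # machine check for one value


@dataclass
class Extension:
    name: str
    kind: str                          # "match" or "target"
    params: Dict[str, Param] = field(default_factory=dict)


def is_port_or_range(value: str) -> bool:
    """'80', '1024:65535', ':1023' and '8000:' are valid; anything else is not."""
    parts = value.split(":")
    if len(parts) > 2:
        return False
    try:
        nums = [int(p) for p in parts if p != ""]
    except ValueError:
        return False
    if not nums or not all(0 <= n <= 65535 for n in nums):
        return False
    return len(nums) == 1 or nums[0] <= nums[1]


CT_STATES = {"NEW", "ESTABLISHED", "RELATED", "INVALID"}


def is_state_list(value: str) -> bool:
    """Comma-separated list drawn from the conntrack state names."""
    items = value.split(",")
    return bool(items) and all(i in CT_STATES for i in items)


REGISTRY: Dict[str, Extension] = {}


def register(ext: Extension) -> None:
    REGISTRY[ext.name] = ext


register(Extension("tcp", "match", {
    "sport": Param("sport", "match source port", "port or lo:hi, 0-65535", is_port_or_range),
    "dport": Param("dport", "match destination port", "port or lo:hi, 0-65535", is_port_or_range),
}))
register(Extension("state", "match", {
    "state": Param("state", "match connection tracking state",
                   "comma-separated list of " + ",".join(sorted(CT_STATES)), is_state_list),
}))
register(Extension("ACCEPT", "target"))
register(Extension("DROP", "target"))


def supported(kind: str) -> List[str]:
    """Q1: which matches (or targets) does this system support?"""
    return sorted(n for n, e in REGISTRY.items() if e.kind == kind)


def params_of(match: str) -> List[str]:
    """Q2: which parameters does match 'foo' support?"""
    return sorted(REGISTRY[match].params)


def acceptable_values(match: str, param: str) -> str:
    """Q3: what values are acceptable for param 'bar' of match 'foo'?"""
    return REGISTRY[match].params[param].accepts


def help_for(match: str, param: str) -> str:
    """Q4: what is the help message for param 'bar' of match 'foo'?"""
    return REGISTRY[match].params[param].help


def check_value(match: str, param: str, value: str) -> Optional[str]:
    """Validate one user-supplied value before building a rule; None means OK."""
    ext = REGISTRY.get(match)
    if ext is None or ext.kind != "match":
        return f"unknown match '{match}'"
    p = ext.params.get(param)
    if p is None:
        return f"match '{match}' has no parameter '{param}'"
    if not p.validate(value):
        return f"'{value}' is not acceptable for --{param} of match '{match}': expects {p.accepts}"
    return None


if __name__ == "__main__":
    print(supported("match"), supported("target"))
    print(params_of("tcp"), help_for("tcp", "dport"), acceptable_values("tcp", "dport"))
    for v in ("80", "1024:65535", "80:70", "http"):
        print(v, "->", check_value("tcp", "dport", v) or "ok")
```

The point of keeping the validator next to the help text is that a frontend (CLI, GUI, or a remote management daemon) can reject a bad value with a precise message without ever round-tripping to the kernel.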
- nf-hipac as high-performance alternative to iptables
  - very complex multi-dimensional tree structure
  - 530 kilobyte patch, 180k kernel module
  - algorithm well-proven and regression-tested in userspace
  - scales really well even with 100k rules
  - now supports all iptables matches/targets
  - cannot replace iptables because of
    - large footprint
    - high memory usage
  - most likely to be integrated after the pkt_tables / pkttnetlink merge
- Session logging
  - different implementations (SLOG one of them)
  - best solution: ctnetlink event API
  - problem: per-connection byte/packet counters in conntrack are a performance hit
- IPv6 connection tracking
  - USAGI people are working on this
- non-linear skb support (removal of skb_linearize())
  - thanks to Rusty, 2.5.x/2.6.x now has support
  - changes in almost every netfilter/iptables API :(
- stateful failover / state synchronization
  - no sponsor yet, but most likely in Q4/2003
- conntrack optimization
  - new hashing algorithm in 2.4.21, should improve significantly
  - locking optimization
  - don't use a timer per conntrack, but an expiration kernel thread
- TRACE target / raw table
  - experimental patch in patch-o-matic
  - enables tracing of a packet through the ruleset
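What the TRACE target gives you is one log line per table/chain the packet passes through, each prefixed "TRACE: table:chain:type:rulenum" and followed by the usual LOG fields. The script below is an added example, not part of the patch or the netfilter project: it reconstructs the per-packet path from such lines and reports the hop that produced the verdict. The log lines are constructed samples in that layout; the flow-key choice and function names are assumptions.

```python
# Reconstructs the path each packet took through the ruleset from TRACE
# log lines. Added example, not netfilter code. The line layout
# ("TRACE: table:chain:type:rulenum" followed by the LOG fields) follows
# the TRACE target's output; the sample lines below are constructed.
import re
from collections import OrderedDict
from typing import Dict, List, Tuple

TRACE_RE = re.compile(
    r"TRACE: (?P<table>[^:\s]+):(?P<chain>[^:\s]+):(?P<type>rule|return|policy):"
    r"(?P<num>\d+) (?P<fields>.*)$"
)

# proto, src, sport, dst, dport, IP id: enough to tell packets apart in a
# short capture (the IP id alone repeats across hosts and wraps quickly)
FlowKey = Tuple[str, str, str, str, str, str]


def parse_fields(text: str) -> Dict[str, str]:
    """Split 'KEY=value' tokens into a dict; bare flags (DF, SYN, ...) map to ''."""
    out: Dict[str, str] = {}
    for tok in text.split():
        key, sep, val = tok.partition("=")
        out[key] = val if sep else ""
    return out


def flow_key(f: Dict[str, str]) -> FlowKey:
    return (f.get("PROTO", ""), f.get("SRC", ""), f.get("SPT", ""),
            f.get("DST", ""), f.get("DPT", ""), f.get("ID", ""))


def trace_paths(lines: List[str]) -> Dict[FlowKey, List[str]]:
    """Group TRACE events per packet and return the hop list, in log order."""
    paths: Dict[FlowKey, List[str]] = OrderedDict()
    for line in lines:
        m = TRACE_RE.search(line)          # search: tolerate syslog timestamp/host prefix
        if not m:
            continue                        # not a TRACE line (other LOG output, noise)
        fields = parse_fields(m.group("fields"))
        hop = f"{m['table']}:{m['chain']}:{m['type']}:{m['num']}"
        paths.setdefault(flow_key(fields), []).append(hop)
    return paths


def verdict_hop(path: List[str]) -> str:
    """The last 'rule' or 'policy' event is where the packet got its verdict;
    'return' events only mark the end of a user-defined chain."""
    for hop in reversed(path):
        if ":return:" not in hop:
            return hop
    return ""


def _sample(hop: str, src: str, spt: int, dpt: int, ipid: int) -> str:
    """Constructed sample line in the TRACE/LOG layout, syslog prefix included."""
    out = "" if "PREROUTING" in hop else "eth1"   # no output device before routing
    return (f"Aug 12 10:00:01 fw kernel: TRACE: {hop} IN=eth0 OUT={out} "
            f"SRC={src} DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID={ipid} DF "
            f"PROTO=TCP SPT={spt} DPT={dpt} WINDOW=5840 RES=0x00 SYN URGP=0")


# Two interleaved packets: a web request that is jumped into a user chain
# 'web_in', returns, and is accepted by a later FORWARD rule; and a telnet
# attempt that falls through to the FORWARD chain policy.
SAMPLE_LOG = [
    _sample("raw:PREROUTING:policy:2", "192.0.2.10", 51234, 80, 4711),
    _sample("raw:PREROUTING:policy:2", "203.0.113.7", 40000, 23, 9),
    _sample("mangle:PREROUTING:policy:1", "192.0.2.10", 51234, 80, 4711),
    _sample("nat:PREROUTING:policy:1", "192.0.2.10", 51234, 80, 4711),
    _sample("mangle:PREROUTING:policy:1", "203.0.113.7", 40000, 23, 9),
    _sample("mangle:FORWARD:policy:1", "192.0.2.10", 51234, 80, 4711),
    _sample("filter:FORWARD:rule:2", "192.0.2.10", 51234, 80, 4711),
    _sample("nat:PREROUTING:policy:1", "203.0.113.7", 40000, 23, 9),
    _sample("filter:web_in:return:3", "192.0.2.10", 51234, 80, 4711),
    _sample("mangle:FORWARD:policy:1", "203.0.113.7", 40000, 23, 9),
    _sample("filter:FORWARD:rule:4", "192.0.2.10", 51234, 80, 4711),
    _sample("filter:FORWARD:policy:6", "203.0.113.7", 40000, 23, 9),
]

if __name__ == "__main__":
    for key, path in trace_paths(SAMPLE_LOG).items():
        print(" ".join(key))
        print("  path:   ", " -> ".join(path))
        print("  verdict:", verdict_hop(path))
```

Because the raw table sits before connection tracking, a TRACE rule there sees every packet and logs one line per chain, so in practice you restrict the TRACE rule to a tight match (one source, one port) and switch it off again as soon as the path is understood.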
- netfilter workshop, August 2003, Budapest, Hungary
  - about 20 people will attend
  - sponsored by Astaro Inc and KFKI Research Institute
  - open to the public, registration needed
- we need more community
  - developer diaries on netfilter homepage?
  - wiki or similar tool?
  - announcement of IRC channel(s) on website
- patch-o-matic 2.6.x future?
  - I will only maintain patch-o-matic for 2.6.x
  - maybe somebody wants to backport patches?
  - maybe an official 2.4.x maintainer?
- development of testing tools
  - simple packet generator not suitable for stateful filtering
  - even simple packet generators are very expensive
  - connection generator
    - user can specify the profile of a connection
      - e.g. HTTP: TCP, 500 bytes in one direction, 10k in the other
    - user can specify quantity and distribution
      - e.g. 10k 'HTTP', from random sources to a single dest.
    - first implementation will be userspace-only, may change later
  - work will start in September/October, I'll post an RFC
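An added example of the connection-generator idea in the shape the bullets above describe (profile, quantity, distribution): a seeded userspace planner that turns "10k HTTP from random sources to one destination" into distinct flows with the right byte counts in each direction. This is illustration code, not the tool the notes announce; the Profile/Flow layout, the function names and the DNS profile are assumptions.

```python
# Userspace connection generator in the shape sketched above: a connection
# profile (protocol plus bytes per direction), a quantity and a source/dest
# distribution produce a deterministic list of flows to replay against a
# stateful firewall. Added example, not the netfilter project's tool; the
# profile fields and function names are assumptions.
import ipaddress
import random
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Profile:
    name: str
    proto: str        # "tcp" or "udp"
    dport: int
    bytes_fwd: int    # client -> server payload bytes
    bytes_rev: int    # server -> client payload bytes


@dataclass(frozen=True)
class Flow:
    profile: Profile
    src: str
    sport: int
    dst: str


HTTP = Profile("HTTP", "tcp", 80, 500, 10_000)   # 500 bytes one way, 10k the other
DNS = Profile("DNS", "udp", 53, 60, 200)          # assumed second profile for a mix


def generate(profile: Profile, count: int, src_net: str, dst: str, seed: int = 1) -> List[Flow]:
    """'count' connections from random sources in src_net to the single dst.
    (src, sport) pairs are unique so the firewall's conntrack sees 'count'
    distinct flows rather than a reused tuple being merged into one."""
    rng = random.Random(seed)               # seeded: a run is reproducible
    net = ipaddress.ip_network(src_net)
    if net.prefixlen > 30:
        raise ValueError("source network too small for host randomisation")
    hosts = net.num_addresses - 2           # skip network and broadcast address
    seen = set()
    flows: List[Flow] = []
    while len(flows) < count:
        src = str(net.network_address + 1 + rng.randrange(hosts))
        sport = rng.randrange(1024, 65536)  # ephemeral range
        if (src, sport) in seen:
            continue
        seen.add((src, sport))
        flows.append(Flow(profile, src, sport, dst))
    return flows


def generate_mix(mix: List[Tuple[Profile, int]], src_net: str, dst: str, seed: int = 1) -> List[Flow]:
    """Distribution over several profiles, e.g. [(HTTP, 10000), (DNS, 500)],
    shuffled so the replayer does not send all of one kind first."""
    rng = random.Random(seed)
    flows: List[Flow] = []
    for i, (profile, count) in enumerate(mix):
        flows.extend(generate(profile, count, src_net, dst, seed=seed + i + 1))
    rng.shuffle(flows)
    return flows


def segments(flow: Flow, mss: int = 1460) -> List[Tuple[str, int]]:
    """Payload-carrying segments for one flow in send order: request, then
    response. A TCP replayer still has to wrap handshake and teardown
    around these, which is what makes it a connection rather than packets."""
    out: List[Tuple[str, int]] = []
    for direction, total in (("fwd", flow.profile.bytes_fwd), ("rev", flow.profile.bytes_rev)):
        remaining = total
        while remaining > 0:
            size = min(mss, remaining)
            out.append((direction, size))
            remaining -= size
    return out


def summarize(flows: List[Flow]) -> Dict[str, int]:
    """Totals the firewall under test should account for after the run."""
    return {
        "connections": len(flows),
        "bytes_fwd": sum(f.profile.bytes_fwd for f in flows),
        "bytes_rev": sum(f.profile.bytes_rev for f in flows),
        "distinct_sources": len({f.src for f in flows}),
    }


if __name__ == "__main__":
    plan = generate(HTTP, 10_000, "10.0.0.0/16", "198.51.100.5", seed=7)
    print(summarize(plan))
    print(plan[0], segments(plan[0]))
    print(summarize(generate_mix([(HTTP, 10_000), (DNS, 500)], "10.0.0.0/16", "198.51.100.5")))
```

Comparing summarize() against the firewall's own conntrack and per-rule counters after a replay is the check a stateful test needs and a plain packet generator cannot give you: a mismatch in connection count points at table exhaustion or tuple collisions, a mismatch in bytes at packets dropped mid-connection.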
- deprecate ipfwadm