[Kernel] iptables-tng

2009. 6. 30. 16:40 | Posted by 꿈꾸는코난

 

 iptables-TNG (The Next Generation of iptables)
 
 A framework that lets each chain use a different packet classification
 algorithm (e.g. tuple), so that large rulesets (more than 10,000 rules)
 can be handled on high-bandwidth networks.
 
 Licence: GNU GPLv2
 Author: hamid jafarian (hm.t.) <hamid.jafarian@gmail.com>
 Author: maryam geranian <m.geranian@gmail.com>


 Contents

1. Introduction
2. New Code
3. Some Features
4. Classifiers
    4-1. linear classifier
    4-2. tuple classifier
    4-3. url classifier
5. TODO list
6. Opportunities


1. Introduction:

This version adds interactivity and the ability to use multiple, different classification algorithms, chosen per chain. One chain (e.g. OUTPUT in the filter table) can use the "linear" classifier (the behaviour of the current version) while another chain (e.g. FORWARD in filter) uses "tuple".

Classification algorithms are implemented in the same way as matches and targets, but they have no user-space part: each one is a single kernel module (or several).

An important feature of this version is "ranking". Every rule receives a rank from its position in the chain's rule list (the position given on the "iptables" command line when the rule is added). Hashing the rules therefore causes no problem, because the classifier must always return the lowest-ranked rule among those that may match the packet. Users can keep thinking of the rules as stored sequentially and processed sequentially, exactly as in the current version.

   
2. New Code:
   
This version stores rules in kernel linked lists instead of the contiguous memory block used by the current version, and defines a number of useful and important structures for "Table", "Chain" and so on.
The code is completely different from the current version and considerably easier to understand.

The "iptables" command syntax has not changed; "iptables-save" and "iptables-restore" have been adapted.
Matches and targets are used and developed exactly as before.
   

3. Some Features:

       1. All chains can have a policy:
          Unlike the current version, user chains can have a policy just like
          built-in chains.

       2. All chains can be used as a target:
          Any chain can be referenced as a rule target, whereas the current version
          allows only user chains as targets.

       3. All chains have a reference count:
          This is the number of references to the chain (i.e. the number of rules
          that use it as a target). At deletion time this number must be zero; if it
          is not and you try to delete the chain, iptables returns an error.

       4. RETURN can be a rule target:
          As in the current version, in a called chain (a child chain, referenced as
          a target in one of the rules of its parent chain) RETURN goes back to the
          caller (the parent chain). In a built-in chain the chain policy is applied
          to the matched packet.

       5. RETURN can be a chain policy:
          Unlike the current version. In a called (child) chain this returns to the
          caller (parent chain); in a built-in chain it means DROP.

       6. You can change a chain's classifier:
          With the -C option of the iptables command, for example: iptables -C INPUT tuple.
          This can be done at any time, so based on the number of rules in each chain
          you can select the best classification algorithm for it and force the chain
          to use that one. (Note that mainline iptables later assigned -C to --check,
          so this patched option does not carry over to a stock binary.)

       7. pkt_tables namespace and framework:
          A pkt_tables namespace and a common framework for all of the *tables.
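The traversal and deletion semantics of features 1 to 5, as an added example in user-space C (not iptables-tng's kernel code): a chain is a linked list of rules in rank order with its own policy and reference count, and RETURN as a rule target or as a chain policy behaves exactly as listed above. The single destination-port match, the verdict names and the INPUT/WEB rule set are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Verdicts as the feature list describes them; V_JUMP stands for "-j USER_CHAIN". */
enum verdict { V_DROP, V_ACCEPT, V_RETURN, V_JUMP };

struct chain;

struct rule {
    int dport;                 /* constructed match: TCP destination port, 0 = any */
    enum verdict target;
    struct chain *jump_to;     /* set only for V_JUMP */
    struct rule *next;         /* rules form a linked list in rank order */
};

struct chain {
    int builtin;               /* 1 for INPUT/OUTPUT/FORWARD, 0 for a user chain */
    enum verdict policy;       /* every chain has one; RETURN is allowed */
    int refcount;              /* rules elsewhere that use this chain as a target */
    struct rule *rules, *tail;
};

void chain_init(struct chain *c, int builtin, enum verdict policy)
{ memset(c, 0, sizeof *c); c->builtin = builtin; c->policy = policy; }

/* iptables -A: append a rule; jumping to a chain bumps that chain's reference count */
int chain_add_rule(struct chain *c, int dport, enum verdict target, struct chain *jump_to)
{
    struct rule *r;
    if ((target == V_JUMP) != (jump_to != NULL)) return -1;
    if (!(r = calloc(1, sizeof *r))) return -1;
    r->dport = dport; r->target = target; r->jump_to = jump_to;
    if (jump_to) jump_to->refcount++;
    if (c->tail) c->tail->next = r; else c->rules = r;
    c->tail = r;
    return 0;
}

/* iptables -F: drop every rule, releasing the references they held; returns the count */
int chain_flush(struct chain *c)
{
    struct rule *r, *next;
    int n = 0;
    for (r = c->rules; r; r = next, n++) {
        next = r->next;
        if (r->jump_to) r->jump_to->refcount--;
        free(r);
    }
    c->rules = c->tail = NULL;
    return n;
}

/* iptables -X: refused (-1) while any rule still targets the chain */
int chain_delete(struct chain *c)
{
    if (c->builtin || c->refcount != 0) return -1;
    chain_flush(c);
    return 0;
}

/* Policy RETURN: back to the caller from a user chain, DROP in a built-in one */
static enum verdict apply_policy(const struct chain *c)
{
    if (c->policy == V_RETURN) return c->builtin ? V_DROP : V_RETURN;
    return c->policy;
}

/* Walk the rules in rank order; the first matching rule decides */
enum verdict chain_verdict(const struct chain *c, int dport)
{
    for (const struct rule *r = c->rules; r; r = r->next) {
        if (r->dport != 0 && r->dport != dport) continue;
        if (r->target == V_JUMP) {
            enum verdict v = chain_verdict(r->jump_to, dport);
            if (v != V_RETURN) return v;   /* the child chain decided */
            continue;                      /* child returned: next rule here */
        }
        if (r->target == V_RETURN)         /* RETURN as a rule target */
            return c->builtin ? apply_policy(c) : V_RETURN;
        return r->target;
    }
    return apply_policy(c);                /* nothing matched: chain policy */
}

/* Constructed ruleset: INPUT (built-in, policy DROP) sends port 80 to the user
 * chain WEB (policy RETURN), whose only rule is for port 8080. Expected:
 * 80 -> ACCEPT via INPUT rule 4 after WEB returns, 22 -> ACCEPT,
 * 443 -> RETURN target in a built-in chain, so policy DROP, 25 -> policy DROP. */
struct chain demo_input, demo_web;

int demo_build(void)
{
    int rc = 0;
    chain_flush(&demo_input); chain_flush(&demo_web);
    chain_init(&demo_input, 1, V_DROP);
    chain_init(&demo_web, 0, V_RETURN);
    rc |= chain_add_rule(&demo_web, 8080, V_DROP, NULL);       /* WEB 1:   --dport 8080 -j DROP */
    rc |= chain_add_rule(&demo_input, 80, V_JUMP, &demo_web);  /* INPUT 1: --dport 80 -j WEB */
    rc |= chain_add_rule(&demo_input, 22, V_ACCEPT, NULL);     /* INPUT 2: --dport 22 -j ACCEPT */
    rc |= chain_add_rule(&demo_input, 443, V_RETURN, NULL);    /* INPUT 3: --dport 443 -j RETURN */
    rc |= chain_add_rule(&demo_input, 80, V_ACCEPT, NULL);     /* INPUT 4: --dport 80 -j ACCEPT */
    return rc;                                                 /* 0 on success */
}
```

With this rule set, deleting WEB is refused while INPUT rule 1 still jumps to it and succeeds only once INPUT has been flushed, which is the reference-count check of feature 3; a RETURN policy on WEB hands port 80 back to INPUT, where rule 4 accepts it.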


4. Classifiers

    So far we have developed three classifiers for iptables-tng: "linear", "tuple" and "url".

    4-1: linear classifier
          This is not a new approach to rule search: as before, it searches the rules
          sequentially from first to last.
          It is implemented for compatibility and is also appropriate for chains with
          few rules.

    4-2: tuple classifier
          This classifier classifies packets by their source/destination addresses. It
          uses the src/dst IPs in the iptables rules to store the rules in its hash
          tables; when a packet arrives it retrieves the packet's addresses and looks
          up the rules that match it.
          The key point: this classifier is appropriate for rules that have a source or
          destination IP.

          change classifier to tuple:     # iptables -C INPUT tuple
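The ranking rule from the introduction and the tuple classifier just described, as an added example in user-space C (not iptables-tng's code; it models the idea rather than the kernel data structures). Rules are grouped into tuples, one per (source prefix length, destination prefix length) pair, each with its own hash table keyed on the masked addresses. A lookup probes every tuple's table and keeps the lowest-ranked hit, so the hashed layout returns exactly the rule a top-to-bottom scan would. The IP4 macro, the hash functions and the rule set are constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>

#define NBUCKETS 64
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
enum { DROP = 0, ACCEPT = 1 };

struct rule {
    uint32_t src, dst;       /* host-order IPv4, stored already masked */
    int rank;                /* position in the chain: lower = added earlier */
    int verdict;
    struct rule *next;       /* hash-bucket chain */
};

/* One tuple = one (src prefix length, dst prefix length) pair with its own hash table */
struct tuple {
    uint8_t slen, dlen;
    struct rule *bucket[NBUCKETS];
    struct tuple *next;
};

struct chain {
    struct tuple *tuples;
    int nrules;              /* next rank to hand out */
};

/* prefix length 0 means "any address"; avoids the undefined 32-bit shift */
static uint32_t mask(uint32_t ip, uint8_t len) { return len == 0 ? 0 : ip & (0xffffffffu << (32 - len)); }

static unsigned bucket_of(uint32_t s, uint32_t d)
{
    uint32_t h = s * 0x9e3779b1u ^ d * 0x85ebca6bu;
    return (h ^ (h >> 16)) % NBUCKETS;
}

static struct tuple *get_tuple(struct chain *c, uint8_t slen, uint8_t dlen)
{
    struct tuple *t;
    for (t = c->tuples; t; t = t->next)
        if (t->slen == slen && t->dlen == dlen) return t;
    if (!(t = calloc(1, sizeof *t))) return NULL;
    t->slen = slen; t->dlen = dlen;
    t->next = c->tuples; c->tuples = t;   /* prepended: tuple order is not rule order */
    return t;
}

/* iptables -A: the rank is simply the append position, as in the sequential model */
int chain_append(struct chain *c, uint32_t src, uint8_t slen, uint32_t dst, uint8_t dlen, int verdict)
{
    struct tuple *t = get_tuple(c, slen, dlen);
    struct rule *r = t ? calloc(1, sizeof *r) : NULL;
    if (!r) return -1;
    r->src = mask(src, slen); r->dst = mask(dst, dlen);
    r->rank = c->nrules++; r->verdict = verdict;
    unsigned b = bucket_of(r->src, r->dst);
    r->next = t->bucket[b]; t->bucket[b] = r;
    return r->rank;
}

/* Probe every tuple's table with the packet's masked addresses and keep the
 * lowest-ranked hit, so the answer is what a top-to-bottom scan would give. */
const struct rule *chain_lookup(const struct chain *c, uint32_t src, uint32_t dst)
{
    const struct rule *best = NULL;
    for (const struct tuple *t = c->tuples; t; t = t->next) {
        uint32_t s = mask(src, t->slen), d = mask(dst, t->dlen);
        for (const struct rule *r = t->bucket[bucket_of(s, d)]; r; r = r->next)
            if (r->src == s && r->dst == d && (!best || r->rank < best->rank))
                best = r;
    }
    return best;                          /* NULL: the chain policy applies */
}

void chain_free(struct chain *c)
{
    for (struct tuple *t = c->tuples, *tn; t; t = tn) {
        tn = t->next;
        for (int b = 0; b < NBUCKETS; b++)
            for (struct rule *r = t->bucket[b], *rn; r; r = rn) { rn = r->next; free(r); }
        free(t);
    }
    c->tuples = NULL; c->nrules = 0;
}

/* Constructed ruleset, in the order iptables -L would list it:
 *   0: -s 10.0.0.5                        -j DROP
 *   1: -s 10.0.0.0/8                      -j ACCEPT
 *   2: -d 192.168.1.1                     -j DROP
 *   3: -s 10.1.0.0/16 -d 192.168.0.0/16   -j ACCEPT */
struct chain demo;

int demo_build(void)
{
    chain_free(&demo);
    chain_append(&demo, IP4(10, 0, 0, 5), 32, 0, 0, DROP);
    chain_append(&demo, IP4(10, 0, 0, 0), 8, 0, 0, ACCEPT);
    chain_append(&demo, 0, 0, IP4(192, 168, 1, 1), 32, DROP);
    chain_append(&demo, IP4(10, 1, 2, 3) & 0xffff0000u, 16, IP4(192, 168, 0, 0), 16, ACCEPT);
    return demo.nrules;
}
```

A packet from 10.0.0.5 to 192.168.1.1 is matched by rules 0, 1 and 2, which live in three different tuples; because the lookup compares ranks rather than trusting tuple order (tuples are prepended, so the last-added tuple is probed first), rule 0 wins and the packet is dropped, just as the linear classifier would decide.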

    4-3: url classifier
          Filtering "http" packets by domain name is something many administrators
          want.
          There are already many user-space applications that do this, but doing it
          in the kernel, in a modular and flexible environment, is new.
          With iptables-tng we can implement and use new classifiers for special
          purposes. The "url classifier" is a special-purpose classifier that filters
          "http" packets by the value of the "Host" field of the HTTP request packet.
          Because it reads the Host header of a plaintext HTTP request, it does not
          cover HTTPS, where the request, Host header included, is encrypted.

      4-3-1: Usage instructions:
          To filter domain names, after installing the patches (read the INSTALL file
          for more info):
              1- first: change the classifier of your chain to "url":
                   # iptables -C YOUR_CHAIN_NAME url
              2- second: add rules with domain names, e.g. to filter www.xxx.com:
                   # iptables -A YOUR_CHAIN_NAME -m url --url www.xxx.com -j DROP
         
         NOTE:
              1- This classifier does not support rule deletion (iptables -D);
                  use -F to flush the chain.
              2- It only matches "request" packets; the target is triggered on those
                  packets.
              3- It verifies the rule header (source/destination IPs and so on) and
                  the other matches as well before a packet is considered matched.
              4- The "url" match is only used to transfer URLs to the kernel; it does
                  nothing with packets itself.
         
      4-3-2: Implementation notes:
          It uses a combination of a Bloom filter and hash tables.
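A model of the url classifier's Bloom-filter-plus-hash-table design and of the usage notes above, as an added example in user-space C (not the classifier's own source). It takes one raw TCP payload, accepts only packets that begin with an HTTP request line (so responses are never matched), pulls out the Host header (lowercased, any :port dropped) and checks it against the Bloom filter first and the exact hash table second, the filter giving a cheap reject for the common unlisted case and the table removing false positives. The sample payloads are constructed; the function names, FNV-1a hashing and filter sizes are the example's own choices.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BLOOM_BITS 4096
#define BLOOM_K 3
#define HT_BUCKETS 64
#define HOST_MAX 256

static uint8_t bloom[BLOOM_BITS / 8];                    /* set bit = "maybe listed" */
struct entry { char host[HOST_MAX]; struct entry *next; };
static struct entry *table[HT_BUCKETS];                  /* exact list, for confirmation */

/* FNV-1a; different seeds give the BLOOM_K Bloom hashes and the table hash */
static uint32_t fnv1a(const char *s, uint32_t seed)
{
    uint32_t h = 2166136261u ^ seed;
    for (; *s; s++) { h ^= (uint8_t)*s; h *= 16777619u; }
    return h;
}

static void bloom_add(const char *host)
{
    for (uint32_t k = 0; k < BLOOM_K; k++) {
        uint32_t bit = fnv1a(host, k * 0x9e3779b9u) % BLOOM_BITS;
        bloom[bit / 8] |= (uint8_t)(1u << (bit % 8));
    }
}

static int bloom_maybe(const char *host)
{
    for (uint32_t k = 0; k < BLOOM_K; k++) {
        uint32_t bit = fnv1a(host, k * 0x9e3779b9u) % BLOOM_BITS;
        if (!(bloom[bit / 8] & (1u << (bit % 8)))) return 0;   /* definitely absent */
    }
    return 1;                                                   /* possibly present */
}

/* Model of "-m url --url HOST": the match only carries the name into the kernel */
int url_add(const char *host)
{
    struct entry *e;
    if (strlen(host) >= HOST_MAX || !(e = calloc(1, sizeof *e))) return -1;
    for (size_t i = 0; host[i]; i++) e->host[i] = (char)tolower((unsigned char)host[i]);
    unsigned b = fnv1a(e->host, 0) % HT_BUCKETS;
    e->next = table[b]; table[b] = e; bloom_add(e->host);
    return 0;
}

/* Bloom filter first (cheap reject for the common case), hash table to confirm; host is lowercase */
int url_match(const char *host)
{
    if (!bloom_maybe(host)) return 0;
    for (const struct entry *e = table[fnv1a(host, 0) % HT_BUCKETS]; e; e = e->next)
        if (strcmp(e->host, host) == 0) return 1;
    return 0;                                  /* Bloom false positive */
}

static int is_host_header(const char *p, size_t rem)   /* case-insensitive "host:" */
{
    for (size_t j = 0; j < 5; j++)
        if (j >= rem || tolower((unsigned char)p[j]) != "host:"[j]) return 0;
    return 1;
}

/* Copy the Host value (lowercased, :port dropped) out of a plaintext HTTP request;
 * 0 for responses, non-HTTP data or a request without Host. */
int extract_host(const char *payload, size_t len, char *out, size_t outlen)
{
    static const char *const methods[] = { "GET ", "POST ", "HEAD ", "PUT ", "DELETE ", "OPTIONS " };
    size_t m, i, n = 0;
    if (outlen == 0) return 0;
    for (m = 0; m < 6; m++)
        if (len > strlen(methods[m]) && memcmp(payload, methods[m], strlen(methods[m])) == 0) break;
    if (m == 6) return 0;                                  /* not a request line */
    for (i = 0; i < len; i++) {
        if (payload[i] != '\n' || !is_host_header(payload + i + 1, len - i - 1)) continue;
        i += 6;                                            /* past "\nHost:" */
        while (i < len && (payload[i] == ' ' || payload[i] == '\t')) i++;
        while (i < len && payload[i] != '\r' && payload[i] != '\n' && payload[i] != ':' && n + 1 < outlen)
            out[n++] = (char)tolower((unsigned char)payload[i++]);
        out[n] = '\0';
        return n > 0;
    }
    return 0;
}

/* Verdict for one TCP payload: 1 = DROP (Host is listed), 0 = pass; only requests are inspected */
int url_classify(const char *payload, size_t len)
{
    char host[HOST_MAX];
    if (!extract_host(payload, len, host, sizeof host)) return 0;
    return url_match(host);
}

/* Constructed sample payloads (not captured traffic) */
const char demo_req_blocked[] = "GET /index.html HTTP/1.1\r\nHost: WWW.xxx.com:8080\r\nUser-Agent: x\r\n\r\n";
const char demo_req_allowed[] = "GET / HTTP/1.1\r\nHost: example.org\r\n\r\n";
const char demo_response[]    = "HTTP/1.1 200 OK\r\nHost: www.xxx.com\r\n\r\n";
const char demo_no_host[]     = "GET / HTTP/1.0\r\nUser-Agent: x\r\n\r\n";

/* Two "-m url --url ... -j DROP" rules; returns 1 on success */
int demo_setup(void) { return url_add("www.xxx.com") == 0 && url_add("ads.xxx.com") == 0; }
```

The decision is made on the one packet handed to the classifier, which mirrors note 2 above: a response carrying a listed name in a Host header is left alone, and a request without a Host header (HTTP/1.0 style) matches nothing. Because the list is a blocklist, the Bloom filter's false positives cost only an extra hash-table probe and never produce a wrong verdict.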
      
5. TODO list

    Work in progress is focused on using RCU for rule management (search, add,
    remove) instead of spin locks.
    The next step will be using Netlink for user/kernel communication (God willing).
    Further goals are a new way to send classifier data (such as the URLs for the url
    classifier) to the kernel instead of going through matches, and new approaches to
    retrieving data from packets.

6. Opportunities:

       1. Upgrade ip6tables:
          This implementation can be used to upgrade ip6tables. The structures and
          functions it uses are general.
   
       2. Implement more classification algorithms:
          Other classification algorithms can be implemented for iptables, e.g. HiCuts.
