Thomas Graf <tgraf@suug.ch>, Netconf 2006

Netlink Status
- Moving towards a type-safe interface
- Tons of bugs got fixed, some of them exploitable

Generic Netlink
- Lacking some documentation
- Users: TIPC, taskstats, NetLabel, 802.11
- TODO: conditional dumps; requires an interface to access the genl header/attributes via cb->skb, or keeping genl_info alive throughout the dump iterations
- TODO: finalize userspace tools

libnl status
- rtnetlink 90% complete
- starting to get shipped
- near 1.0 release (for real this time)
- New stuff: genl, xfrm, keeping caches up to date based on events

Cheap Routing Namespaces: ingress
(diagram) eth0 -> local table: 10.0.0.1/32 -> mark 1, 192.168.1.32/32 -> mark 10 -> vlan0 (mark=1), vlan1 (mark=2)
- routes must be added without NLM_F_EXCL to avoid EEXIST

Cheap Routing Namespaces: egress
- Application: setsockopt(..., SO_MARK, 1)
- table 1: 10.0.0.0/24 dev vlan0; default via 10.0.0.2
- table 2: 10.0.0.0/24 dev vlan1; 10.1.0.0/24 dev vlan1; default via 10.1.0.1
- rule mark == 1 lookup 1
- rule mark == 2 lookup 2

SO_MARK
- similar semantics to SO_PRIORITY
- inherited by TCP replies
- can create sending namespaces by influencing the route lookup

Virtual Device
(diagram) ingress eth0, eth1 -> vlan0, vlan1, vlan2 -> tc action mirred -> virt0, virt1
- Application binds to virt0; the assignment is dynamic, with no need for the application to rebind.

skb->mark
- nfmark has become generic; may just rename it to mark
- removes the dependency on netfilter
- increases usability due to easier configuration

tc action: mark
- sets skb->mark to a static value
- translates a selector to a mark value
- allows executing an expensive selector once and using the fast mark selector afterwards

Mark support for ifa addresses
- add mark to struct in_ifaddr / in6_ifaddr
- assigns an address to a namespace
- results in auto-generated routes inheriting the mark

Extending Routing Rules
- New action FR_ACT_GOTO: jump to rule <priority> if the selector matches
  100:  from any to any fwmark 0x10 goto 4000
  200:  from 10.0.0.0/24 to any unreachable
  300:  from any to 192.168.0.0/16 lookup 10
  400:  from any to any blackhole
  4000: from 10.0.0.0/24 to any lookup 20
  4100: from any to any lookup default

Extending Routing Rules: routing-direction based selector
- pass the cause of the lookup to fib_lookup() (input, output, local_addr_check)
- bitmask in struct fib_rule specifying for which lookups a rule is enabled
- ip rule add from 10.0.0.0/24 for INPUT lookup 200
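The goto chain from the previous slide and the direction selector proposed here, as an added example (not code from the slides or from the kernel): a user-space model of the fib rule walk, evaluated over constructed flows. The DIR_* bitmask, the "for INPUT" rule at pref 50 and the numeric id 253 for "lookup default" are assumptions that mirror the proposal; the goto semantics follow the kernel's net/core/fib_rules.c, where goto resolves to the rule whose pref equals the target, an unresolved target is skipped rather than failing the lookup, and a target that is not numerically higher than the rule's own pref is rejected at insert time so the walk always terminates.

```c
/* Added example, not from the slides or the kernel: a user-space model of the
 * fib-rule walk with FR_ACT_GOTO and the proposed per-direction enable mask,
 * run over the rule chain on the slide. The DIR_* bits and the "for INPUT"
 * rule at pref 50 are assumptions mirroring the proposal; the goto semantics
 * follow net/core/fib_rules.c: jump to the rule whose pref equals the target,
 * skip an unresolved target, and (enforced at insert time) never jump back. */
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>

enum act { ACT_LOOKUP, ACT_GOTO, ACT_UNREACHABLE, ACT_BLACKHOLE, ACT_NONE };
/* Cause of the lookup, as the slide proposes passing it to fib_lookup(). */
enum dir { DIR_INPUT = 1, DIR_OUTPUT = 2, DIR_LOCAL_CHECK = 4, DIR_ANY = 7 };

struct rule {
    uint32_t pref;
    const char *src; unsigned src_plen;   /* "0.0.0.0"/0 means "from any" */
    const char *dst; unsigned dst_plen;   /* "0.0.0.0"/0 means "to any" */
    uint32_t fwmark;                      /* 0 = no fwmark selector */
    unsigned dirs;                        /* proposed enable bitmask */
    enum act action;
    uint32_t arg;                         /* table, or target pref for goto */
};
struct flow { const char *src, *dst; uint32_t mark; enum dir dir; };
struct verdict { enum act action; uint32_t table; uint32_t pref; };

#define TABLE_DEFAULT 253   /* "lookup default" */

/* The slide's chain, sorted by pref, plus the proposed "for INPUT" rule. */
static const struct rule slide_rules[] = {
    {   50, "10.0.0.0", 24, "0.0.0.0",      0, 0x00, DIR_INPUT, ACT_LOOKUP,      200 },
    {  100, "0.0.0.0",   0, "0.0.0.0",      0, 0x10, DIR_ANY,   ACT_GOTO,       4000 },
    {  200, "10.0.0.0", 24, "0.0.0.0",      0, 0x00, DIR_ANY,   ACT_UNREACHABLE,   0 },
    {  300, "0.0.0.0",   0, "192.168.0.0", 16, 0x00, DIR_ANY,   ACT_LOOKUP,       10 },
    {  400, "0.0.0.0",   0, "0.0.0.0",      0, 0x00, DIR_ANY,   ACT_BLACKHOLE,     0 },
    { 4000, "10.0.0.0", 24, "0.0.0.0",      0, 0x00, DIR_ANY,   ACT_LOOKUP,       20 },
    { 4100, "0.0.0.0",   0, "0.0.0.0",      0, 0x00, DIR_ANY,   ACT_LOOKUP, TABLE_DEFAULT },
};
#define N_SLIDE_RULES (sizeof slide_rules / sizeof slide_rules[0])

static int prefix_match(const char *addr, const char *net, unsigned plen)
{
    uint32_t mask = plen ? 0xffffffffu << (32 - plen) : 0;
    return (ntohl(inet_addr(addr)) & mask) == (ntohl(inet_addr(net)) & mask);
}

static int rule_match(const struct rule *r, const struct flow *f)
{
    return (r->dirs & f->dir) && prefix_match(f->src, r->src, r->src_plen) &&
           prefix_match(f->dst, r->dst, r->dst_plen) && (!r->fwmark || r->fwmark == f->mark);
}

/* Walk the rules in pref order and return the first terminal action. */
struct verdict fib_rules_lookup(const struct rule *rules, size_t n, const struct flow *f)
{
    struct verdict v = { ACT_NONE, 0, 0 };   /* off the end: -ESRCH in the kernel */
    size_t i = 0;
    while (i < n) {
        const struct rule *r = &rules[i];
        if (!rule_match(r, f)) { i++; continue; }
        if (r->action != ACT_GOTO) {
            v.action = r->action; v.table = r->arg; v.pref = r->pref;
            return v;
        }
        size_t j = i + 1;                          /* resolve target by exact pref */
        while (j < n && rules[j].pref != r->arg) j++;
        i = j < n ? j : i + 1;                     /* unresolved goto is skipped */
    }
    return v;
}

struct verdict lookup_slide(const char *src, const char *dst, uint32_t mark, enum dir d)
{
    struct flow f = { src, dst, mark, d };
    return fib_rules_lookup(slide_rules, N_SLIDE_RULES, &f);
}

int main(void)
{
    static const char *names[] = { "lookup", "goto", "unreachable", "blackhole", "no rule" };
    struct flow cases[] = {   /* constructed sample flows */
        { "10.0.0.5",   "8.8.8.8",     0x10, DIR_OUTPUT },  /* 100 -> goto 4000 -> lookup 20 */
        { "10.0.0.5",   "8.8.8.8",     0,    DIR_OUTPUT },  /* 200: unreachable */
        { "10.0.0.5",   "8.8.8.8",     0,    DIR_INPUT  },  /* 50 "for INPUT": lookup 200 */
        { "172.16.1.1", "192.168.5.5", 0,    DIR_OUTPUT },  /* 300: lookup 10 */
        { "172.16.1.1", "8.8.8.8",     0x10, DIR_OUTPUT },  /* 100 -> 4000 misses -> 4100 */
        { "172.16.1.1", "8.8.8.8",     0,    DIR_OUTPUT },  /* 400: blackhole */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct verdict v = fib_rules_lookup(slide_rules, N_SLIDE_RULES, &cases[i]);
        printf("from %s to %s mark %#x: rule %u -> %s %u\n", cases[i].src, cases[i].dst,
               cases[i].mark, v.pref, names[v.action], v.table);
    }
    return 0;
}
```

The fifth case is the one worth staring at: a marked packet from outside 10.0.0.0/24 takes the goto, misses rule 4000, and falls through to 4100, so the jump does not skip the rules between 100 and 4000 for the packets that did not match at 4000 either. That is exactly why the kernel only allows forward jumps.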

Extending Routing Rules: future directions
- consider the packet data pointer as part of flowi where available, to allow basing routing decisions on packet inspection
- attach an ematch tree to a fib rule