Presentation is loading. Please wait.

Presentation is loading. Please wait.

Perl iptables interface CPAN IPTables::libiptc Netfilter Workshop 2011 d.24/8-2011 by Jesper Dangaard Brouer Master of Computer Science ComX Networks A/S.

Published byEthan Stafford Modified over 8 years ago

Similar presentations

Presentation on theme: "Perl iptables interface CPAN IPTables::libiptc Netfilter Workshop 2011 d.24/8-2011 by Jesper Dangaard Brouer Master of Computer Science ComX Networks A/S."— Presentation transcript:

1 Perl iptables interface CPAN IPTables::libiptc Netfilter Workshop 2011 d.24/8-2011 by Jesper Dangaard Brouer Master of Computer Science ComX Networks A/S

2 2 /10 CPAN IPTables::libiptc – Perl iptables interface Who am I ● Name: Jesper Dangaard Brouer – Edu: Computer Science for Uni. Copenhagen ● Focus on Network, Dist. sys and OS – Linux user since 1996, professional since 1998 ● Sysadm, Kernel Developer, Embedded – OpenSource projects, author of – ADSL-optimizer – CPAN IPTables::libiptc – IPTV-Analyzer ● Patches accepted into – Linux kernel, iproute2, iptables, libpcap and Wireshark

3 3 /10 CPAN IPTables::libiptc – Perl iptables interface Why name: IPTables::libiptc ● The libiptc comes from the iptables cache library – Perl module started linking with this C-library – Now (> v0.51) dynamic loading of ● libiptc.so ● libxtables.so – Still compile and include iptables.c ● In several versions ● Just to call do_command() – No need to support extensions in Perl ● Dyn-loaded by iptables.c

4 4 /10 CPAN IPTables::libiptc – Perl iptables interface Why is it so fast? ● Take advantage of how iptables talk to kernel – Iptables/libiptc transfers the entire ruleset ● (init) from kernel to userspace ● make several ruleset changes ● (commit) back from userspace to kernel – Atomic commit in kernel – Iptables command approach is stupid ● It only perform one change – Init → one-change → commit ● init+commit expensive operations

5 5 /10 CPAN IPTables::libiptc – Perl iptables interface How fast: stats(1) ● Completely rebuilding access control rules one machine – Number of calls:236645 – Libiptc time used :3.95667362 sec – Average per call:0.00001671 sec – Perl total time:16.5 sec ● Ruleset size (only filter table): – (Note: Both Access + Customer-firewall(bloated)) – Chains: 19886 – Rules: 79127 – Memory 19120128 =~ 19 MB ● Times 16 CPUs = 304 MB

6 6 /10 CPAN IPTables::libiptc – Perl iptables interface Detailed stats(2) ● Statistics per command action: ● Old method: Command line iptables 236645 calls, – init+commit overhead: 0.639 sec * 236645 = 42 hours!

7 7 /10 CPAN IPTables::libiptc – Perl iptables interface What could I wish for ● Some shared lib exporting iptables do_command() ● Not too many API/ABI changes, please. ● Locking around init() and commit() – Concurrent iptables call can clash ● Mostly one will fail during commit() ● Risk the wrong ruleset gets comitted.

8 8 /10 CPAN IPTables::libiptc – Perl iptables interface Future development ● Wrapper module: IPTables::Interface – Handles locking + singleton object init – Code in my SubnetSkeleton code, see: – https://github.com/netoptimizer/IPTables-SubnetSkeletonhttps://github.com/netoptimizer/IPTables-SubnetSkeleton – Move module to CPAN ● Perhaps in IPTables::libiptc package? ● Keep up with iptables versions ● Better exit on error handling

9 9 /10 CPAN IPTables::libiptc – Perl iptables interface Status ● IPTables::libiptc version 0.51 – supporting iptables above version 1.4.3.2 ● Due to API changes by Jan Engelhardt – up-to iptables version 1.4.10 ● Due to new API changes

10 10 /10 CPAN IPTables::libiptc – Perl iptables interface The End ● Is anybody using Perl and iptables? – Using my module? ● Please inform me: jdb@comx.dkjdb@comx.dk ● CPAN link: – http://search.cpan.org/perldoc?IPTables::libiptc http://search.cpan.org/perldoc?IPTables::libiptc ● Code Git tree: – https://github.com/netoptimizer/CPAN-IPTables-libiptc https://github.com/netoptimizer/CPAN-IPTables-libiptc

Download ppt "Perl iptables interface CPAN IPTables::libiptc Netfilter Workshop 2011 d.24/8-2011 by Jesper Dangaard Brouer Master of Computer Science ComX Networks A/S."

Similar presentations

March 2009IETF 74 - NSIS1 Implementation of Permission-Based Sending (PBS) NSLP: Network Traffic Authorization draft-hong-nsis-pbs-nslp-02 Se Gi Hong*,

March 2009IETF 74 - NSIS1 Implementation of Permission-Based Sending (PBS) NSLP: Network Traffic Authorization draft-hong-nsis-pbs-nslp-02 Se Gi Hong*,
Google Bigtable A Distributed Storage System for Structured Data Hadi Salimi, Distributed Systems Laboratory, School of Computer Engineering, Iran University.

Google Bigtable A Distributed Storage System for Structured Data Hadi Salimi, Distributed Systems Laboratory, School of Computer Engineering, Iran University.
WWW.GEDAE.COM 0 HPEC 2010 Automated Software Cache Management.

0 HPEC 2010 Automated Software Cache Management.
Scheduling of Tiled Nested Loops onto a Cluster with a Fixed Number of SMP Nodes Maria Athanasaki, Evangelos Koukis, Nectarios Koziris National Technical.

Scheduling of Tiled Nested Loops onto a Cluster with a Fixed Number of SMP Nodes Maria Athanasaki, Evangelos Koukis, Nectarios Koziris National Technical.
I/O Systems ◦ Operating Systems ◦ CS550. Note:  Based on Operating Systems Concepts by Silberschatz, Galvin, and Gagne  Strongly recommended to read.

I/O Systems ◦ Operating Systems ◦ CS550. Note:  Based on Operating Systems Concepts by Silberschatz, Galvin, and Gagne  Strongly recommended to read.
Computers: Software Patrice Koehl Computer Science UC Davis.

Computers: Software Patrice Koehl Computer Science UC Davis.
Small Form Computing A bump in the wire. The questions ● What can we do with an inexpensive small computer? ● Can we make it a part of a seamless wireless.

Small Form Computing A bump in the wire. The questions ● What can we do with an inexpensive small computer? ● Can we make it a part of a seamless wireless.
UNIX System Administration OS Kernal Copyright 2002, Dr. Ken Hoganson All rights reserved. OS Kernel Concept Kernel or MicroKernel Concept: An OS architecture-design.

UNIX System Administration OS Kernal Copyright 2002, Dr. Ken Hoganson All rights reserved. OS Kernel Concept Kernel or MicroKernel Concept: An OS architecture-design.
SUSE Linux Enterprise Server Administration (Course 3037) Chapter 4 Manage Software for SUSE Linux Enterprise Server.

SUSE Linux Enterprise Server Administration (Course 3037) Chapter 4 Manage Software for SUSE Linux Enterprise Server.
Operating System Principles Ku-Yaw Chang Assistant Professor, Department of Computer Science and Information Engineering Da-Yeh.

Operating System Principles Ku-Yaw Chang Assistant Professor, Department of Computer Science and Information Engineering Da-Yeh.
ICOM 5007 - Noack Operating Systems - Administrivia Prontuario - Please time-share and ask questions Info is in my homepage amadeus/~noack/ Make bookmark.

ICOM Noack Operating Systems - Administrivia Prontuario - Please time-share and ask questions Info is in my homepage amadeus/~noack/ Make bookmark.
Chapter 2: Operating-System Structures. 2.2 Silberschatz, Galvin and Gagne ©2005 Operating System Concepts – 7 th Edition, Jan 14, 2005 Operating System.

Chapter 2: Operating-System Structures. 2.2 Silberschatz, Galvin and Gagne ©2005 Operating System Concepts – 7 th Edition, Jan 14, 2005 Operating System.
Fast Multi-Threading on Shared Memory Multi-Processors Joseph Cordina B.Sc. Computer Science and Physics Year IV.

Fast Multi-Threading on Shared Memory Multi-Processors Joseph Cordina B.Sc. Computer Science and Physics Year IV.
How to Use SVS Joseph Xu Soar Workshop 2012 1. History Soar Visual Interface (SVI) – Scott Lathrop Spatial Reasoning System (SRS) – Sam Wintermute Soar.

How to Use SVS Joseph Xu Soar Workshop History Soar Visual Interface (SVI) – Scott Lathrop Spatial Reasoning System (SRS) – Sam Wintermute Soar.
1 What is a Kernel The kernel of any operating system is the core of all the system’s software. The only thing more fundamental than the kernel is the.

1 What is a Kernel The kernel of any operating system is the core of all the system’s software. The only thing more fundamental than the kernel is the.
Processes and Threads CS550 Operating Systems. Processes and Threads These exist only at execution time They have fast state changes -> in memory and.

Processes and Threads CS550 Operating Systems. Processes and Threads These exist only at execution time They have fast state changes -> in memory and.
1.4 Open source implement. Open source implement Open vs. Closed Software Architecture in Linux Systems Linux Kernel Clients and Daemon Servers Interface.

1.4 Open source implement. Open source implement Open vs. Closed Software Architecture in Linux Systems Linux Kernel Clients and Daemon Servers Interface.
© Janice Regan, CMPT 300, May 2007 0 CMPT 300 Introduction to Operating Systems Operating Systems Overview Part 2: History (continued)

© Janice Regan, CMPT 300, May CMPT 300 Introduction to Operating Systems Operating Systems Overview Part 2: History (continued)
Operating Systems David Goldschmidt, Ph.D. Computer Science The College of Saint Rose CIS 432.

Operating Systems David Goldschmidt, Ph.D. Computer Science The College of Saint Rose CIS 432.
CE01000-3 Operating Systems Lecture 3 Overview of OS functions and structure.

CE Operating Systems Lecture 3 Overview of OS functions and structure.

Similar presentations

Ads by Google