Presentation is loading. Please wait.

Presentation is loading. Please wait.

Modifying libiptc: Making large iptables rulesets scale

Published byArthur Davis Modified over 6 years ago

Similar presentations

Presentation on theme: "Modifying libiptc: Making large iptables rulesets scale"— Presentation transcript:

1 Modifying libiptc: Making large iptables rulesets scale
Netfilter Developers Workshop 2008 d.1/ by Jesper Dangaard Brouer Master of Computer Science ComX Networks A/S

2 Presentation overview
You will learn: That the entire ruleset is copied to userspace (libiptc) That libiptc contained some scalability issues About my modifications to libiptc, to make it scale Remaining issues with iptables userspace locking

3 Ruleset copied to userspace
Ran into scalability issues with iptables when having large amount of chain Discover how iptables works: Entire ruleset copied to userspace After possibly multiple changes, copied back to kernel Performed by a IPTables Cache library "libiptc" iptables.c is a command line parser using this library Profiling...

4 libiptc: scalability issues
Minor: Inline functions iptcc_is_builtin() and set_changed() Don't sort all chains on pull-out, only on insert Major: Initial ruleset parsing slow Chain name lookup slow

5 Issue: Initial ruleset parsing
First scalability issue identified: Initial ruleset parsing Problem: Resolving jump chains is slow O(Chain*Rules) Each jump chain resolved Linearly, offset based, search of chain list Postpone fix Take advantage pull-out and commit system Only one “initial ruleset parsing” penalty

6 Actually like pull-out and commit system
Take advantage of pull-out and commit system Pull-out ruleset (one initial ruleset parsing penalty) Make all modification needed Commit ruleset (to kernel) This is how iptables-restore works Extra bonus: Several rule changes appear atomic Update all rules related to a customer at once No need for temp chains and renaming

7 Perl - IPTables::libiptc
Cannot use iptables-restore/save SubnetSkeleton must have is_chain() test function Created CPAN IPTables::libiptc Chains: Direct libiptc calls Rules: Command like interface via iptables.c linking iptables extensions available on system, dynamic loaded No need to maintain or port iptables extensions Remember to commit() Postponed fixing "initial ruleset parsing"

8 Next scalability issue: Chain lookup
Slow chain name lookup is_chain() testing (internal iptcc_find_label()) Cause by: linearly list search with strcmp() Affects: almost everything Rule create, delete, even listing. Multiple rule changes, eg. iptables-restore, SubnetSkeleton Rule listing (iptables -nL) with 50k chains: Takes approx 5 minutes! After my fix: reduced to 0.5 sec.

9 Chains lookup: Solution
Mainline: iptables ver.1.4.1, git: Chains lookup: Solution Solution: binary search on chain names Important property chain list is sorted by name Keep original linked list data structure New data structure: "Chain index" Array with pointers into linked list with a given spacing (40) Result: better starting points when searching the linked list Chain index: Array 1 2 3 (named skip-list search infrastructure by Thomas Jacob (In mainline, iptables version 1.4.1, git: ) The runtime complexity is actually also affected by this "bucket" size concept. Thus, O(log(n/k) + k) where k is CHAIN_INDEX_BUCKET_LEN. B C D E F G H I J K L M N O Chain list: linked list, sorted by chain name

10 Chain index: Insert chain
Handle: Inserting/creating new chains Inserting don't change correctness of chain index only cause longer lists rebuild after threshold inserts (355) Inserting before first element is special Chain index: Array 1 2 3 A B C D E F H J L N P Chain list: linked list, sorted by chain name

11 Chain index: Delete chain
Handle: deletion of chains Delete chain not pointed to by chain index, no effect Delete chain pointed to by chain index, possible rebuild Replace index pointer with next pointer Only if next pointer not part of chain index Chain index: Array 1 2 3 Rebuild array B C D E F G H I J K L M N O Chain list: linked list, sorted by chain name

12 Solving: Initial ruleset parsing
mainline: iptables ver rc1, git: Solving: Initial ruleset parsing Back to fixing "initial ruleset parsing". Did have a fix, but was not 64-bit compliant ( ) Problem: Resolving jump rules is slow For each: Jump Rule Do a linearly, offset based, search of chain list Solution: Reuse binary search algorithm and data structure Realize chain list are both sorted by name and offsets Ruleset from kernel already sorted (In mainline: iptables ver rc1, git: ) Did have a fix, but was not 64-bit compliant ( )

13 Summary: Load time Personal firewall
Reload all rules on a production machine Chains: 5789 Rules: 22827

14 Summary: Open Source Open Source Status Chain lookup fix
In iptables version 1.4.1 50k chains, listing 5 min -> 0.5 sec Initial ruleset parsing fix In iptables version rc1 Production, reached 10 sec -> sec IPTables::libiptc Released on CPAN IPTables::SubnetSkeleton Available via

15 Remaining issue: No locking
Ruleset pull-out and commit system Problem: Userspace race condition Two processes pull-out ruleset Process#1 commit Process#2 commit ... what happens!? if ruleset entries are the same, p#2 overwrite p#1 rules possibly wrong counter updates if ruleset entries differ, p#2 fail with an errno=EAGAIN My solution: Simple file lock (flock) in /var/lock/ Discussion? Don't lock on “-L” listing, because cannot use in a pipe if ruleset entries differ, p#2 fail with an errno=EAGAIN Code: net/ipv4/netfilter/ip_tables.c: __do_replace() net/netfilter/xt_replace_table: xt_replace_table() line 585

16 The End Goodbye and thank you for accepting the patches...
/0/18 /19 /22 /16

17 Extra slides Bonus slides if time permits or funny questions arise

Download ppt "Modifying libiptc: Making large iptables rulesets scale"

Similar presentations

CpSc 3220 File and Database Processing Lecture 17 Indexed Files.

CpSc 3220 File and Database Processing Lecture 17 Indexed Files.
Operating Systems Lecture 10 Issues in Paging and Virtual Memory Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard. Zhiqing.

Operating Systems Lecture 10 Issues in Paging and Virtual Memory Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard. Zhiqing.
CS4432: Database Systems II Hash Indexing 1. Hash-Based Indexes Adaptation of main memory hash tables Support equality searches No range searches 2.

CS4432: Database Systems II Hash Indexing 1. Hash-Based Indexes Adaptation of main memory hash tables Support equality searches No range searches 2.
Linkage Editors Difference between a linkage editor and a linking loader: Linking loader performs all linking and relocation operations, including automatic.

Linkage Editors Difference between a linkage editor and a linking loader: Linking loader performs all linking and relocation operations, including automatic.
Chapter 3 Loaders and Linkers

Chapter 3 Loaders and Linkers
The Zebra Striped Network Filesystem. Approach Increase throughput, reliability by striping file data across multiple servers Data from each client is.

The Zebra Striped Network Filesystem. Approach Increase throughput, reliability by striping file data across multiple servers Data from each client is.
Discard Routes and Avoiding Routing Loops

Discard Routes and Avoiding Routing Loops
BTrees & Bitmap Indexes

BTrees & Bitmap Indexes
6/24/2015B.RamamurthyPage 1 File System B. Ramamurthy.

6/24/2015B.RamamurthyPage 1 File System B. Ramamurthy.
7/15/2015B.RamamurthyPage 1 File System B. Ramamurthy.

7/15/2015B.RamamurthyPage 1 File System B. Ramamurthy.
Database Management Systems, R. Ramakrishnan and J. Gehrke1 Tree-Structured Indexes Chapter 9.

Database Management Systems, R. Ramakrishnan and J. Gehrke1 Tree-Structured Indexes Chapter 9.
© Janice Regan, CMPT 128, Jan. 2007 0 CMPT 128 Introduction to Computing Science for Engineering Students Creating a program.

© Janice Regan, CMPT 128, Jan CMPT 128 Introduction to Computing Science for Engineering Students Creating a program.
Networked File System CS 537 - Introduction to Operating Systems.

Networked File System CS Introduction to Operating Systems.
ITEC 502 컴퓨터 시스템 및 실습 Chapter 10-1: File Systems Mi-Jung Choi DPNM Lab. Dept. of CSE, POSTECH.

ITEC 502 컴퓨터 시스템 및 실습 Chapter 10-1: File Systems Mi-Jung Choi DPNM Lab. Dept. of CSE, POSTECH.
Eric Keller, Evan Green Princeton University PRESTO 2008 8/22/08 Virtualizing the Data Plane Through Source Code Merging.

Eric Keller, Evan Green Princeton University PRESTO /22/08 Virtualizing the Data Plane Through Source Code Merging.
With Windows 7 Introductory© 2011 Pearson Education, Inc. Publishing as Prentice Hall1 Windows 7 Introductory Chapter 2 Managing Libraries Folders, Files.

With Windows 7 Introductory© 2011 Pearson Education, Inc. Publishing as Prentice Hall1 Windows 7 Introductory Chapter 2 Managing Libraries Folders, Files.
CHAPTER 09 Compiled by: Dr. Mohammad Omar Alhawarat Sorting & Searching.

CHAPTER 09 Compiled by: Dr. Mohammad Omar Alhawarat Sorting & Searching.
…using Git/Tortoise Git

…using Git/Tortoise Git
File Processing - Indexing MVNC1 Indexing Jim Skon.

File Processing - Indexing MVNC1 Indexing Jim Skon.
CS261 – Recitation 5 Fall 2013. Outline Assignment 3: Memory and Timing Tests Binary Search Algorithm Binary Search Tree Add/Remove examples 1.

CS261 – Recitation 5 Fall Outline Assignment 3: Memory and Timing Tests Binary Search Algorithm Binary Search Tree Add/Remove examples 1.

Similar presentations

Ads by Google