From: Krishna Kumar <krkumar2@in.ibm.com>
To: netfilter-devel@vger.kernel.org
Cc: svajipay@in.ibm.com, vivk@us.ibm.com, Krishna Kumar <krkumar2@in.ibm.com>, sri@us.ibm.com
Subject: [RFC] [PATCH 0/4] netfilter: "fail-open" feature support for NFQUEUE
Date: Mon, 07 May 2012 11:33:38 +0530
Message-ID: <20120507060338.19528.29403.sendpatchset@localhost.localdomain>
Many users of an IBM security product, which uses netfilter's NFQUEUE
target to process packets in userspace, face a problem of dropped
connections during heavy load. Incoming packets are queued and
processed by the security module, which does deep packet analysis to
decide whether to accept or reject them. However, during heavy load,
the NFQUEUE queue (default 1024 entries) fills up and connections fail
after a large number of packets drop during enqueue. Increasing the
queue size delays the problem and also worsens latency.

This patch set implements "failopen" support to help keep connections
open during such failures. This is achieved by allowing acceptance of
packets temporarily when the queue is full, which enables existing
connections to be kept alive. Customers prefer this option as a similar
feature is available on other systems.

This patch set implements failopen for NFQUEUE (though a similar patch
for IPQUEUE is also implemented but not submitted at this time). I will
submit the iptables changes which control turning failopen mode on/off
later. The original requirement for a sysctl option is not implemented -
please let me know whether that is acceptable/preferable.
-------------------------- Results -----------------------------
Server:
# iptables -A INPUT -p tcp -m mac --mac-source 00:00:C9:C6:4F:22 -j NFQUEUE --queue-num 0
# Run interceptor program with 50ms delay between packet processing, and
also sets qlen to 8
Client:
# netperf -v0 -H 10.0.4.1 -l 10
TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 10.0.4.1 (10.0.4.1) port 0 AF_INET
0.22
# scp /tmp/LARGE_FILE_1 10.0.4.1:/tmp
/tmp/LARGE_FILE_1 8% 8848KB 24.0KB/s 1:09:41 ETA
---------------------------------------------------------
Server:
# iptables -A INPUT -p tcp -m mac --mac-source 00:00:C9:C6:4F:22 -j NFQUEUE --queue-num 0 --fail-open
# Run interceptor program with 50ms delay between packet processing, and
also sets qlen to 8
Client:
# netperf -v0 -H 10.0.4.1 -l 10
TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 10.0.4.1 (10.0.4.1) port 0 AF_INET
4184.48
# scp /tmp/LARGE_FILE_2 10.0.4.1:/tmp
/tmp/LARGE_FILE_2 100% 107MB 106.5MB/s 00:01
---------------------------------------------------------
Please review and provide feedback/comments.
Signed-off-by: Krishna Kumar <krkumar2@in.ibm.com>
---
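The following is an added illustration and is not part of this patch set or of the kernel's nf_queue code. It is a small C model of the one decision the cover letter describes: what happens to a packet that hits an NFQUEUE rule while the queue is already full. With fail-open off the packet is dropped (the connection may stall, but nothing reaches the host uninspected); with fail-open on the packet is accepted, the connection survives, and the packet bypasses the userspace inspector. The struct, function names and the `bypassed`/`dropped` counters are hypothetical; the kernel keeps no such per-queue counters for this purpose. The simulated burst (40 packets, userspace draining one packet per four arrivals, qlen 8) is constructed to mirror the slow-interceptor setup in the results above.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Outcome for a packet hitting the queue rule (illustrative values, not the
 * kernel's NF_* verdict constants). */
enum verdict { VERDICT_QUEUED = 0, VERDICT_DROP = 1, VERDICT_ACCEPT = 2 };

/* Hypothetical model of one NFQUEUE instance. */
struct pkt_queue {
    unsigned int qlen;      /* packets currently waiting for a userspace verdict */
    unsigned int qmax;      /* capacity; NFQUEUE's default is 1024 */
    bool fail_open;         /* --fail-open semantics: accept instead of drop when full */
    unsigned int dropped;   /* packets lost because the queue was full (fail-closed) */
    unsigned int bypassed;  /* packets accepted WITHOUT inspection (fail-open) */
};

void pkt_queue_init(struct pkt_queue *q, unsigned int qmax, bool fail_open)
{
    memset(q, 0, sizeof *q);
    q->qmax = qmax;
    q->fail_open = fail_open;
}

/* Called once per packet matching the NFQUEUE rule. */
enum verdict pkt_queue_enqueue(struct pkt_queue *q)
{
    if (q->qlen < q->qmax) {
        q->qlen++;
        return VERDICT_QUEUED;
    }
    /* Queue full: this branch is the policy the patch set makes configurable. */
    if (q->fail_open) {
        q->bypassed++;      /* connection survives, but the inspector never saw it */
        return VERDICT_ACCEPT;
    }
    q->dropped++;           /* connection may fail, nothing uninspected passes */
    return VERDICT_DROP;
}

/* Userspace returned a verdict for the oldest queued packet. */
void pkt_queue_dequeue(struct pkt_queue *q)
{
    if (q->qlen > 0)
        q->qlen--;
}

/* Constructed burst: `burst` packets arrive; the userspace inspector is slow
 * and drains one packet every `drain_every` arrivals (0 = never drains). */
struct pkt_queue simulate(unsigned int qmax, bool fail_open,
                          unsigned int burst, unsigned int drain_every)
{
    struct pkt_queue q;
    pkt_queue_init(&q, qmax, fail_open);
    for (unsigned int i = 1; i <= burst; i++) {
        pkt_queue_enqueue(&q);
        if (drain_every && i % drain_every == 0)
            pkt_queue_dequeue(&q);
    }
    return q;
}

int main(void)
{
    struct pkt_queue closed = simulate(8, false, 40, 4);
    struct pkt_queue open   = simulate(8, true,  40, 4);
    printf("fail-closed: dropped=%u bypassed=%u qlen=%u\n",
           closed.dropped, closed.bypassed, closed.qlen);
    printf("fail-open:   dropped=%u bypassed=%u qlen=%u\n",
           open.dropped, open.bypassed, open.qlen);
    return 0;
}
```

The two runs hit the full-queue branch the same number of times; the only difference is which counter grows. That counter is the number a defender would want exported and alarmed on when deploying fail-open: every increment of `bypassed` is a packet that reached the host without deep inspection, so a sustained non-zero rate means the inspector is undersized for the traffic, not merely that the feature is working.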
Thread overview:
2012-05-07 6:03 Krishna Kumar [this message]
2012-05-07 6:03 ` [RFC] [PATCH 1/4] netfilter: Define FAILOPEN flag - Krishna Kumar
2012-05-07 6:04 ` [RFC] [PATCH 2/4] netfilter: Add new argument to enqueue handlers - Krishna Kumar
2012-05-07 6:04 ` [RFC] [PATCH 3/4] netfilter: Add support for failopen in nf_queue() - Krishna Kumar
2012-05-07 6:04 ` [RFC] [PATCH 4/4] netfilter: Enable fail-open - Krishna Kumar
2012-05-07 7:56 ` Florian Westphal
2012-05-07 9:04 ` Pablo Neira Ayuso
2012-05-07 8:10 ` [RFC] [PATCH 0/4] netfilter: "fail-open" feature support for NFQUEUE - Florian Westphal
2012-05-07 9:14 ` Pablo Neira Ayuso
2012-05-07 13:51 ` Krishna Kumar2
2012-05-07 14:52 ` Florian Westphal