From: Krishna Kumar <krkumar2@in.ibm.com>
To: kaber@trash.net, pablo@netfilter.org
Cc: vivk@us.ibm.com, svajipay@in.ibm.com, fw@strlen.de,
	netfilter-devel@vger.kernel.org,
	Krishna Kumar <krkumar2@in.ibm.com>,
	sri@us.ibm.com
Subject: [v3 PATCH 0/1] netfilter: "fail-open" feature support for NFQUEUE
Date: Tue, 22 May 2012 17:40:37 +0530
Message-ID: <20120522121037.880.44203.sendpatchset@localhost.localdomain>

Many users of an IBM security product, which uses netfilter's NFQUEUE
target to process packets in userspace, face a problem of dropped
connections during heavy load. Incoming packets are queued and
processed by the security module, which does deep packet analysis to
decide whether to accept or reject them. However, during heavy load, the
NFQUEUE queue (default 1024 entries) fills up and connections fail
after a large number of packets are dropped during enqueue.

This patch implements "failopen" support for NFQUEUE to help keep
connections open during such failures. This is achieved by allowing
acceptance of packets temporarily when the queue is full, which enables
existing connections to be kept open.

Failopen is enabled/disabled using a new call - nfq_set_flags(qh, mask,
flags), which makes use of two new netlink attributes:
	1. NFQA_CFG_MASK:  Specifies which flags are being modified.
	2. NFQA_CFG_FLAGS: Set/reset the value for each of those flags.


		Tests done:
		------------
- netperf TCP_STREAM
- 64 netperf stress testing to ensure there are no memory leaks
- icmp (ping)
- enabling/disabling failopen in the middle of existing connections
- checksum verification of transferred files (scp)
- different flag/mask values to check that code handling NFQA_CFG_MASK
  works as expected


		Test results:
		-------------
Server:
-------
# iptables -A INPUT -p tcp -m mac --mac-source 00:00:C9:C6:4F:22 \
	-j NFQUEUE --queue-num 0
# Run the interceptor program with a 50ms delay between packet processing; it
also sets qlen to 16. After every read system call, this program tests and reads a
config file's contents (0 or 1) and calls nfq_set_flags(qh, mask, flags).

Client:
-------
	---> failopen is disabled on server at this time
# netperf -v0 -H 10.0.4.1
TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 10.0.4.1 (10.0.4.1) port 0 AF_INET
0.16   
	---> failopen is enabled on server at this time
# netperf -v0 -H 10.0.4.1
TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 10.0.4.1 (10.0.4.1) port 0 AF_INET
2292.82 

	---> failopen is disabled on server at this time
# scp FILE 10.0.4.1:/tmp
FILE                             0% 2960KB  88.4KB/s 12:19:37 ETA
	---> Enable failopen on server at this time
FILE                             21%  809MB  44.2MB/s   01:08 ETA
	---> Disable failopen on server at this time
FILE                             23%  903MB 157.4KB/s 5:18:01 ETA
	---> Enable failopen on server at this time
FILE                             100% 3835MB  24.1MB/s   02:39    


Changes from rev2:
------------------

1. Changed NFQA_CFG_FAIL_OPEN to generic NFQA_CFG_FLAGS and NFQA_CFG_MASK
2. Enqueue handler now returns -ENOSPC upon "fail-open".
3. Do not invoke okfn on ENOSPC, but process all hooks first. nf_hook_slow
   has code to handle failopen.

Please review.

Signed-off-by: Krishna Kumar <krkumar2@in.ibm.com>
Signed-off-by: Vivek Kashyap <vivk@us.ibm.com>
Signed-off-by: Sridhar Samudrala <samudrala@us.ibm.com>
---
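The mask/flags update rule and the "ENOSPC means accept, not drop" path that the cover letter describes, as an added C model written here for illustration; it is not the kernel patch's or libnetfilter_queue's code, and `QCFG_F_FAIL_OPEN`, `struct nfq_model` and the function names are constructed stand-ins for the real identifiers.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the fail-open flag bit (assumption). */
#define QCFG_F_FAIL_OPEN 0x1u

enum verdict { VERDICT_QUEUED, VERDICT_ACCEPT, VERDICT_DROP };

struct nfq_model {
    uint32_t flags;     /* configuration flags, changed via mask/flags */
    unsigned int qlen;  /* packets currently queued to userspace */
    unsigned int qmax;  /* queue limit (1024 by default in NFQUEUE) */
};

/* NFQA_CFG_MASK selects which bits may change; NFQA_CFG_FLAGS carries
 * their new values. Bits outside the mask keep their previous value, so
 * an update with mask 0 is a no-op whatever the flags word says. */
void set_cfg_flags(struct nfq_model *q, uint32_t mask, uint32_t flags)
{
    q->flags = (q->flags & ~mask) | (flags & mask);
}

/* Enqueue handler: 0 when the packet was queued, -ENOSPC when the queue
 * is full and fail-open is enabled, a generic failure (-1) otherwise. */
int enqueue_packet(struct nfq_model *q)
{
    if (q->qlen >= q->qmax)
        return (q->flags & QCFG_F_FAIL_OPEN) ? -ENOSPC : -1;
    q->qlen++;
    return 0;
}

/* Caller-side handling as described for nf_hook_slow: only -ENOSPC turns
 * a full queue into an accept; any other failure still drops. */
enum verdict hook_slow(struct nfq_model *q)
{
    int ret = enqueue_packet(q);
    if (ret == 0)
        return VERDICT_QUEUED;
    return ret == -ENOSPC ? VERDICT_ACCEPT : VERDICT_DROP;
}

int main(void)
{
    struct nfq_model q = { 0, 0, 2 };           /* tiny queue: fills fast */
    hook_slow(&q); hook_slow(&q);               /* queue now full */
    printf("full, failopen off: %d\n", hook_slow(&q));  /* 2 = DROP */
    set_cfg_flags(&q, QCFG_F_FAIL_OPEN, QCFG_F_FAIL_OPEN);
    printf("full, failopen on:  %d\n", hook_slow(&q));  /* 1 = ACCEPT */
    return 0;
}
```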

