Hacking and Other Thoughts

Sun, 05 Oct 2008

Netfilter Workshop 2008, Paris

I just returned from Paris, and the 2008 Netfilter Workshop. Just like last year it was a blast, and there were lots of interesting things discussed as well as imbibed.

On the first day there was a users day where presentations were made aimed at a more user oriented audience. It seems that just about anyone who was aware could attend and hear the talks. I gave one on multiqueue networking. You can find my slides and other info here.

Tuesday and Wednesday were the main workshop days.

Of greatest interest to me were the descriptions given by Patrick McHardy for his new filtering framework, where all the complexity is in userspace and the kernel just runs filtering scripts and lookup datastructures fed to it by the user tools. In short, I think this stuff is great, and unlike some folks I don't think this will decrease netfilter participation by other developers at all.

And frankly, iptables was absolutely too accessible to contributors. Look at how much stinking poo is in the patch-o-matic, oft called "crap-o-matic".

Patrick's work is a wonderful centralized framework, and in fact the scripting is generic enough that you can build any tool to create these filtering instructions and subsidiary lookup tables.

We also made some headway with the tproxy stuff. All but one of the core networking patches are in the net-next-2.6 GIT tree. Indeed, this is a feature which has been missing for 5 years :-) I have to hand it to the balabit guys for sticking to it and working so hard for so long to get this merged.

Pablo gave some interesting presentations (3 at once!), and he is exploring some ways to perhaps make use of bloom filters. This is something Patrick has devoted some exploratory brain power to in the past, but it is often hard to find a use case for these inexact matches, although they are very cool.
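To make the "inexact match" point concrete, here is a small Bloom filter over IPv4 addresses. It is an added illustration written for this post, not code from netfilter, Pablo or Patrick, and the hash function, sizes and sample addresses are my own choices. A Bloom filter never says "no" for an address that was added, but it can say "maybe" for one that was not, which is exactly why a filtering verdict cannot rest on it alone: a "maybe" still has to be resolved by an exact lookup, and only a "definitely not" can short-circuit that work.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Filter geometry: 4096 bits, 3 hash probes per key (constructed for this demo). */
#define BLOOM_BITS   4096u
#define BLOOM_HASHES 3u

struct bloom {
    uint8_t bits[BLOOM_BITS / 8];
};

/* Hypothetical helper: FNV-1a with a per-probe seed folded into the basis,
 * reduced to a bit index. Any family of independent hashes would do. */
static uint32_t bloom_hash(const void *key, size_t len, uint32_t seed)
{
    const uint8_t *p = key;
    uint32_t h = 2166136261u ^ seed;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h % BLOOM_BITS;
}

static void bloom_init(struct bloom *b)
{
    memset(b->bits, 0, sizeof b->bits);
}

/* Set the BLOOM_HASHES bits that represent this key. */
static void bloom_add(struct bloom *b, const void *key, size_t len)
{
    for (uint32_t k = 0; k < BLOOM_HASHES; k++) {
        uint32_t idx = bloom_hash(key, len, k * 0x9e3779b9u);
        b->bits[idx / 8] |= (uint8_t)(1u << (idx % 8));
    }
}

/* Returns 0 if the key was definitely never added, 1 if it MAY have been.
 * A 1 is not a match; it is a signal that an exact lookup is still required. */
static int bloom_maybe(const struct bloom *b, const void *key, size_t len)
{
    for (uint32_t k = 0; k < BLOOM_HASHES; k++) {
        uint32_t idx = bloom_hash(key, len, k * 0x9e3779b9u);
        if (!(b->bits[idx / 8] & (1u << (idx % 8))))
            return 0;
    }
    return 1;
}

/* Constructed sample data: members are 10.0.0.1 .. 10.0.0.64,
 * probes for non-members walk through 192.168.0.0 .. 192.168.3.231. */
static uint32_t member_ip(int i)     { return (10u << 24) | (uint32_t)(i + 1); }
static uint32_t non_member_ip(int i) { return (192u << 24) | (168u << 16) | (uint32_t)i; }

static void fill_with_members(struct bloom *b)
{
    for (int i = 0; i < 64; i++) {
        uint32_t ip = member_ip(i);
        bloom_add(b, &ip, sizeof ip);
    }
}

/* Property 1: no false negatives. Every added address answers "maybe". */
int demo_no_false_negatives(void)
{
    struct bloom b;
    bloom_init(&b);
    fill_with_members(&b);
    for (int i = 0; i < 64; i++) {
        uint32_t ip = member_ip(i);
        if (!bloom_maybe(&b, &ip, sizeof ip))
            return 0;
    }
    return 1;
}

/* Property 2: false positives exist. Count how many of 1000 addresses that
 * were never added still answer "maybe". With this geometry the expected
 * count is well under one, but it is never guaranteed to be zero. */
int demo_false_positives(void)
{
    struct bloom b;
    bloom_init(&b);
    fill_with_members(&b);
    int fp = 0;
    for (int i = 0; i < 1000; i++) {
        uint32_t ip = non_member_ip(i);
        fp += bloom_maybe(&b, &ip, sizeof ip);
    }
    return fp;
}

/* An empty filter rejects everything outright: the only "cheap" answer. */
int demo_empty_filter_rejects(void)
{
    struct bloom b;
    bloom_init(&b);
    uint32_t ip = member_ip(0);
    return bloom_maybe(&b, &ip, sizeof ip);
}

int main(void)
{
    printf("no false negatives: %d\n", demo_no_false_negatives());
    printf("false positives among 1000 non-members: %d\n", demo_false_positives());
    printf("empty filter answers: %d\n", demo_empty_filter_rejects());
    return 0;
}
```

The asymmetry is the whole story: the filter can be used to skip an exact lookup (a "definitely not" is final), but never to replace one, so it only pays off when most queries are expected to miss.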

Jozsef Kadlecsik gave his IPSET state of the union, discussing new features such as support for ip-port-ip hashing and set lists (which are unions of the existing set types).

Yasuyuki Kosakai gave a presentation on the road blocks that currently exist for doing proper connection tracking for MIPv6 nodes. The basic problem is that the persistent addresses (i.e. the ones we'd want to use for connection tracking) exist in various locations in the IPv6 packet and extension headers.

Jesper talked about all of the userland scalability improvements he made to the iptables utilities. He also described a set of scripts he wrote to build optimized rule table trees.

Stephen Hemminger discussed some of the user visible interface work that Vyatta has been doing. Essentially these are a set of templated bash shell scripts and descriptor files that present a Cisco IOS like interface to administrators. He also talked about the performance issues surrounding the way in which iptables does packet counters, as well as the global conntrack table lock.

Harald Welte gave a talk about the current state of GPL violation enforcement. Things seem to have been going quite well, but it is becoming more and more important to give Harald more facilities by which to make air-tight arguments that he has enforcement rights to code which has been violated. One way for that to happen is for significant contributors to sign over their rights to him so that he can make enforcements on their behalf.

It seems that this is a very common stall tactic by the defence in such cases, to try and bring up some doubt about the code property ownership situation.

Of course, aside from the workshop itself there were plenty of parties. Even for lunch we had quite nice French cuisine and beverages, and the dinners were even nicer.

Tuesday night even included a full 4 hour boat cruise on the Seine, with tons of champagne, wine, small bite-size delicacies of all types, and lots of sweets.

Overall a wonderful time, the netfilter workshop never disappoints. A big thank you to the official organizers this year, INL.