Wednesday November 08, 2006 Weblog
Wednesday November 08, 2006 Packet Filtering Hooks integrated into Solaris Nevada
On the 20th of October, during the 1st week of build 52 of Solaris Nevada, the Packet Filtering Hooks project was finally putback into the main Solaris gate. The project took around 16 months to complete and whilst it started out with 5 developers working on it, in the end it finished up with 2: 2 people working on the project changed their careers within Sun from development to management and another was lost to another project. Of the 2 who were with it at the end, only myself was there from the start - the other project member joined the project early this year to cover someone else who left the company to live with his wife in another city.
The aim of this project is to be a first pass at introducing an API for the Solaris kernel that allows us to implement intercepting IP packets in Solaris without the need for a STREAMS module. The reliance on using a STREAMS module brought with it two major problems for Solaris 10:
- Unable to access packets flowing between zones
- Disables performance improvements from features such as hardware checksum, etc
In internal testing, the performance improvement with IPFilter using Packet Filtering Hooks vs the STREAMS module is between 20% and 30% in some tests - a very worthwhile gain!
There is one glaringly obvious limitation with the current implementation - it is limited to a single callback being registered for hook events that allow data to be modified. This limitation was brought about in discussion with PSARC where the requirement for making this capability available included solving the problem completely - i.e. in a more complete manner than simply assigning different modules a "priority". Amongst the projects we are currently looking at, layer 2 (or MAC layer) filtering is amongst them and with any luck, solving this problem can be wrapped up in this project!
For people who are fimiliar with Netfilter in Linux today, the table below compares the interception points available with Solaris and Linux today. The hooks that are defined in Solaris today have been defined because that is where we currently have someone interested in using them - we currently have nobody asking to use the interception points below that are unimplemented.
If you are developing a product on Solaris or porting a Linux product to Solaris and would benefit from having a hook that is currently unimplemented (such as Local In/Out), please get in contact with me so we can discuss your needs and what can be done to achieve them. Maybe there's scope for you to become involved in OpenSolaris as a developer and do the initial work to support them.
| Solaris Packet Filtering Hooks | Linux Netfilter |
| Loopback inbound | - |
| Loopback outbound | - |
| Physical In | Pre-Routing |
| Physical Out | Post-Routing |
| Forwarding | Forwarding |
| - | Local In |
| - | Local Out |
Trackback URL: http://blogs.sun.com/avalon/entry/packet_filtering_hooks_integrated_into
Post a Comment:
Posted by xunakaj on November 09, 2006 at 01:47 PM PST #
Posted by Darren on November 09, 2006 at 01:57 PM PST #
Posted by Rohit on November 30, 2006 at 12:51 AM PST #
Posted by ArunPrabhu.V on May 24, 2007 at 02:29 AM PDT #
Posted by Arunprabhu on June 07, 2007 at 11:43 PM PDT #
Hi.
I have enabled the ip filter by using svcadm enable newtork/ipfilter and add rules using ipf -FA -f ...conf.
It's working fine. But strange thing is if disable the IPF service using svcadm disable network/ipfilter. After disabling i issued the command ipf -E. then i loaded the rules. It is able to work. I checked the status using svcs network/ipfilter. its says disabled but ipfilter is blocking based on the rules i added.
Could please share what is the relation between ipf -E ipf -D and svcadm enable/disable network/ipfilter.
Thanks in advance
Posted by Chandan on May 07, 2009 at 11:59 PM PDT #