netfilter and iptables
5 likes5,296 views
netfilter is a framework provided by the Linux kernel that allows various networking-related operations to be implemented in the form of customized handlers. iptables is a user-space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different netfilter modules) and the chains and rules it stores. Many systems use iptables/netfilter, Linux's native packet filtering/mangling framework since Linux 2.4, be it home routers or sophisticated cloud network stacks. In this session, we will talk about the netfilter framework and its facilities, explain how basic filtering and mangling use-cases are implemented using iptables, and introduce some less common but powerful extensions of iptables. Shmulik Ladkani, Chief Architect at Nsof Networks. Long time network veteran and kernel geek. Shmulik started his career at Jungo (acquired by NDS/Cisco) implementing residential gateway software, focusing on embedded Linux, Linux kernel, networking and hardware/software integration. Some billions of forwarded packets later, Shmulik left his position as Jungo's lead architect and joined Ravello Systems (acquired by Oracle) as tech lead, developing a virtual data center as a cloud-based service, focusing around virtualization systems, network virtualization and SDN. Recently he co-founded Nsof Networks, where he's been busy architecting network infrastructure as a cloud-based service, gazing at internet routes in astonishment, and playing the chkuku.
1 of 44
Downloaded 99 times
![static struct nf_hook_ops ipv4_synproxy_ops[] = {
{
.hook = ipv4_synproxy_hook,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP_PRI_CONNTRACK_CONFIRM - 1,
.priv = NULL,
},
{
.hook = ipv4_synproxy_hook,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_POST_ROUTING,
.priority = NF_IP_PRI_CONNTRACK_CONFIRM - 1,
.priv = NULL,
},
};](https://image.slidesharecdn.com/ladkani-netfilter-iptables-2017-170809143646/85/netfilter-and-iptables-14-320.jpg)
Ad
Recommended
Fun with Network Interfaces
Fun with Network InterfacesKernel TLV Agenda:
In this session, Shmulik Ladkani discusses the kernel's net_device abstraction, its interfaces, and how net-devices interact with the network stack. The talk covers many of the software network devices that exist in the Linux kernel, the functionalities they provide and some interesting use cases.
Speaker:
Shmulik Ladkani is a Tech Lead at Ravello Systems.
Shmulik started his career at Jungo (acquired by NDS/Cisco) implementing residential gateway software, focusing on embedded Linux, Linux kernel, networking and hardware/software integration.
51966 coffees and billions of forwarded packets later, with millions of homes running his software, Shmulik left his position as Jungo’s lead architect and joined Ravello Systems (acquired by Oracle) as tech lead, developing a virtual data center as a cloud service. He's now focused around virtualization systems, network virtualization and SDN.
Zero Trust Network Access 
Zero Trust Network Access Er. Ajay Sirsat 1. Zero Trust Network Access (ZTNA) is a security model that provides secure remote access to applications and services based on defined access policies, unlike VPNs which grant complete network access. 2. ZTNA gives users access only to approved services without placing them on the network or exposing apps to the internet. 3. The document discusses the principles and methodology of ZTNA, including continuous authentication, authorization for every interaction, microsegmentation, and least privilege access.
Zero Trust Model Presentation
Zero Trust Model PresentationGowdhaman Jothilingam This document discusses Zero Trust security and how to implement a Zero Trust network architecture. It begins with an overview of Zero Trust and why it is important given limitations of traditional perimeter-based networks. It then covers the basic components of a Zero Trust network, including an identity provider, device directory, policy evaluation service, and access proxy. The document provides guidance on designing a Zero Trust architecture by starting with questions about users, applications, conditions for access, and corresponding controls. Specific conditions discussed include user/device attributes as well as device health and identity. Benefits of the Zero Trust model include conditional access, preventing lateral movement, and increased productivity.
LinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking WalkthroughThomas Graf This presentation features a walk through the Linux kernel networking stack for users and developers. It will cover insights into both, existing essential networking features and recent developments and will show how to use them properly. Our starting point is the network card driver as it feeds a packet into the stack. We will follow the packet as it traverses through various subsystems such as packet filtering, routing, protocol stacks, and the socket layer. We will pause here and there to look into concepts such as networking namespaces, segmentation offloading, TCP small queues, and low latency polling and will discuss how to configure them.
Linux Network Stack
Linux Network StackAdrien Mahieux - The document discusses Linux network stack monitoring and configuration. It begins with definitions of key concepts like RSS, RPS, RFS, LRO, GRO, DCA, XDP and BPF.
- It then provides an overview of how the network stack works from the hardware interrupts and driver level up through routing, TCP/IP and to the socket level.
- Monitoring tools like ethtool, ftrace and /proc/interrupts are described for viewing hardware statistics, software stack traces and interrupt information.
Guardicore - Shrink Your Attack Surface with Micro-Segmentation
Guardicore - Shrink Your Attack Surface with Micro-SegmentationCSNP 1) The document discusses micro-segmentation as a better strategy than traditional network segmentation approaches for securing hybrid cloud environments. It argues micro-segmentation provides better visibility, faster deployment, and flexibility compared to VLANs.
2) Various use cases are presented where software-defined segmentation was able to simplify and accelerate compliance efforts for critical applications like SWIFT and PCI in complex, multi-cloud environments.
3) Guardicore is introduced as a company providing software-defined segmentation to securely protect critical assets across on-premises and cloud environments through a simple and intuitive centralized management platform.
Zero Trust Model
Zero Trust ModelYash 1) Zero Trust is a security model that does not inherently trust anything inside or outside its perimeter and instead verifies anything and everything trying to connect to its systems before granting access.
2) Traditional security models rely on physical or logical network boundaries to define what is trusted, but this is ineffective as users and devices can no longer be trusted once inside these boundaries.
3) The core tenants of Zero Trust include secure all communication, grant least permission, grant access to single resources at a time, make access policies dynamic, collect and use data to improve security, monitor assets, and periodically re-evaluate trust.
Faster packet processing in Linux: XDP
Faster packet processing in Linux: XDPDaniel T. Lee SOSCON 2019.10.17
What are the methods for packet processing on Linux? And how fast are each packet processing methods? In this presentation, we will learn how to handle packets on Linux (User space, socket filter, netfilter, tc), and compare performance with analysis of where each packet processing is done in the network stack (hook point). Also, we will discuss packet processing using XDP, an in-kernel fast-path recently added to the Linux kernel. eXpress Data Path (XDP) is a high-performance programmable network data-path within the Linux kernel. The XDP is located at the lowest level of access through SW in the network stack, the point at which driver receives the packet. By using the eBPF infrastructure at this hook point, the network stack can be expanded without modifying the kernel.
Daniel T. Lee (Hoyeon Lee)
@danieltimlee
Daniel T. Lee currently works as Software Engineer at Kosslab and contributing to Linux kernel BPF project. He has interest in cloud, Linux networking, and tracing technologies, and likes to analyze the kernel's internal using BPF technology.
The linux networking architecture
The linux networking architecturehugo lu The document discusses Linux networking architecture and covers several key topics in 3 paragraphs or less:
It first describes the basic structure and layers of the Linux networking stack including the network device interface, network layer protocols like IP, transport layer, and sockets. It then discusses how network packets are managed in Linux through the use of socket buffers and associated functions. The document also provides an overview of the data link layer and protocols like Ethernet, PPP, and how they are implemented in Linux.
DevConf 2014 Kernel Networking Walkthrough
DevConf 2014 Kernel Networking WalkthroughThomas Graf This presentation features a walk through the Linux kernel networking stack covering the essentials and recent developments a developer needs to know. Our starting point is the network card driver as it feeds a packet into the stack. We will follow the packet as it traverses through various subsystems such as packet filtering, routing, protocol stacks, and the socket layer. We will pause here and there to look into concepts such as segmentation offloading, TCP small queues, and low latency polling. We will cover APIs exposed by the kernel that go beyond use of write()/read() on sockets and will look into how they are implemented on the kernel side.
introduction to linux kernel tcp/ip ptocotol stack 
introduction to linux kernel tcp/ip ptocotol stack monad bobo This document provides an introduction and overview of the networking code in the Linux kernel source tree. It discusses the different layers including link (L2), network (L3), and transport (L4) layers. It describes the input and output processing, device interfaces, traffic directions, and major developers for each layer. Config and benchmark tools are also mentioned. Resources for further learning about the Linux kernel networking code are provided at the end.
Linux Linux Traffic Control
Linux Linux Traffic ControlSUSE Labs Taipei Linux Traffic Control allows administrators to control network traffic through mechanisms like shaping, scheduling, classifying, policing, dropping and marking. It uses components like queuing disciplines (qdiscs), classes, filters, and actions. The tc command can be used to configure these components by adding, changing or deleting traffic control settings on network interfaces.
Understanding DPDK
Understanding DPDKDenys Haryachyy 1. DPDK achieves high throughput packet processing on commodity hardware by reducing kernel overhead through techniques like polling, huge pages, and userspace drivers.
2. In Linux, packet processing involves expensive operations like system calls, interrupts, and data copying between kernel and userspace. DPDK avoids these by doing all packet processing in userspace.
3. DPDK uses techniques like isolating cores for packet I/O threads, lockless ring buffers, and NUMA awareness to further optimize performance. It can achieve throughput of over 14 million packets per second on 10GbE interfaces.
The TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux KernelDivye Kapoor The document discusses various data structures and functions related to network packet processing in the Linux kernel socket layer. It describes the sk_buff structure that is used to pass packets between layers. It also explains the net_device structure that represents a network interface in the kernel. When a packet is received, the interrupt handler will raise a soft IRQ for processing. The packet will then traverse various protocol layers like IP and TCP to be eventually delivered to a socket and read by a userspace application.
Linux Networking Explained
Linux Networking ExplainedThomas Graf Linux offers an extensive selection of programmable and configurable networking components from traditional bridges, encryption, to container optimized layer 2/3 devices, link aggregation, tunneling, several classification and filtering languages all the way up to full SDN components. This talk will provide an overview of many Linux networking components covering the Linux bridge, IPVLAN, MACVLAN, MACVTAP, Bonding/Team, OVS, classification & queueing, tunnel types, hidden routing tricks, IPSec, VTI, VRF and many others.
BPF Internals (eBPF)
BPF Internals (eBPF)Brendan Gregg USENIX LISA2021 talk by Brendan Gregg (https://www.youtube.com/watch?v=_5Z2AU7QTH4). This talk is a deep dive that describes how BPF (eBPF) works internally on Linux, and dissects some modern performance observability tools. Details covered include the kernel BPF implementation: the verifier, JIT compilation, and the BPF execution environment; the BPF instruction set; different event sources; and how BPF is used by user space, using bpftrace programs as an example. This includes showing how bpftrace is compiled to LLVM IR and then BPF bytecode, and how per-event data and aggregated map data are fetched from the kernel.
Ovs dpdk hwoffload way to full offload
Ovs dpdk hwoffload way to full offloadKevin Traynor This document discusses hardware offloading of VXLAN encapsulation and decapsulation in OVS-DPDK. It proposes representing virtual ports (vPorts) as tables to enable hardware offloading of VXLAN processing. Matching and actions on the vPort table would occur in hardware before decapsulation. Fallback processing using software would be used if full hardware offloading is not possible. The goal is to leverage intelligent NIC capabilities to accelerate VXLAN tunnel processing and improve performance for cloud, NFV, and storage workloads.
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDPThomas Graf This talk will start with a deep dive and hands on examples of BPF, possibly the most promising low level technology to address challenges in application and network security, tracing, and visibility. We will discuss how BPF evolved from a simple bytecode language to filter raw sockets for tcpdump to the a JITable virtual machine capable of universally extending and instrumenting both the Linux kernel and user space applications. The introduction is followed by a concrete example of how the Cilium open source project applies BPF to solve networking, security, and load balancing for highly distributed applications. We will discuss and demonstrate how Cilium with the help of BPF can be combined with distributed system orchestration such as Docker to simplify security, operations, and troubleshooting of distributed applications.
Debug dpdk process bottleneck & painpoints
Debug dpdk process bottleneck & painpointsVipin Varghese generic step by step debug and troubleshoot for performance and functional issues found commonly in packet processing with DPDK.
Building Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCKernel TLV eBPF (Extended Berkeley Packet Filter) is an in-kernel virtual machine that allows running user-supplied sandboxed programs inside of the kernel. It is especially well-suited to network programs and it's possible to write programs that filter traffic, classify traffic and perform high-performance custom packet processing.
BCC (BPF Compiler Collection) is a toolkit for creating efficient kernel tracing and manipulation programs. It makes use of eBPF.
BCC provides an end-to-end workflow for developing eBPF programs and supplies Python bindings, making eBPF programs much easier to write.
Together, eBPF and BCC allow you to develop and deploy network functions safely and easily, focusing on your application logic (instead of kernel datapath integration).
In this session, we will introduce eBPF and BCC, explain how to implement a network function using BCC, discuss some real-life use-cases and show a live demonstration of the technology.
About the speaker
Shmulik Ladkani, Chief Technology Officer at Meta Networks,
Long time network veteran and kernel geek.
Shmulik started his career at Jungo (acquired by NDS/Cisco) implementing residential gateway software, focusing on embedded Linux, Linux kernel, networking and hardware/software integration.
Some billions of forwarded packets later, Shmulik left his position as Jungo's lead architect and joined Ravello Systems (acquired by Oracle) as tech lead, developing a virtual data center as a cloud-based service, focusing around virtualization systems, network virtualization and SDN.
Recently he co-founded Meta Networks where he's been busy architecting secure, multi-tenant, large-scale network infrastructure as a cloud-based service.
Intel DPDK Step by Step instructions
Intel DPDK Step by Step instructionsHisaki Ohara The document provides step-by-step instructions for building and running Intel DPDK sample applications on a test environment with 3 virtual machines connected by 10G NICs. It describes compiling and running the helloworld, L2 forwarding, and L3 forwarding applications, as well as using the pktgen tool for packet generation between VMs to test forwarding performance. Key steps include preparing the Linux kernel for DPDK, compiling applications, configuring ports and MAC addresses, and observing packet drops to identify performance bottlenecks.
Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)Andriy Berestovskyy This presentation introduces Data Plane Development Kit overview and basics. It is a part of a Network Programming Series.
First, the presentation focuses on the network performance challenges on the modern systems by comparing modern CPUs with modern 10 Gbps ethernet links. Then it touches memory hierarchy and kernel bottlenecks.
The following part explains the main DPDK techniques, like polling, bursts, hugepages and multicore processing.
DPDK overview explains how is the DPDK application is being initialized and run, touches lockless queues (rte_ring), memory pools (rte_mempool), memory buffers (rte_mbuf), hashes (rte_hash), cuckoo hashing, longest prefix match library (rte_lpm), poll mode drivers (PMDs) and kernel NIC interface (KNI).
At the end, there are few DPDK performance tips.
Tags: access time, burst, cache, dpdk, driver, ethernet, hub, hugepage, ip, kernel, lcore, linux, memory, pmd, polling, rss, softswitch, switch, userspace, xeon
Dpdk performance
Dpdk performanceStephen Hemminger FOSDEM15 SDN developer room talk
DPDK performance
How to not just do a demo with DPDK
The Intel DPDK provides a platform for building high performance Network Function Virtualization applications. But it is hard to get high performance unless certain design tradeoffs are made. This talk focuses on the lessons learned in creating the Brocade vRouter using DPDK. It covers some of the architecture, locking and low level issues that all have to be dealt with to achieve 80 Million packets per second forwarding.
DPDK & Layer 4 Packet Processing
DPDK & Layer 4 Packet ProcessingMichelle Holley Learn about Transport Layer Development Kit and let us accelerate beyond the Layer 2/Layer 3.
Author: Muthurajan (M Jay) Jayakumar
SIP Attack Handling (Kamailio World 2021)
SIP Attack Handling (Kamailio World 2021)Fred Posner This document discusses SIP attack handling in Kamailio. It provides an overview of common SIP attacks like denial of service and examples of attack traffic. It then outlines several Kamailio modules that can help mitigate attacks, including PIKE for rate limiting, SECFILTER for blocking lists, and HTABLE for temporary blocking. The document also discusses Kamailio configuration options for attack handling using these modules as well as other techniques like Fail2Ban, iptables-api, and APIBAN for sharing block lists.
eBPF maps 101
eBPF maps 101SUSE Labs Taipei The document provides an overview of eBPF maps and how they can be used to share data between eBPF programs running in the kernel and userspace applications. It describes how maps are created via the BPF syscall using the BPF_MAP_CREATE command. It also explains how keys and values can be looked up, updated, and deleted from maps using commands like BPF_MAP_LOOKUP_ELEM, BPF_MAP_UPDATE_ELEM, and BPF_MAP_DELETE_ELEM. Finally, it lists the different types of eBPF maps available.
BPF: Tracing and more
BPF: Tracing and moreBrendan Gregg Video: https://www.youtube.com/watch?v=JRFNIKUROPE . Talk for linux.conf.au 2017 (LCA2017) by Brendan Gregg, about Linux enhanced BPF (eBPF). Abstract:
A world of new capabilities is emerging for the Linux 4.x series, thanks to enhancements that have been included in Linux for to Berkeley Packet Filter (BPF): an in-kernel virtual machine that can execute user space-defined programs. It is finding uses for security auditing and enforcement, enhancing networking (including eXpress Data Path), and performance observability and troubleshooting. Many new open source tools that have been written in the past 12 months for performance analysis that use BPF. Tracing superpowers have finally arrived for Linux!
For its use with tracing, BPF provides the programmable capabilities to the existing tracing frameworks: kprobes, uprobes, and tracepoints. In particular, BPF allows timestamps to be recorded and compared from custom events, allowing latency to be studied in many new places: kernel and application internals. It also allows data to be efficiently summarized in-kernel, including as histograms. This has allowed dozens of new observability tools to be developed so far, including measuring latency distributions for file system I/O and run queue latency, printing details of storage device I/O and TCP retransmits, investigating blocked stack traces and memory leaks, and a whole lot more.
This talk will summarize BPF capabilities and use cases so far, and then focus on its use to enhance Linux tracing, especially with the open source bcc collection. bcc includes BPF versions of old classics, and many new tools, including execsnoop, opensnoop, funcccount, ext4slower, and more (many of which I developed). Perhaps you'd like to develop new tools, or use the existing tools to find performance wins large and small, especially when instrumenting areas that previously had zero visibility. I'll also summarize how we intend to use these new capabilities to enhance systems analysis at Netflix.
True stories on the analysis of network activity using Python
True stories on the analysis of network activity using Pythondelimitry The document discusses network packet analysis using Python. It provides an overview of network analysis tools like Wireshark and tcpdump, and how to use them to analyze network traffic captured in a pcap file. It also discusses how to create and send network packets using Scapy for tasks like port scanning, and how to filter network traffic using IPv4/IPv6 packet filters like iptables. The document provides examples of summarizing pcap data and crafting network packets for various protocols.
Complete squid & firewall configuration. plus easy mac binding
Complete squid & firewall configuration. plus easy mac bindingChanaka Lasantha 1. The document details the configuration of a transparent SQUID Linux firewall to cache and filter internet traffic for internal clients. Key steps include installing and configuring Squid, setting up IP forwarding, configuring iptables firewall rules, and binding MAC addresses to IP addresses in Squid for access control.
Ad
More Related Content
What's hot (20)
Faster packet processing in Linux: XDP
Faster packet processing in Linux: XDPDaniel T. Lee SOSCON 2019.10.17
What are the methods for packet processing on Linux? And how fast are each packet processing methods? In this presentation, we will learn how to handle packets on Linux (User space, socket filter, netfilter, tc), and compare performance with analysis of where each packet processing is done in the network stack (hook point). Also, we will discuss packet processing using XDP, an in-kernel fast-path recently added to the Linux kernel. eXpress Data Path (XDP) is a high-performance programmable network data-path within the Linux kernel. The XDP is located at the lowest level of access through SW in the network stack, the point at which driver receives the packet. By using the eBPF infrastructure at this hook point, the network stack can be expanded without modifying the kernel.
Daniel T. Lee (Hoyeon Lee)
@danieltimlee
Daniel T. Lee currently works as Software Engineer at Kosslab and contributing to Linux kernel BPF project. He has interest in cloud, Linux networking, and tracing technologies, and likes to analyze the kernel's internal using BPF technology.
The linux networking architecture
The linux networking architecturehugo lu The document discusses Linux networking architecture and covers several key topics in 3 paragraphs or less:
It first describes the basic structure and layers of the Linux networking stack including the network device interface, network layer protocols like IP, transport layer, and sockets. It then discusses how network packets are managed in Linux through the use of socket buffers and associated functions. The document also provides an overview of the data link layer and protocols like Ethernet, PPP, and how they are implemented in Linux.
DevConf 2014 Kernel Networking Walkthrough
DevConf 2014 Kernel Networking WalkthroughThomas Graf This presentation features a walk through the Linux kernel networking stack covering the essentials and recent developments a developer needs to know. Our starting point is the network card driver as it feeds a packet into the stack. We will follow the packet as it traverses through various subsystems such as packet filtering, routing, protocol stacks, and the socket layer. We will pause here and there to look into concepts such as segmentation offloading, TCP small queues, and low latency polling. We will cover APIs exposed by the kernel that go beyond use of write()/read() on sockets and will look into how they are implemented on the kernel side.
introduction to linux kernel tcp/ip ptocotol stack
introduction to linux kernel tcp/ip ptocotol stack monad bobo This document provides an introduction and overview of the networking code in the Linux kernel source tree. It discusses the different layers including link (L2), network (L3), and transport (L4) layers. It describes the input and output processing, device interfaces, traffic directions, and major developers for each layer. Config and benchmark tools are also mentioned. Resources for further learning about the Linux kernel networking code are provided at the end.
Linux Linux Traffic Control
Linux Linux Traffic ControlSUSE Labs Taipei Linux Traffic Control allows administrators to control network traffic through mechanisms like shaping, scheduling, classifying, policing, dropping and marking. It uses components like queuing disciplines (qdiscs), classes, filters, and actions. The tc command can be used to configure these components by adding, changing or deleting traffic control settings on network interfaces.
Understanding DPDK
Understanding DPDKDenys Haryachyy 1. DPDK achieves high throughput packet processing on commodity hardware by reducing kernel overhead through techniques like polling, huge pages, and userspace drivers.
2. In Linux, packet processing involves expensive operations like system calls, interrupts, and data copying between kernel and userspace. DPDK avoids these by doing all packet processing in userspace.
3. DPDK uses techniques like isolating cores for packet I/O threads, lockless ring buffers, and NUMA awareness to further optimize performance. It can achieve throughput of over 14 million packets per second on 10GbE interfaces.
The TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux KernelDivye Kapoor The document discusses various data structures and functions related to network packet processing in the Linux kernel socket layer. It describes the sk_buff structure that is used to pass packets between layers. It also explains the net_device structure that represents a network interface in the kernel. When a packet is received, the interrupt handler will raise a soft IRQ for processing. The packet will then traverse various protocol layers like IP and TCP to be eventually delivered to a socket and read by a userspace application.
Linux Networking Explained
Linux Networking ExplainedThomas Graf Linux offers an extensive selection of programmable and configurable networking components from traditional bridges, encryption, to container optimized layer 2/3 devices, link aggregation, tunneling, several classification and filtering languages all the way up to full SDN components. This talk will provide an overview of many Linux networking components covering the Linux bridge, IPVLAN, MACVLAN, MACVTAP, Bonding/Team, OVS, classification & queueing, tunnel types, hidden routing tricks, IPSec, VTI, VRF and many others.
BPF Internals (eBPF)
BPF Internals (eBPF)Brendan Gregg USENIX LISA2021 talk by Brendan Gregg (https://www.youtube.com/watch?v=_5Z2AU7QTH4). This talk is a deep dive that describes how BPF (eBPF) works internally on Linux, and dissects some modern performance observability tools. Details covered include the kernel BPF implementation: the verifier, JIT compilation, and the BPF execution environment; the BPF instruction set; different event sources; and how BPF is used by user space, using bpftrace programs as an example. This includes showing how bpftrace is compiled to LLVM IR and then BPF bytecode, and how per-event data and aggregated map data are fetched from the kernel.
Ovs dpdk hwoffload way to full offload
Ovs dpdk hwoffload way to full offloadKevin Traynor This document discusses hardware offloading of VXLAN encapsulation and decapsulation in OVS-DPDK. It proposes representing virtual ports (vPorts) as tables to enable hardware offloading of VXLAN processing. Matching and actions on the vPort table would occur in hardware before decapsulation. Fallback processing using software would be used if full hardware offloading is not possible. The goal is to leverage intelligent NIC capabilities to accelerate VXLAN tunnel processing and improve performance for cloud, NFV, and storage workloads.
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDPThomas Graf This talk will start with a deep dive and hands on examples of BPF, possibly the most promising low level technology to address challenges in application and network security, tracing, and visibility. We will discuss how BPF evolved from a simple bytecode language to filter raw sockets for tcpdump to the a JITable virtual machine capable of universally extending and instrumenting both the Linux kernel and user space applications. The introduction is followed by a concrete example of how the Cilium open source project applies BPF to solve networking, security, and load balancing for highly distributed applications. We will discuss and demonstrate how Cilium with the help of BPF can be combined with distributed system orchestration such as Docker to simplify security, operations, and troubleshooting of distributed applications.
Debug dpdk process bottleneck & painpoints
Debug dpdk process bottleneck & painpointsVipin Varghese generic step by step debug and troubleshoot for performance and functional issues found commonly in packet processing with DPDK.
Building Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCKernel TLV eBPF (Extended Berkeley Packet Filter) is an in-kernel virtual machine that allows running user-supplied sandboxed programs inside of the kernel. It is especially well-suited to network programs and it's possible to write programs that filter traffic, classify traffic and perform high-performance custom packet processing.
BCC (BPF Compiler Collection) is a toolkit for creating efficient kernel tracing and manipulation programs. It makes use of eBPF.
BCC provides an end-to-end workflow for developing eBPF programs and supplies Python bindings, making eBPF programs much easier to write.
Together, eBPF and BCC allow you to develop and deploy network functions safely and easily, focusing on your application logic (instead of kernel datapath integration).
In this session, we will introduce eBPF and BCC, explain how to implement a network function using BCC, discuss some real-life use-cases and show a live demonstration of the technology.
About the speaker
Shmulik Ladkani, Chief Technology Officer at Meta Networks,
Long time network veteran and kernel geek.
Shmulik started his career at Jungo (acquired by NDS/Cisco) implementing residential gateway software, focusing on embedded Linux, Linux kernel, networking and hardware/software integration.
Some billions of forwarded packets later, Shmulik left his position as Jungo's lead architect and joined Ravello Systems (acquired by Oracle) as tech lead, developing a virtual data center as a cloud-based service, focusing around virtualization systems, network virtualization and SDN.
Recently he co-founded Meta Networks where he's been busy architecting secure, multi-tenant, large-scale network infrastructure as a cloud-based service.
Intel DPDK Step by Step instructions
Intel DPDK Step by Step instructionsHisaki Ohara The document provides step-by-step instructions for building and running Intel DPDK sample applications on a test environment with 3 virtual machines connected by 10G NICs. It describes compiling and running the helloworld, L2 forwarding, and L3 forwarding applications, as well as using the pktgen tool for packet generation between VMs to test forwarding performance. Key steps include preparing the Linux kernel for DPDK, compiling applications, configuring ports and MAC addresses, and observing packet drops to identify performance bottlenecks.
Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)Andriy Berestovskyy This presentation introduces Data Plane Development Kit overview and basics. It is a part of a Network Programming Series.
First, the presentation focuses on the network performance challenges on the modern systems by comparing modern CPUs with modern 10 Gbps ethernet links. Then it touches memory hierarchy and kernel bottlenecks.
The following part explains the main DPDK techniques, like polling, bursts, hugepages and multicore processing.
DPDK overview explains how is the DPDK application is being initialized and run, touches lockless queues (rte_ring), memory pools (rte_mempool), memory buffers (rte_mbuf), hashes (rte_hash), cuckoo hashing, longest prefix match library (rte_lpm), poll mode drivers (PMDs) and kernel NIC interface (KNI).
At the end, there are few DPDK performance tips.
Tags: access time, burst, cache, dpdk, driver, ethernet, hub, hugepage, ip, kernel, lcore, linux, memory, pmd, polling, rss, softswitch, switch, userspace, xeon
Dpdk performance
Dpdk performanceStephen Hemminger FOSDEM15 SDN developer room talk
DPDK performance
How to not just do a demo with DPDK
The Intel DPDK provides a platform for building high performance Network Function Virtualization applications. But it is hard to get high performance unless certain design tradeoffs are made. This talk focuses on the lessons learned in creating the Brocade vRouter using DPDK. It covers some of the architecture, locking and low level issues that all have to be dealt with to achieve 80 Million packets per second forwarding.
DPDK & Layer 4 Packet Processing
DPDK & Layer 4 Packet ProcessingMichelle Holley Learn about Transport Layer Development Kit and let us accelerate beyond the Layer 2/Layer 3.
Author: Muthurajan (M Jay) Jayakumar
SIP Attack Handling (Kamailio World 2021)
SIP Attack Handling (Kamailio World 2021)Fred Posner This document discusses SIP attack handling in Kamailio. It provides an overview of common SIP attacks like denial of service and examples of attack traffic. It then outlines several Kamailio modules that can help mitigate attacks, including PIKE for rate limiting, SECFILTER for blocking lists, and HTABLE for temporary blocking. The document also discusses Kamailio configuration options for attack handling using these modules as well as other techniques like Fail2Ban, iptables-api, and APIBAN for sharing block lists.
eBPF maps 101
eBPF maps 101SUSE Labs Taipei The document provides an overview of eBPF maps and how they can be used to share data between eBPF programs running in the kernel and userspace applications. It describes how maps are created via the BPF syscall using the BPF_MAP_CREATE command. It also explains how keys and values can be looked up, updated, and deleted from maps using commands like BPF_MAP_LOOKUP_ELEM, BPF_MAP_UPDATE_ELEM, and BPF_MAP_DELETE_ELEM. Finally, it lists the different types of eBPF maps available.
BPF: Tracing and more
BPF: Tracing and moreBrendan Gregg Video: https://www.youtube.com/watch?v=JRFNIKUROPE . Talk for linux.conf.au 2017 (LCA2017) by Brendan Gregg, about Linux enhanced BPF (eBPF). Abstract:
A world of new capabilities is emerging for the Linux 4.x series, thanks to enhancements that have been included in Linux for to Berkeley Packet Filter (BPF): an in-kernel virtual machine that can execute user space-defined programs. It is finding uses for security auditing and enforcement, enhancing networking (including eXpress Data Path), and performance observability and troubleshooting. Many new open source tools that have been written in the past 12 months for performance analysis that use BPF. Tracing superpowers have finally arrived for Linux!
For its use with tracing, BPF provides the programmable capabilities to the existing tracing frameworks: kprobes, uprobes, and tracepoints. In particular, BPF allows timestamps to be recorded and compared from custom events, allowing latency to be studied in many new places: kernel and application internals. It also allows data to be efficiently summarized in-kernel, including as histograms. This has allowed dozens of new observability tools to be developed so far, including measuring latency distributions for file system I/O and run queue latency, printing details of storage device I/O and TCP retransmits, investigating blocked stack traces and memory leaks, and a whole lot more.
This talk will summarize BPF capabilities and use cases so far, and then focus on its use to enhance Linux tracing, especially with the open source bcc collection. bcc includes BPF versions of old classics, and many new tools, including execsnoop, opensnoop, funcccount, ext4slower, and more (many of which I developed). Perhaps you'd like to develop new tools, or use the existing tools to find performance wins large and small, especially when instrumenting areas that previously had zero visibility. I'll also summarize how we intend to use these new capabilities to enhance systems analysis at Netflix.
Similar to netfilter and iptables (20)
True stories on the analysis of network activity using Python
True stories on the analysis of network activity using Pythondelimitry The document discusses network packet analysis using Python. It provides an overview of network analysis tools like Wireshark and tcpdump, and how to use them to analyze network traffic captured in a pcap file. It also discusses how to create and send network packets using Scapy for tasks like port scanning, and how to filter network traffic using IPv4/IPv6 packet filters like iptables. The document provides examples of summarizing pcap data and crafting network packets for various protocols.
Complete squid & firewall configuration. plus easy mac binding
Complete squid & firewall configuration. plus easy mac bindingChanaka Lasantha 1. The document details the configuration of a transparent SQUID Linux firewall to cache and filter internet traffic for internal clients. Key steps include installing and configuring Squid, setting up IP forwarding, configuring iptables firewall rules, and binding MAC addresses to IP addresses in Squid for access control.
nftables - the evolution of Linux Firewall
nftables - the evolution of Linux FirewallMarian Marinov This document provides an overview of nftables, the new packet filtering framework that replaces iptables in the Linux kernel. It discusses the history and predecessors to nftables, how nftables works, key differences from iptables like its more flexible table and chain configuration, and examples of basic nftables rulesets. It also covers topics like matches, jumps, load balancing performance, and kernel configuration options for nftables.
Comparing On-The-Fly Accelerating Packages: Numba, TensorFlow, Dask, etc
Comparing On-The-Fly Accelerating Packages: Numba, TensorFlow, Dask, etcYukio Okuda Accelerate CPU bound codes of Python by on-the-fly packages with multi-cores and GPGPU.
Thread safe and GIL safe are discussed for error-free coding.
Specializing the Data Path - Hooking into the Linux Network Stack
Specializing the Data Path - Hooking into the Linux Network StackKernel TLV Ever needed to add your custom logic into the network stack?
Ever hacked the network stack but wasn't certain you're doing it right?
Shmulik Ladkani talks about various mechanisms for customizing packet processing logic to the network stack's data path.
He covers covering topics such as packet sockets, netfilter hooks, traffic control actions and ebpf. We will discuss their applicable use-cases, advantages and disadvantages.
Shmulik Ladkani is a Tech Lead at Ravello Systems.
Shmulik started his career at Jungo (acquired by NDS/Cisco) implementing residential gateway software, focusing on embedded Linux, Linux kernel, networking and hardware/software integration.
51966 coffees and billions of forwarded packets later, with millions of homes running his software, Shmulik left his position as Jungo’s lead architect and joined Ravello Systems (acquired by Oracle) as tech lead, developing a virtual data center as a cloud service. He's now focused around virtualization systems, network virtualization and SDN.
Getting Started With Raspberry Pi - UCSD 2013
Getting Started With Raspberry Pi - UCSD 2013Tom Paulus The document provides information to help get started with the Raspberry Pi. It recommends downloading the operating system image from the Raspberry Pi website. It then discusses setting up the SD card with the image for both Windows and Mac users. The document proceeds to provide examples of code to blink an LED using the GPIO pins and read analog sensor values using the SPI interface. It demonstrates connecting additional hardware like displays and buttons. The examples show how to smooth sensor readings and control the display. The document emphasizes cleaning up resources to avoid issues.
Debugging Ruby
Debugging RubyAman Gupta This document provides information on various debugging and profiling tools that can be used for Ruby including:
- lsof to list open files for a process
- strace to trace system calls and signals
- tcpdump to dump network traffic
- google perftools profiler for CPU profiling
- pprof to analyze profiling data
It also discusses how some of these tools have helped identify specific performance issues with Ruby like excessive calls to sigprocmask and memcpy calls slowing down EventMachine with threads.
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)Miguel Arroyo ROP (return-oriented programming) is a technique that allows executing malicious code on systems with non-executable stacks by chaining short instruction sequences ("gadgets") already present in memory. The document provides an overview of ROP, including its origins as a generalization of ret2libc attacks. It describes how ROP chains gadgets by controlling the instruction pointer to execute desired sequences ending in return instructions. Finally, it walks through a simple ROP exploit on x86 as a demonstration.
Linux+sensor+device-tree+shell=IoT !
Linux+sensor+device-tree+shell=IoT !Dobrica Pavlinušić You have one of those fruity *Pi arm boards and cheep sensor from China? Some buttons and LEDs? Do I really need to learn whole new scripting language and few web technologies to read my temperature, blink a led or toggle a relay? No, because your Linux kernel already has drivers for them and all you need is device tree and cat.
A little systemtap
A little systemtapyang bingwu This document discusses the Linux tracing tool systemtap. It provides an overview of systemtap and what it can be used for, including tracing system calls, kernel functions, and application functions. It also discusses how systemtap works, how it uses debugging symbols, and how RPMs handle separate debug information files. Several examples are given of using systemtap probes to trace requests for Nginx, cURL, Redis, MySQL, and TCP retransmissions. The document suggests systemtap can be used beyond C for tracing languages like MySQL, Python and Java.
A little systemtap
A little systemtapyang bingwu This document discusses the Linux tracing tool systemtap. It provides an overview of systemtap and what it can be used for, including tracing system calls, kernel functions, and application functions. It also discusses how systemtap works, how it uses debugging symbols, and how RPMs handle separate debug information files. Several examples are given of using systemtap probes to trace requests for Nginx, cURL, Redis, MySQL, and TCP retransmissions. The document concludes by mentioning using DTrace for other languages beyond C, such as MySQL, Python, and Java.
Ipv6 test plan for opnfv poc v2.2 spirent-vctlab
Ipv6 test plan for opnfv poc v2.2 spirent-vctlabIben Rodriguez This document outlines test plans and requirements for testing IPv6 in an OPNFV PoC v2.0 environment using OpenStack Liberty and ODL Lithium SR2. It details:
(1) Setting up an IPv6 service VM in OpenStack with ODL controller capability for IPv6 routing and address advertisement.
(2) A test design and steps for setting up infrastructure, ODL and OpenStack controllers, and compute nodes.
(3) Positive test cases to validate IPv6 and IPv4 connectivity between VMs, routers and external DNS via ping, traceroute from the VM and service VM.
(4) References for IPv6 configuration and testing in Linux.
Osol Pgsql
Osol PgsqlEmanuel Calvo This document discusses PostgreSQL and Solaris as a low-cost platform for medium to large scale critical scenarios. It provides an overview of PostgreSQL, highlighting features like MVCC, PITR, and ACID compliance. It describes how Solaris and PostgreSQL integrate well, with benefits like DTrace support, scalability on multicore/multiprocessor systems, and Solaris Cluster support. Examples are given for installing PostgreSQL on Solaris using different methods, configuring zones for isolation, using ZFS for storage, and monitoring performance with DTrace scripts.
Xdp and ebpf_maps
Xdp and ebpf_mapslcplcp1 This document discusses XDP (eXpress Data Path), a high-performance network data path that allows programs to run on the receive path of a network interface card. XDP enables packet processing using eBPF programs before packets reach the Linux networking stack. The document provides an overview of XDP and its performance advantages over other packet processing methods. It also discusses XDP's current status and support in the Linux kernel as well as example use cases and benchmarks.
Debugging Ruby Systems
Debugging Ruby SystemsEngine Yard Aman Gupta's presentation about debugging ruby systems. To view the full recording of his talk, visit: http://www.engineyard.com/video/16710570
2.1 ### uVision Project, (C) Keil Software .docx
2.1 ### uVision Project, (C) Keil Software .docxtarifarmarie 2.1
### uVision Project, (C) Keil Software
soln
0x4
ARM-ADS
6090000::V6.9::.\ARMCLANG
1
ARMCM4_FP
ARM
ARM.CMSIS.5.4.0
http://www.keil.com/pack/
IRAM(0x20000000,0x00020000) IROM(0x00000000,0x00040000) CPUTYPE("Cortex-M4") FPU2 CLOCK(12000000) ESEL ELITTLE
UL2CM3(-S0 -C0 -P0 -FD20000000 -FC1000)
0
$$Device:ARMCM4_FP$Device\ARM\ARMCM4\Include\ARMCM4_FP.h
0
0
0
0
0
0
1
.\Objects\
target_sim
1
0
0
1
1
.\Listings\
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
3
1
SARMCM3.DLL
-MPU
DCM.DLL
-pCM4
SARMCM3.DLL
-MPU
TCM.DLL
-pCM4
1
0
0
0
16
1
0
0
1
0
-1
1
BIN\UL2CM3.DLL
0
0
1
1
1
1
1
1
1
0
1
1
0
1
1
0
0
1
1
1
1
1
1
1
1
1
0
0
"Cortex-M4"
0
0
0
1
1
0
0
2
0
0
8
0
1
0
0
3
3
0
0
0
0
0
.
# peripheral registers .equ PWR_BASE0x40007000 .equ PWR_CR0x00 .docx
# peripheral registers .equ PWR_BASE0x40007000 .equ PWR_CR0x00 .docxmayank272369 # peripheral registers .equ PWR_BASE0x40007000 .equ PWR_CR0x00 .equ PWR_CR_PMODE0x4000 .equ RCC_BASE0x40023800 .equ RCC_CR0x00 .equ RCC_CR_HSEON0x00010000 .equ RCC_CR_HSERDY0x00020000 .equ RCC_CR_PLLON0x01000000 .equ RCC_CR_PLLRDY0x02000000 .equ RCC_PLLCFGR0x04 .equ PLL_M8 .equ PLL_N336 .equ PLL_P2 .equ PLL_Q7 /* PLL_VCO = (HSE_VALUE or HSI_VALUE / PLL_M) * PLL_N */ // #define PLL_M 8 // #define PLL_N 336 /* SYSCLK = PLL_VCO / PLL_P */ // #define PLL_P 2 /* USB OTG FS SDIO and RNG Clock = PLL_VCO / PLLQ */ // #define PLL_Q 7 .equ RCC_CFGR0x08 .equ RCC_CFGR_MCO1_MASK0x00600000 .equ RCC_CFGR_MCO1_HSI0x00000000 .equ RCC_CFGR_MCO1_LSI0x00200000 .equ RCC_CFGR_MCO1_HSE0x00400000 .equ RCC_CFGR_MCO1_PLL0x00600000 .equ RCC_CFGR_MCO2_MASK0xC0000000 .equ RCC_CFGR_MCO2_SYSCLK0x00000000 .equ RCC_CFGR_MCO2_PLLI2S0x40000000 .equ RCC_CFGR_MCO2_HSE0x80000000 .equ RCC_CFGR_MCO2_PLL0xC0000000 .equ RCC_CFGR_MCO2_Div_10x00000000 .equ RCC_CFGR_HPRE_DIV10x00000000 .equ RCC_CFGR_PPRE2_DIV20x00008000 .equ RCC_CFGR_PPRE1_DIV40x00001400 .equ RCC_CFGR_SW0x00000003 .equ RCC_CFGR_SW_PLL0x00000002 .equ RCC_CFGR_SWS0x0000000C .equ RCC_CFGR_SWS_PLL0x00000008 .equ RCC_PLLCFGR_PLLSRC_HSE0x00400000 .equ RCC_CIR0x0c .equ RCC_AHB1ENR0x30 .equ RCC_AHB1ENR_GPIOA_EN0x01 .equ RCC_AHB1ENR_GPIOB_EN0x02 .equ RCC_AHB1ENR_GPIOC_EN0x04 .equ RCC_AHB1ENR_GPIOD_EN0x08 .equ RCC_AHB1ENR_GPIOE_EN0x10 .equ RCC_APB1ENR0x40 .equ RCC_APB1ENR_PWREN0x10000000 .equ FLASH_BASE0x08000000 .equ FLASH_R_BASE0x40023c00 .equ FLASH_ACR0x00 .equ FLASH_ACR_ICEN0x00000200 .equ FLASH_ACR_DCEN0x00000400 .equ FLASH_ACR_LATENCY_5WS0x00000005 .equ VECT_TAB_OFFSET0x00 .equ SCB_BASE0xE000ED00 .equ SCB_VTOR0x08 .equ GPIOA_BASE0x40020000 .equ GPIOB_BASE0x40020400 .equ GPIOC_BASE0x40020800 .equ GPIOD_BASE0x40020C00 .equ GPIOE_BASE0x40021000 .equ GPIO_MODER0x00 .equ GPIO_MODER_IN0b00 .equ GPIO_MODER_OUT0b01 .equ GPIO_MODER_AF0b10 .equ GPIO_MODER_ANALOG0b11 .equ GPIO_OTYPER0x04 .equ GPIO_OTYPER_PP0b00 .equ GPIO_OTYPER_OD0b01 .equ GPIO_OSPEEDR0x08 .equ GPIO_OSPEEDR_LS0b00 .equ GPIO_OSPEEDR_MS0b01 .equ GPIO_OSPEEDR_FS0b10 .equ GPIO_OSPEEDR_HS0b11 .equ GPIO_PUPDR0x0c .equ GPIO_PUPDR_NOPUP0b00 .equ GPIO_PUPDR_PUP0b01 .equ GPIO_PUPDR_PDOWN0b10 .equ GPIO_IDR0x10 .equ GPIO_ODR0x14 .equ SYST_BASE0xE000E010 .equ SYST_CSR0x0 .equ SYST_RVR0x4 .equ SYST_CVR0x8 .equ SYST_CALIB0xC .equ SYST_RVR_MASK0x00ffffff .equ SYST_CSR_CLKSOURCE0x00000004 .equ SYST_CSR_TICKINT0x00000002 .equ SYST_CSR_ENABLE0x00000001
// file: rcc.s
.syntax unified
.thumb
.include "src/periph_regs.inc"
.text
.align 2
.global rcc_gpio_enable
.thumb_func
...
Cisco CCNA IP SLA with tracking configuration
Cisco CCNA IP SLA with tracking configurationHamed Moghaddam Cisco CCNA/CCNP Training/Exam Tips that are helpful for your Certification Exam!
To be Cisco Certified please Check out:
http://asmed.com/information-technology-it/
Linux networking
Linux networkingArie Bregman This document provides an overview of a presentation on Linux networking. The agenda includes topics like ARP, interface manipulation, network troubleshooting, routing, network bonding, network namespaces, kernel network parameters, and interview questions. It notes that the presentation will demonstrate over 30 commands related to networking and that there are often multiple ways to solve exercises. It encourages asking questions to aid learning.
Ad
More from Kernel TLV (20)
DPDK In Depth
DPDK In DepthKernel TLV DPDK in depth
This document provides an overview of DPDK (Data Plane Development Kit):
1. DPDK is an open source project for data plane programming and network acceleration. It started at Intel in 2010 and is now maintained by the Linux Foundation.
2. DPDK provides poll mode drivers (PMDs), libraries, and sample applications for fast packet processing. It uses hugepages and avoids kernel involvement for high performance.
3. The document outlines several DPDK projects, libraries, PMDs, advantages and disadvantages, development process, and demonstrates a simple DPDK application (l2fwd) and the testpmd tool.
SGX Trusted Execution Environment
SGX Trusted Execution EnvironmentKernel TLV Intel trusted execution environment, SGX, offers an attractive solution for protecting one's private data in the public cloud environment, even in the presence of a malicious OS or VMM.
In this talk, we will:
* explore how SGX mitigates various attack surfaces and the caveats of naively using the technology to protect applications,
* discuss the performance implications of SGX on common applications and understand the new bottlenecks created by SGX, which may lead to a 5X performance degradation.
* describe an optimized SGX interface, HotCalls, that provides a 13-27x speedup compared to the built-in mechanism supplied by the SGX SDK.
* discuss how it is possible for the OS to manage secure memory without having access to it.
* explore various attack surfaces and published attacks which require collusion with the OS. Specifically, page-fault and page-fault-less “controlled channel attacks”, branch-shadowing attacks and potential mitigations.
Ofir Weisse is a Researcher PhD Student at University of Michigan.
Video available at: https://www.youtube.com/watch?v=I3TCctdnOEc
Fun with FUSE
Fun with FUSEKernel TLV Dima Krasner talks about FUSE, Filesystem in Userspace, its pros and cons, usage, tips and tricks, and more.
Dima is a senior developer at Sam Seamless Network.
Kernel Proc Connector and Containers
Kernel Proc Connector and ContainersKernel TLV Elad Wexler talks about the Proc Connector with regards to containers, shows it isn't supported inside a docker container and how it can be supported.
Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545Kernel TLV Nadav Markus goes over the path from a simple crash POC provided by Google Project Zero (for CVE-2015-7547), to a fully weaponized exploit.
He explores how an attacker can utilize the behavior of the Linux kernel in order to bypass ASLR, allowing an attacker to remotely execute code on vulnerable targets.
Present Absence of Linux Filesystem Security
Present Absence of Linux Filesystem SecurityKernel TLV "Present Absence - A character who does not appear for much of or all of the plot, but whose absence is most significant."
Linux filesystem security had appeared before security was an issue. It stagnated for a long time, while the world changed.
A look from the trenches on what is there, what the problems are and what is missing.
Older than he looks, Philip Derbeko has been programming for over 20 years.
He was using Linux since days of Slackware 3.0 with kernel 2.0
Most of the years worked on storage, security systems and machine learning.
Currently, develops and herds a team of Linux, OS X and Windows kernel developers at enSilo.
YouTube: https://www.youtube.com/watch?v=IC-Uf96aUj4
OpenWrt From Top to Bottom
OpenWrt From Top to BottomKernel TLV OpenWrt is a Linux distribution for embedded systems that runs on many routers and networking devices today. In this session we'll talk about OpenWrt's origins, architecture and get down to building apps for the platform.
Along the way we will touch on some basic firmware concepts and at last present the final working OpenWrt router and its capabilities.
Anton Lerner, Architect at Sitaro, computer geek, developer and occasional maker.
Sitaro provides total cyber protection for small business and home networks. Sitaro prevents massive scale IoT cyber attacks.
Find out more information in the meetup event page - https://www.meetup.com/Tel-Aviv-Yafo-Linux-Kernel-Meetup/events/245319189/
Make Your Containers Faster: Linux Container Performance Tools
Make Your Containers Faster: Linux Container Performance ToolsKernel TLV If you look under the hood, Linux containers are just processes with some isolation features and resource quotas sprinkled on top. In this talk, we will apply modern Linux performance tools to container analysis: get high-level resource utilization on running containers with docker stats, htop, and nsenter; dig into high-CPU issues with perf; detect slow filesystem latency with BPF-based tools; and generate flame graphs of interesting event call stacks.
Sasha Goldshtein is the CTO of Sela Group, a Microsoft MVP and Regional Director, Pluralsight and O'Reilly author, and international consultant and trainer. Sasha is the author of two books and multiple online courses, and a prolific blogger. He is also an active open source contributor to projects focused on system diagnostics, performance monitoring, and tracing -- across multiple operating systems and runtimes. Sasha authored and delivered training courses on Linux performance optimization, event tracing, production debugging, mobile application development, and modern C++. Between his consulting engagements, Sasha speaks at international conferences world-wide.
You can find more details on the meetup page - https://www.meetup.com/Tel-Aviv-Yafo-Linux-Kernel-Meetup/events/245319189/
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...Kernel TLV In this talk, Dr. Amit Golander looks into emerging PM/NVDIMM devices, the value they bring to applications and most importantly how they revolutionize the storage stack.
In the second part, Boaz Harrosh and Shachar Sharon dive into new opportunities to develop memory-based filesystems in user space, leveraging a new open source project called ZUFS. ZUFS was presented in the last Linux Plumbers conference and unlike FUSE it focuses on delivering low latency and zero copy.
Dr. Amit Golander was the CTO of Plexistor, which developed the first enterprise-grade PM-based file system, and which was acquired earlier this year by NetApp.
Boaz Harrosh and Shachar Sharon are ZUFS maintainers and longtime Storage and Linux veterans.
File Systems: Why, How and Where
File Systems: Why, How and WhereKernel TLV Philip Derbeko presents past design decisions that influenced the design of current filesystems, takes a look at how Linux tackles those problems and compares it with other operating systems, and discusses the upcoming revolution in storage and filesystem design.
Older than he looks, Philip Derbeko has been programming for over 20 years.
He was using Linux since days of Slackware 3.0 with kernel 2.0
Most of the years worked on storage, security systems and machine learning.
Currently, develops and herds a team of Linux, OS X and Windows kernel developers at enSilo.
KernelTLV Speaker Guidelines
KernelTLV Speaker GuidelinesKernel TLV We strive to deliver quality talks in our meetups, so we wrote down some guidelines and tips for speakers.
Userfaultfd: Current Features, Limitations and Future Development
Userfaultfd: Current Features, Limitations and Future DevelopmentKernel TLV userfaultfd is a mechanism that allows user-space paging implementation. Originally designed for post-copy migration of virtual machines, it applies to different use cases, such as implementation of volatile ranges, container migration, improvement of robustness of shared memory, efficient memory snapshotting and more.
This talk covers the current status and supported features of userfaultfd, work currently in progress and future development plans.
Mike Rapoport
Mike has been hacking on the Linux kernel for over a decade. He has added his 2 cents to the mess in arch/arm, contributed to several device drivers and now he is focused on userfaultfd and CRIU.
Mike’s current position is a researcher at IBM.
The Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageKernel TLV The arrival of flash storage introduced a radical change in performance profiles of direct attached devices. At the time, it was obvious that Linux I/O stack needed to be redesigned in order to support devices capable of millions of IOPs, and with extremely low latency.
In this talk we revisit the changes the Linux block layer in the
last decade or so, that made it what it is today - a performant, scalable, robust and NUMA-aware subsystem. In addition, we cover the new NVMe over Fabrics support in Linux.
Sagi Grimberg
Sagi is Principal Architect and co-founder at LightBits Labs.
Linux Kernel Cryptographic API and Use Cases
Linux Kernel Cryptographic API and Use CasesKernel TLV The Linux kernel has a rich and modular cryptographic API that is used extensively by familiar user facing software such as Android. It's also cryptic, badly documented, subject to change and can easily bite you in unexpected and painful ways.
This talk will describe the crypto API, provide some usage example and discuss some of the more interesting in-kernel users, such as DM-Crypt, DM-Verity and the new fie system encryption code.
Gilad Ben-Yossef is a principal software engineer at ARM. He works on the kernel security sub-system and the ARM CryptCell engine. Open source work done by Gilad includes an experiment in integration of network processors in the networking stack, a patch set for reducing the interference caused to user space processes in large multi-core systems by Linux kernel “maintenance” work and on SMP support for the Synopsys Arc processor among others.
Gilad has co-authored O’Reilly’s “Building Embedded Linux Systems” 2nd edition and presented at such venues as Embedded Linux Conference Europe and the Ottawa Linux Symposium, as well as co-founded Hamakor, an Israeli NGO for the advancement for Open Source and Free Software in Israel. When not hacking on kernel code you can find Gilad meditating and making dad jokes on Twitter.
DMA Survival Guide
DMA Survival GuideKernel TLV Ramon Fried covers the following topics:
* What DMA is.
* DMA Buffer Allocations and Management.
* Cache Coherency.
* PCI and DMA.
* dmaengine Framework.
Ramon is an Embedded Linux team leader in TandemG, leading various cutting edge projects in the Linux kernel.
He has years of experience in embedded systems, operating systems and Linux kernel.
FD.IO Vector Packet Processing
FD.IO Vector Packet ProcessingKernel TLV Kirill Tsym discusses Vector Packet Processing:
* Linux Kernel data path (in short), initial design, today's situation, optimization initiatives
* Brief overview of DPDK, Netmap, etc.
* Userspace Networking projects comparison: OpenFastPath, OpenSwitch, VPP.
* Introduction to VPP: architecture, capabilities and optimization techniques.
* Basic Data Flow and introduction to vectors.
* VPP Single and Multi-thread modes.
* Router and switch for namespaces example.
* VPP L4 protocol processing - Transport Layer Development Kit.
* VPP Plugins.
Kiril is a software developer at Check Point Software Technologies, part of Next Generation Gateway and Architecture team, developing proof of concept around DPDK and FD.IO VPP. He has years of experience in software, Linux kernel and networking development and has worked for Polycom, Broadcom and Qualcomm before joining Check Point.
WiFi and the Beast
WiFi and the BeastKernel TLV In this talk, Ouri Lipner provides an introduction to the WiFi protocol and its implementations in the Linux kernel.
When not busy writing about himself in 3rd person, Ouri is a full time hacker of both cyber and kernel varieties.
Introduction to DPDK
Introduction to DPDKKernel TLV DPDK is a set of drivers and libraries that allow applications to bypass the Linux kernel and access network interface cards directly for very high performance packet processing. It is commonly used for software routers, switches, and other network applications. DPDK can achieve over 11 times higher packet forwarding rates than applications using the Linux kernel network stack alone. While it provides best-in-class performance, DPDK also has disadvantages like reduced security and isolation from standard Linux services.
FreeBSD and Drivers
FreeBSD and DriversKernel TLV Have you ever heard of FreeBSD? Probably.
Have you ever interacted with its kernel? Probably not.
In this talk, Gili Yankovitch (nyxsecuritysolutions.com) will talk about the FreeBSD operating system, its network stack and how to write network drivers for it.
The talk will cover the following topics:
* Kernel/User interation in FreeBSD
* The FreeBSD Network Stack
* Network Buffers API
* L2 and L3 Hooking
Linux Interrupts
Linux InterruptsKernel TLV In this talk Liran will discuss interrupt management in Linux, effective handling, how to defer work using tasklets, workqueues and timers. We'll learn how to handle interrupts in userspace and talk about the performance and latency aspects of each method as well as look at some examples from the kernel source.
Liran is the CTO at Mabel technology and co-founder of DiscoverSDK - Software Libraries directory and DiscoverCloud - Business Apps directory.
More than 20 years of training experience including courses in: Linux, Android, Real-time and Embedded systems, and many more.
Ad
Recently uploaded (20)
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...Lionel Briand Keynote at RAISE workshop, ICSE 2025
How to Optimize Your AWS Environment for Improved Cloud Performance
How to Optimize Your AWS Environment for Improved Cloud PerformanceThousandEyes How to Optimize Your AWS Environment for Improved Cloud Performance
Scaling GraphRAG: Efficient Knowledge Retrieval for Enterprise AI
Scaling GraphRAG: Efficient Knowledge Retrieval for Enterprise AIdanshalev If we were building a GenAI stack today, we'd start with one question: Can your retrieval system handle multi-hop logic?
Trick question, b/c most can’t. They treat retrieval as nearest-neighbor search.
Today, we discussed scaling #GraphRAG at AWS DevOps Day, and the takeaway is clear: VectorRAG is naive, lacks domain awareness, and can’t handle full dataset retrieval.
GraphRAG builds a knowledge graph from source documents, allowing for a deeper understanding of the data + higher accuracy.
Adobe Illustrator Crack FREE Download 2025 Latest Version
Adobe Illustrator Crack FREE Download 2025 Latest Versionkashifyounis067 🌍📱👉COPY LINK & PASTE ON GOOGLE http://drfiles.net/ 👈🌍
Adobe Illustrator is a powerful, professional-grade vector graphics software used for creating a wide range of designs, including logos, icons, illustrations, and more. Unlike raster graphics (like photos), which are made of pixels, vector graphics in Illustrator are defined by mathematical equations, allowing them to be scaled up or down infinitely without losing quality.
Here's a more detailed explanation:
Key Features and Capabilities:
Vector-Based Design:
Illustrator's foundation is its use of vector graphics, meaning designs are created using paths, lines, shapes, and curves defined mathematically.
Scalability:
This vector-based approach allows for designs to be resized without any loss of resolution or quality, making it suitable for various print and digital applications.
Design Creation:
Illustrator is used for a wide variety of design purposes, including:
Logos and Brand Identity: Creating logos, icons, and other brand assets.
Illustrations: Designing detailed illustrations for books, magazines, web pages, and more.
Marketing Materials: Creating posters, flyers, banners, and other marketing visuals.
Web Design: Designing web graphics, including icons, buttons, and layouts.
Text Handling:
Illustrator offers sophisticated typography tools for manipulating and designing text within your graphics.
Brushes and Effects:
It provides a range of brushes and effects for adding artistic touches and visual styles to your designs.
Integration with Other Adobe Software:
Illustrator integrates seamlessly with other Adobe Creative Cloud apps like Photoshop, InDesign, and Dreamweaver, facilitating a smooth workflow.
Why Use Illustrator?
Professional-Grade Features:
Illustrator offers a comprehensive set of tools and features for professional design work.
Versatility:
It can be used for a wide range of design tasks and applications, making it a versatile tool for designers.
Industry Standard:
Illustrator is a widely used and recognized software in the graphic design industry.
Creative Freedom:
It empowers designers to create detailed, high-quality graphics with a high degree of control and precision.
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdfTechSoup In this webinar we will dive into the essentials of generative AI, address key AI concerns, and demonstrate how nonprofits can benefit from using Microsoft’s AI assistant, Copilot, to achieve their goals.
This event series to help nonprofits obtain Copilot skills is made possible by generous support from Microsoft.
What You’ll Learn in Part 2:
Explore real-world nonprofit use cases and success stories.
Participate in live demonstrations and a hands-on activity to see how you can use Microsoft 365 Copilot in your own work!
Who Watches the Watchmen (SciFiDevCon 2025)
Who Watches the Watchmen (SciFiDevCon 2025)Allon Mureinik Tests, especially unit tests, are the developers’ superheroes. They allow us to mess around with our code and keep us safe.
We often trust them with the safety of our codebase, but how do we know that we should? How do we know that this trust is well-deserved?
Enter mutation testing – by intentionally injecting harmful mutations into our code and seeing if they are caught by the tests, we can evaluate the quality of the safety net they provide. By watching the watchmen, we can make sure our tests really protect us, and we aren’t just green-washing our IDEs to a false sense of security.
Talk from SciFiDevCon 2025
https://www.scifidevcon.com/courses/2025-scifidevcon/contents/680efa43ae4f5
Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...
Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...AxisTechnolabs Interactive Odoo Dashboard for various business needs can provide users with dynamic, visually appealing dashboards tailored to their specific requirements. such a module that could support multiple dashboards for different aspects of a business
✅Visit And Buy Now : https://bit.ly/3VojWza
✅This Interactive Odoo dashboard module allow user to create their own odoo interactive dashboards for various purpose.
App download now :
Odoo 18 : https://bit.ly/3VojWza
Odoo 17 : https://bit.ly/4h9Z47G
Odoo 16 : https://bit.ly/3FJTEA4
Odoo 15 : https://bit.ly/3W7tsEB
Odoo 14 : https://bit.ly/3BqZDHg
Odoo 13 : https://bit.ly/3uNMF2t
Try Our website appointment booking odoo app : https://bit.ly/3SvNvgU
👉Want a Demo ?📧 [email protected]
➡️Contact us for Odoo ERP Set up : 091066 49361
👉Explore more apps: https://bit.ly/3oFIOCF
👉Want to know more : 🌐 https://www.axistechnolabs.com/
#odoo #odoo18 #odoo17 #odoo16 #odoo15 #odooapps #dashboards #dashboardsoftware #odooerp #odooimplementation #odoodashboardapp #bestodoodashboard #dashboardapp #odoodashboard #dashboardmodule #interactivedashboard #bestdashboard #dashboard #odootag #odooservices #odoonewfeatures #newappfeatures #odoodashboardapp #dynamicdashboard #odooapp #odooappstore #TopOdooApps #odooapp #odooexperience #odoodevelopment #businessdashboard #allinonedashboard #odooproducts
Exploring Wayland: A Modern Display Server for the Future
Exploring Wayland: A Modern Display Server for the FutureICS Wayland is revolutionizing the way we interact with graphical interfaces, offering a modern alternative to the X Window System. In this webinar, we’ll delve into the architecture and benefits of Wayland, including its streamlined design, enhanced performance, and improved security features.
Maxon CINEMA 4D 2025 Crack FREE Download LINK
Maxon CINEMA 4D 2025 Crack FREE Download LINKyounisnoman75 ⭕️➡️ FOR DOWNLOAD LINK : http://drfiles.net/ ⬅️⭕️
Maxon Cinema 4D 2025 is the latest version of the Maxon's 3D software, released in September 2024, and it builds upon previous versions with new tools for procedural modeling and animation, as well as enhancements to particle, Pyro, and rigid body simulations. CG Channel also mentions that Cinema 4D 2025.2, released in April 2025, focuses on spline tools and unified simulation enhancements.
Key improvements and features of Cinema 4D 2025 include:
Procedural Modeling: New tools and workflows for creating models procedurally, including fabric weave and constellation generators.
Procedural Animation: Field Driver tag for procedural animation.
Simulation Enhancements: Improved particle, Pyro, and rigid body simulations.
Spline Tools: Enhanced spline tools for motion graphics and animation, including spline modifiers from Rocket Lasso now included for all subscribers.
Unified Simulation & Particles: Refined physics-based effects and improved particle systems.
Boolean System: Modernized boolean system for precise 3D modeling.
Particle Node Modifier: New particle node modifier for creating particle scenes.
Learning Panel: Intuitive learning panel for new users.
Redshift Integration: Maxon now includes access to the full power of Redshift rendering for all new subscriptions.
In essence, Cinema 4D 2025 is a major update that provides artists with more powerful tools and workflows for creating 3D content, particularly in the fields of motion graphics, VFX, and visualization.
Adobe After Effects Crack FREE FRESH version 2025
Adobe After Effects Crack FREE FRESH version 2025kashifyounis067 🌍📱👉COPY LINK & PASTE ON GOOGLE http://drfiles.net/ 👈🌍
Adobe After Effects is a software application used for creating motion graphics, special effects, and video compositing. It's widely used in TV and film post-production, as well as for creating visuals for online content, presentations, and more. While it can be used to create basic animations and designs, its primary strength lies in adding visual effects and motion to videos and graphics after they have been edited.
Here's a more detailed breakdown:
Motion Graphics:
.
After Effects is powerful for creating animated titles, transitions, and other visual elements to enhance the look of videos and presentations.
Visual Effects:
.
It's used extensively in film and television for creating special effects like green screen compositing, object manipulation, and other visual enhancements.
Video Compositing:
.
After Effects allows users to combine multiple video clips, images, and graphics to create a final, cohesive visual.
Animation:
.
It uses keyframes to create smooth, animated sequences, allowing for precise control over the movement and appearance of objects.
Integration with Adobe Creative Cloud:
.
After Effects is part of the Adobe Creative Cloud, a suite of software that includes other popular applications like Photoshop and Premiere Pro.
Post-Production Tool:
.
After Effects is primarily used in the post-production phase, meaning it's used to enhance the visuals after the initial editing of footage has been completed.
Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025mu394968 🌍📱👉COPY LINK & PASTE ON GOOGLE https://dr-kain-geera.info/👈🌍
Avast Premium Security is a paid subscription service that provides comprehensive online security and privacy protection for multiple devices. It includes features like antivirus, firewall, ransomware protection, and website scanning, all designed to safeguard against a wide range of online threats, according to Avast.
Key features of Avast Premium Security:
Antivirus: Protects against viruses, malware, and other malicious software, according to Avast.
Firewall: Controls network traffic and blocks unauthorized access to your devices, as noted by All About Cookies.
Ransomware protection: Helps prevent ransomware attacks, which can encrypt your files and hold them hostage.
Website scanning: Checks websites for malicious content before you visit them, according to Avast.
Email Guardian: Scans your emails for suspicious attachments and phishing attempts.
Multi-device protection: Covers up to 10 devices, including Windows, Mac, Android, and iOS, as stated by 2GO Software.
Privacy features: Helps protect your personal data and online privacy.
In essence, Avast Premium Security provides a robust suite of tools to keep your devices and online activity safe and secure, according to Avast.
FL Studio Producer Edition Crack 2025 Full Version
FL Studio Producer Edition Crack 2025 Full Versiontahirabibi60507 Copy & Past Link 👉👉
http://drfiles.net/
FL Studio is a Digital Audio Workstation (DAW) software used for music production. It's developed by the Belgian company Image-Line. FL Studio allows users to create and edit music using a graphical user interface with a pattern-based music sequencer.
Kubernetes_101_Zero_to_Platform_Engineer.pptx
Kubernetes_101_Zero_to_Platform_Engineer.pptxCloudScouts Presentacion de la primera sesion de Zero to Platform Engineer
Exploring Code Comprehension in Scientific Programming: Preliminary Insight...
Exploring Code Comprehension in Scientific Programming: Preliminary Insight...University of Hawai‘i at Mānoa This presentation explores code comprehension challenges in scientific programming based on a survey of 57 research scientists. It reveals that 57.9% of scientists have no formal training in writing readable code. Key findings highlight a "documentation paradox" where documentation is both the most common readability practice and the biggest challenge scientists face. The study identifies critical issues with naming conventions and code organization, noting that 100% of scientists agree readable code is essential for reproducible research. The research concludes with four key recommendations: expanding programming education for scientists, conducting targeted research on scientific code quality, developing specialized tools, and establishing clearer documentation guidelines for scientific software.
Presented at: The 33rd International Conference on Program Comprehension (ICPC '25)
Date of Conference: April 2025
Conference Location: Ottawa, Ontario, Canada
Preprint: https://arxiv.org/abs/2501.10037
How can one start with crypto wallet development.pptx
How can one start with crypto wallet development.pptxlaravinson24 This presentation is a beginner-friendly guide to developing a crypto wallet from scratch. It covers essential concepts such as wallet types, blockchain integration, key management, and security best practices. Ideal for developers and tech enthusiasts looking to enter the world of Web3 and decentralized finance.
Societal challenges of AI: biases, multilinguism and sustainability
Societal challenges of AI: biases, multilinguism and sustainabilityJordi Cabot Towards a fairer, inclusive and sustainable AI that works for everybody.
Reviewing the state of the art on these challenges and what we're doing at LIST to test current LLMs and help you select the one that works best for you
Top 10 Client Portal Software Solutions for 2025.docx
Top 10 Client Portal Software Solutions for 2025.docxPortli Discover the top 10 client portal software solutions for 2025. Streamline communication, ensure security, and enhance client experience.
Secure Test Infrastructure: The Backbone of Trustworthy Software Development
Secure Test Infrastructure: The Backbone of Trustworthy Software DevelopmentShubham Joshi A secure test infrastructure ensures that the testing process doesn’t become a gateway for vulnerabilities. By protecting test environments, data, and access points, organizations can confidently develop and deploy software without compromising user privacy or system integrity.
Meet the Agents: How AI Is Learning to Think, Plan, and Collaborate
Meet the Agents: How AI Is Learning to Think, Plan, and CollaborateMaxim Salnikov Imagine if apps could think, plan, and team up like humans. Welcome to the world of AI agents and agentic user interfaces (UI)! In this session, we'll explore how AI agents make decisions, collaborate with each other, and create more natural and powerful experiences for users.
Exploring Code Comprehension in Scientific Programming: Preliminary Insight...
Exploring Code Comprehension in Scientific Programming: Preliminary Insight...University of Hawai‘i at Mānoa
netfilter and iptables
- 6. …
- 8. ● ● ○ ○
- 11. /* * Main IP Receive routine. */ int ip_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt, struct net_device *orig) { ... return NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, net, NULL, skb, dev, NULL, ip_rcv_finish); }
- 12. /* Activate hook; either okfn or kfree_skb called, unless a hook returns NF_STOLEN (in which case, it's up to the hook to deal with the consequences). Returns -ERRNO if packet dropped. Zero means queued, stolen or accepted. */ static inline int NF_HOOK_THRESH(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk, struct sk_buff *skb, struct net_device *in, struct net_device *out, int (*okfn)(struct net *, struct sock *, struct sk_buff *), int thresh) { int ret = nf_hook_thresh(pf, hook, net, sk, skb, in, out, okfn, thresh); if (ret == 1) ret = okfn(net, sk, skb); return ret; }
- 13. int nf_register_net_hook(struct net *net, const struct nf_hook_ops *ops); int nf_register_net_hooks(struct net *net, const struct nf_hook_ops *reg, unsigned int n); int nf_register_hook(struct nf_hook_ops *reg); int nf_register_hooks(struct nf_hook_ops *reg, unsigned int n);
- 14. static struct nf_hook_ops ipv4_synproxy_ops[] = { { .hook = ipv4_synproxy_hook, .pf = NFPROTO_IPV4, .hooknum = NF_INET_LOCAL_IN, .priority = NF_IP_PRI_CONNTRACK_CONFIRM - 1, .priv = NULL, }, { .hook = ipv4_synproxy_hook, .pf = NFPROTO_IPV4, .hooknum = NF_INET_POST_ROUTING, .priority = NF_IP_PRI_CONNTRACK_CONFIRM - 1, .priv = NULL, }, };
- 15. static unsigned int ipv4_synproxy_hook(void *priv, struct sk_buff *skb, const struct nf_hook_state *nhs) { if (...) return NF_ACCEPT; ... if (...) return NF_DROP; return NF_ACCEPT; }
- 16. ● ● ● ● ●
- 17. enum { NFPROTO_UNSPEC = 0, NFPROTO_INET = 1, NFPROTO_IPV4 = 2, NFPROTO_ARP = 3, NFPROTO_NETDEV = 5, NFPROTO_BRIDGE = 7, NFPROTO_IPV6 = 10, NFPROTO_DECNET = 12, NFPROTO_NUMPROTO, };
- 19. ● ● ● ● ○ ●
- 21. ● ●
- 24. # iptables -t filter -P INPUT DROP # iptables -P OUTPUT ACCEPT # iptables -A INPUT -i lo -j ACCEPT # iptables -A INPUT -p tcp --dport 443 -j ACCEPT # iptables -A INPUT -s 40.5.6.7 -p tcp --dport 22 -j ACCEPT # iptables -A INPUT -m mark --mark 0xE -j ACCEPT
- 25. # iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 2 # iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o eth0 -j TCPMSS --set-mss 1420 # iptables -t mangle -A OUTPUT -p TCP --dport 22 -j TOS --set-tos 0x10
- 26. # iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 2.55.4.8-2.55.4.9 192.168.1.10 192.168.1.11 192.168.1.12 192.168.1.13 2.55.4.8 2.55.4.9
- 27. # iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE 192.168.1.10 192.168.1.11 192.168.1.12 192.168.1.13 2.55.4.9
- 28. # iptables -t nat -A PREROUTING -d 2.55.4.8 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10 192.168.1.10 192.168.1.11 192.168.1.12 192.168.1.13 2.55.4.8 :80 2.55.4.9
- 30. ● ● ○ ○ ●
- 31. # iptables -t filter -P INPUT DROP # iptables -P OUTPUT ACCEPT # iptables -A INPUT -i lo -j ACCEPT # iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
- 33. ● # iptables -A PREROUTING -m addrtype --dst-type MULTICAST -j DROP # iptables -A PREROUTING -m addrtype ! --dst-type LOCAL -j MARK --set-mark 2 ● # iptables -A FORWARD -m devgroup --src-group 27 -j ACCEPT ● # iptables -A FORWARD -m mark --mark 0x3/0x7 -j ACCEPT
- 34. ● // match IP packets with total length >= 256 -m u32 --u32 "0 & 0xFFFF = 0x100:0xFFFF" // TCP payload bytes 8-12 is any of 1, 2, 5 or 8 "6 & 0xFF = 6 && 0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 8 = 1,2,5,8" ● -m bpf --bytecode '4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0'
- 35. ● ● ● ● ● …
- 36. ● ● ● ●
- 37. ● ● ● ● …
- 38. # iptables -t filter -N NO-PRIVATE # iptables -A NO-PRIVATE -s 10.0.0.0/8 -j DROP # iptables -A NO-PRIVATE -s 172.16.0.0/12 -j DROP # iptables -A NO-PRIVATE -s 192.168.0.0/16 -j DROP # iptables -A INPUT -i eth0 -j NO-PRIVATE # iptables -A FORWARD -i eth0 -j NO-PRIVATE
- 39. // Calls the specified chain, continue processing in current chain if no match # iptables -A INPUT ... -j MY-CHAIN // Continue processing in the specified chain. return will not continue in current chain, but in the previous calling chain # iptables -A INPUT ... -g MY-CHAIN // Stop traversing, resume at the next rule in the previous calling chain # iptables -A MY-CHAIN ... -j RETURN
- 40. ● ● ●
- 44. ● ● ● ● ●