| | 1 | = Netfilter/iptables for ORBIT = |
| | 2 | |
| | 3 | This document briefly describes netfilter framework, and lists some of its |
| | 4 | capabilities. Motivation is to see how regular users of ORBIT can make use of |
| | 5 | it (if they will ever need it). |
| | 6 | |
| | 7 | |
| | 8 | == Overview == |
| | 9 | |
| | 10 | [http://www.netfilter.org/ Netfilter] is a packet filtering framework that appeared with Linux kernel version 2.4. |
| | 11 | It has a complete re-design and netfilter framework can be thought as a successor of ipchains/ipfwadm |
| | 12 | that were used with 2.0/2.2 kernels. |
| | 13 | |
| | 14 | In many contexts, netfilter and iptables are used interchangeably. The correct way to perceive this is |
| | 15 | explained as follows. Netfilter is the name given to the overall framework of this packet filtering oriented |
| | 16 | project. Under this project, there are four main components |
| | 17 | |
| | 18 | * '''netfilter''' |
| | 19 | This is at the heart of the framework (so, gives its name to the overall framework) and it provides a means for |
| | 20 | any given kernel module (not necessarily part of netfilter framework) to deal with network packets by letting them |
| | 21 | register callback functions with the network stack. |
| | 22 | |
| | 23 | * '''ip_tables''' |
| | 24 | Provides a generic table structure for rulesets and these rules are matched with packets to map them to |
| | 25 | specific actions. Similar to other components, it uses netfilter for this purpose. Also, (confusingly enough) |
| | 26 | the name of the userspace program that allows managing the rulesets of ip_tables is called iptables. |
| | 27 | |
| | 28 | * '''connection tracking''' |
| | 29 | Connection tracking is an integral part of NAT, but it is implemented as a separate module to allow for |
| | 30 | extensions. It is the `state' module of the framework. |
| | 31 | |
| | 32 | * '''NAT subsystem''' |
| | 33 | As the name implies, it realizes the NAT process except connection tracking part. NAT, in netfilter terms, should be |
| | 34 | considered as two different types: Source NAT (SNAT) and Destination NAT (DNAT). |
| | 35 | |
| | 36 | Source NAT is when you alter the source address of the first packet: i.e. you are changing where the connection is coming from. |
| | 37 | Source NAT is always done post-routing, just before the packet goes out onto the medium. Masquerading is a specialized form of SNAT. |
| | 38 | |
| | 39 | Destination NAT is when you alter the destination address of the first packet: i.e. you are changing where the connection is going to. |
| | 40 | Destination NAT is always done before routing, when the packet first comes off the wire. Port forwarding, load sharing, and transparent |
| | 41 | proxying are all forms of DNAT. |
| | 42 | |
| | 43 | Currently, netfilter provides the following hooks to be excited: |
| | 44 | |
| | 45 | [[Image(netfilter1.png)]] |
| | 46 | |
| | 47 | |
| | 48 | The arrows indicate the travel direction of packet as it visits each netfilter hook. |
| | 49 | |
| | 50 | |
| | 51 | == Possible Usage Scenarios == |
| | 52 | |
| | 53 | |
| | 54 | * '''Easy Packet Filtering''' |
| | 55 | |
| | 56 | User's experiment is using any standard available routing protocol for Linux (AODV, DSR, Lunar etc.) and |
| | 57 | he/she is not modifying/maintaining this routing protocols source code. So, by employing iptables, he/she |
| | 58 | can do stateless or stateful packet filtering (IPv4 or IPv6) based on |
| | 59 | |
| | 60 | * host names, IP addresses, MAC addresses, or physical/logical interface itself |
| | 61 | * TCP, UDP, or ICMP protocols |
| | 62 | * TCP flags through TCP extensions |
| | 63 | * Packet lengths |
| | 64 | * Packet type (host/broadcast/multicast) |
| | 65 | * TTL / ToS / More Fragments etc. |
| | 66 | * IP states through connection tracking |
| | 67 | |
| | 68 | In addition to acting on the above stated conditions, user might use iptables only to |
| | 69 | log those cases, without doing anything. |
| | 70 | |
| | 71 | |
| | 72 | * '''Random Packet Drop''' |
| | 73 | User might use iptables easily to deploy a random packet drop probability between |
| | 74 | .1<=p<=.99 This way, a packet level link quality enforcement (including wired side) |
| | 75 | can be implemented |
| | 76 | |
| | 77 | * '''String Search in Packets''' |
| | 78 | User can specify strings to be matched and processed through iptables. This is |
| | 79 | rather useful for debugging purposes, not content based routing/filtering (it will |
| | 80 | be real slow otherwise). An example would be checking a custom routing protocols update |
| | 81 | message to see if a specific destination IP is included in payload. |
| | 82 | |
| | 83 | * '''IP Header modifications''' |
| | 84 | User can do some basic IP header field manipulations (mangling) like altering the |
| | 85 | TOS/DSCP/ECN bits of the IP header, without dealing with reading packet to userspace |
| | 86 | or modifying kernel source. |
| | 87 | |
| | 88 | * '''Rough Packet Timing''' |
| | 89 | Users may filter or log packets that belong to a time window based on their time |
| | 90 | of arrival. However, this would have a granularity of at most one minute. Might |
| | 91 | be used for analyzing a snapshot of packets during a long experiment. |
| | 92 | |
| | 93 | * '''Forwarding and NAT''' |
| | 94 | By making use of the above matching opportunities, users may define rules to bypass |
| | 95 | the existing routing mechanism on the node and forward/rewrite packets regardless |
| | 96 | of nodes normal action plan (by exciting prerouting chain). This can be used to enforce fixed |
| | 97 | routes, or pseduo multi-hops (through MAC address based drops). |
| | 98 | |
| | 99 | Also, if the experiment requires, user can implement a transparent proxy on a |
| | 100 | node to check the performance of the scheme under investigation with such a |
| | 101 | proxy in network. |
| | 102 | |
| | 103 | * '''More scenarios TBA''' |
