Analysis of Linux OS security tools for packet filtering and processing

Dmitrij Melkov; Šarūnas Paulikas

doi:10.3846/mla.2021.15180

DOI: https://doi.org/10.3846/mla.2021.15180

Abstract

Open-source software and its components are widely used in various products, solutions, and applications, even in closed-source. Majority of them are made on Linux or Unix based systems. Netfilter framework is one of the examples. It is used for packet filtering, load-balancing, and many other manipulations with network traffic. Netfilter based packet filter iptables has been most common firewall tool for Linux systems for more than two decades. Successor of iptables – nftables was introduced in 2014. It was designed to overcome various iptables limitations. However, it hasn’t received wide popularity and transition is still ongoing. In recent years researchers and developers around the world are searching for solution to increase performance of packet processing tools. For that purpose, many of them trying to utilize eBPF (Extended Berkeley Packet Filter) with XDP (Express Data Path) data path. This paper focused on analyzing Linux OS packet filters and comparing their performances in different scenarios.

Article in English.

Linux OS paketų filtravimo ir apdorojimo saugumo priemonų analizė

Santrauka

Atvirojo kodo priemonės plačiau naudojamos skirtinguose produktuose ir programose. Dauguma iš jų yra padaryta panaudojant Linux arba Unix sistemas. Netfiler tvarkyklė yra vienas iš pavyzdžių. Ji naudojama paketams filtruoti, apkrovai paskirstyti ir kitoms manipuliacijoms su paketais atlikti. Netfilter paketų filtras ipatables jau du dešimtmečius yra populiariausia Linux ugniasienė. Nauja ugniasienė nftables buvo pristatyta 2014 metais ir turėjo įveikti iptables trūkumus. Tačiau nftables taip ir negavo visuotinio pripažinimo, daug sistemų taip ir nebuvo perkeltos į iptables. Todėl pastaruosius metus mokslininkai ir programinės įrangos kūrėjai ieško naujo sprendimo padidinti paketų apdorojimo našumą. Tam jie bando išnaudoti tokias technologijas kaip eBPF ir XDP. Šio straipsnio tikslas padaryti Linux OS paketų filtro analizę ir palyginti jų našumą skirtinguose scenarijuose.

Reikšminiai žodžiai: Linux, Netfilter, iptables, nftables, eBPF, XDP, ugniasienė, paketų filtrai.

Keyword : Linux, Netfilter, iptables, nftables, eBPF, XDP, firewalls, packet filters

How to Cite

Melkov, D., & Paulikas, Šarūnas. (2021). Analysis of Linux OS security tools for packet filtering and processing. Mokslas – Lietuvos Ateitis / Science – Future of Lithuania, 13. https://doi.org/10.3846/mla.2021.15180

Published in Issue

Aug 24, 2021

Abstract Views

790

PDF Downloads

623

This work is licensed under a Creative Commons Attribution 4.0 International License.

References

Bertrone, M., Miano, S., Pi, J., Risso, F., & Tumolo, M. (2018a). Toward an eBPF-based clone of iptables [Conference presentation]. The Technical Conference on Linux Networking, Montreal, Canada.

Bertrone, M., Miano, S., Risso, F., & Tumolo, M. (2018b). Accelerating Linux security with eBPF iptables [Conference presentation]. The ACM SIGCOMM 2018 Conference, Budapest, Hungary. SIGCOMM. https://doi.org/10.1145/3234200.3234228

Cisco DevNet. (2021). Open NX-OS Linux. https://developer.cisco.com/docs/nx-os/#!open-nx-os-linux/open-nx-os-linux

Citrix. (2017). How to check the version of FreeBSD on NetScaler. https://support.citrix.com/article/CTX221291

Juniper Networks. (2021). Junos OS Evolve overview. https://www.juniper.net/documentation/us/en/software/junos/evo-overview/topics/concept/evo-overview.html

Melkov, D., Šaltis, A., & Paulikas, Š. (2020). Performance testing of Linux firewalls [Conference presentation]. 2020 IEEE Open Conference of Electrical, Electronic and Information Sciences (eStream), Vilnius, Lithuania. IEEE. https://doi.org/10.1109/eStream50540.2020.9108868

Miano, S., Bertrone, M., Risso, F., Vásquez Bernal, M., Lu, Y., & Pi, J. (2019a). Securing Linux with a faster and scalable iptables. ACM SIGCOMM Computer Communication Review, 49(3), 2–17. https://doi.org/10.1145/3371927.3371929

Miano, S., Doriguzzi-Corin, R., Risso, F., Siracusa, D., & Sommese, R. (2019b). Introducing SmartNICs in server-based data plane processing: the DDoS mitigation use case. IEEE Access, 7, 107161–107170.
https://doi.org/10.1109/ACCESS.2019.2933491

Scholz, D., Raumer, D., Emmerich, P., Kurtz, A., Lesiak, K., & Carle, G. (2018). Performance implications of packet filtering with Linux eBPF [Conference presentation]. 30th International Teletraffic Congress, Vienna, Austria. IEEE.
https://doi.org/10.1109/ITC30.2018.00039

Suehring, S. (2015). Linux firewalls: Enhancing security with nftables and beyond (4th ed.). Addison-Wesley.

Sutter, P. (2017). Benchmarking nftables. Red Hat Developer blog. https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables

Tumolo, M. (2018). Towards a faster iptables in eBPF [Master thesis]. Politecnico di Torino.

Westphal, F. (2016). What comes after “iptables”? Its successor, of course “nftables”. Red Hat Developer blog. https://developers.redhat.com/blog/2016/10/28/what-comes-after-iptables-its-successor-of-course-nftables