Analysis of Linux OS security tools for packet filtering and processing
Abstract
Open-source software and its components are widely used in various products, solutions, and applications, even in closed-source. Majority of them are made on Linux or Unix based systems. Netfilter framework is one of the examples. It is used for packet filtering, load-balancing, and many other manipulations with network traffic. Netfilter based packet filter iptables has been most common firewall tool for Linux systems for more than two decades. Successor of iptables – nftables was introduced in 2014. It was designed to overcome various iptables limitations. However, it hasn’t received wide popularity and transition is still ongoing. In recent years researchers and developers around the world are searching for solution to increase performance of packet processing tools. For that purpose, many of them trying to utilize eBPF (Extended Berkeley Packet Filter) with XDP (Express Data Path) data path. This paper focused on analyzing Linux OS packet filters and comparing their performances in different scenarios.
Article in English.
Linux OS paketų filtravimo ir apdorojimo saugumo priemonų analizė
Santrauka
Atvirojo kodo priemonės plačiau naudojamos skirtinguose produktuose ir programose. Dauguma iš jų yra padaryta panaudojant Linux arba Unix sistemas. Netfiler tvarkyklė yra vienas iš pavyzdžių. Ji naudojama paketams filtruoti, apkrovai paskirstyti ir kitoms manipuliacijoms su paketais atlikti. Netfilter paketų filtras ipatables jau du dešimtmečius yra populiariausia Linux ugniasienė. Nauja ugniasienė nftables buvo pristatyta 2014 metais ir turėjo įveikti iptables trūkumus. Tačiau nftables taip ir negavo visuotinio pripažinimo, daug sistemų taip ir nebuvo perkeltos į iptables. Todėl pastaruosius metus mokslininkai ir programinės įrangos kūrėjai ieško naujo sprendimo padidinti paketų apdorojimo našumą. Tam jie bando išnaudoti tokias technologijas kaip eBPF ir XDP. Šio straipsnio tikslas padaryti Linux OS paketų filtro analizę ir palyginti jų našumą skirtinguose scenarijuose.
Reikšminiai žodžiai: Linux, Netfilter, iptables, nftables, eBPF, XDP, ugniasienė, paketų filtrai.
Keyword : Linux, Netfilter, iptables, nftables, eBPF, XDP, firewalls, packet filters
This work is licensed under a Creative Commons Attribution 4.0 International License.
References
Bertrone, M., Miano, S., Risso, F., & Tumolo, M. (2018b). Accelerating Linux security with eBPF iptables [Conference presentation]. The ACM SIGCOMM 2018 Conference, Budapest, Hungary. SIGCOMM. https://doi.org/10.1145/3234200.3234228
Cisco DevNet. (2021). Open NX-OS Linux. https://developer.cisco.com/docs/nx-os/#!open-nx-os-linux/open-nx-os-linux
Citrix. (2017). How to check the version of FreeBSD on NetScaler. https://support.citrix.com/article/CTX221291
Juniper Networks. (2021). Junos OS Evolve overview. https://www.juniper.net/documentation/us/en/software/junos/evo-overview/topics/concept/evo-overview.html
Melkov, D., Šaltis, A., & Paulikas, Š. (2020). Performance testing of Linux firewalls [Conference presentation]. 2020 IEEE Open Conference of Electrical, Electronic and Information Sciences (eStream), Vilnius, Lithuania. IEEE. https://doi.org/10.1109/eStream50540.2020.9108868
Miano, S., Bertrone, M., Risso, F., Vásquez Bernal, M., Lu, Y., & Pi, J. (2019a). Securing Linux with a faster and scalable iptables. ACM SIGCOMM Computer Communication Review, 49(3), 2–17. https://doi.org/10.1145/3371927.3371929
Miano, S., Doriguzzi-Corin, R., Risso, F., Siracusa, D., & Sommese, R. (2019b). Introducing SmartNICs in server-based data plane processing: the DDoS mitigation use case. IEEE Access, 7, 107161–107170.
https://doi.org/10.1109/ACCESS.2019.2933491
Scholz, D., Raumer, D., Emmerich, P., Kurtz, A., Lesiak, K., & Carle, G. (2018). Performance implications of packet filtering with Linux eBPF [Conference presentation]. 30th International Teletraffic Congress, Vienna, Austria. IEEE.
https://doi.org/10.1109/ITC30.2018.00039
Suehring, S. (2015). Linux firewalls: Enhancing security with nftables and beyond (4th ed.). Addison-Wesley.
Sutter, P. (2017). Benchmarking nftables. Red Hat Developer blog. https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables
Tumolo, M. (2018). Towards a faster iptables in eBPF [Master thesis]. Politecnico di Torino.
Westphal, F. (2016). What comes after “iptables”? Its successor, of course “nftables”. Red Hat Developer blog. https://developers.redhat.com/blog/2016/10/28/what-comes-after-iptables-its-successor-of-course-nftables