This is a caching add-on for Iptables/Netfilter in the Linux kernel. Normally you write rules for IP Tables and these rules are applied to every packet that comes in. In most cases, however, the packet belongs to an established connection, so you see many packets with the same attributes. If one of them passes through the firewall, all subsequent packets with the same attributes can be allowed without consulting the rules at all.
The creators of Netfilter already laid the groundwork for this by introducing flags that are set whenever a rule examines a particular packet attribute. In the netfilter hacking HOWTO, Rusty and Harald say:
important issue for netfilter (well, in the future) is caching. Each skb has an `nfcache' field: a bitmask of what fields in the header were examined, and whether the packet was altered or not. The idea is that each hook of netfilter OR's in the bits relevant to it, so that we can later write a cache system which will be clever enough to realize when packets do not need to be passed through netfilter at all.
Why it was not implemented is beyond me!
But why?
How it works?
The rules in IP Tables are implemented as a series of Netfilter hooks.
1) The basic idea is to store the packet information (whatever is present in the SKB) in an AVL tree.
2) Check each incoming packet against the cache before any of the hooks run and, on a match, set a flag in nfcache. A match is present when, for some stored node, the values of all fields flagged in that node's stored nfcache equal the incoming packet's values.
3) If the packet is destined for the local machine and the cache flag is set, do not pass it through the IP Tables rules at all (the whole chain is skipped). (Right now it skips the whole NF_IP_LOCAL_IN hook!)
4) After a packet has passed through all the firewall rules, add it to the cache together with the result (Accepted or Rejected).
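The following is an added illustration of the lookup and insert steps above, not code from the patch: it simulates the nfcache bitmask with four constructed field bits and keeps the cache in a flat array instead of the AVL tree, so that a node only matches on the fields the rules actually examined. The names (NFC_*, struct pkt, cache_lookup, cache_insert, cache_flush) are all assumed for this example.

```c
#include <stdint.h>
#include <string.h>

/* Simulated nfcache bits: which header fields the rules examined. */
#define NFC_SRC   0x01
#define NFC_DST   0x02
#define NFC_PROTO 0x04
#define NFC_DPORT 0x08

enum verdict { V_MISS = -1, V_DROP = 0, V_ACCEPT = 1 };

/* Constructed subset of what the SKB carries. */
struct pkt { uint32_t saddr, daddr; uint8_t proto; uint16_t dport; };

/* One cache node: the packet fields, the nfcache mask recording which of
 * them the rule walk consulted, and the verdict that walk produced. */
struct cache_node { struct pkt key; unsigned mask; enum verdict v; };

#define CACHE_MAX 64
static struct cache_node cache[CACHE_MAX];
static int cache_len;

/* A node matches when every field named in its mask equals the incoming
 * packet's value; fields the rules never looked at are ignored. */
static int node_matches(const struct cache_node *n, const struct pkt *p)
{
    if ((n->mask & NFC_SRC)   && n->key.saddr != p->saddr) return 0;
    if ((n->mask & NFC_DST)   && n->key.daddr != p->daddr) return 0;
    if ((n->mask & NFC_PROTO) && n->key.proto != p->proto) return 0;
    if ((n->mask & NFC_DPORT) && n->key.dport != p->dport) return 0;
    return 1;
}

/* Step 2: lookup before the hooks run. Returns the cached verdict or V_MISS. */
enum verdict cache_lookup(const struct pkt *p)
{
    for (int i = 0; i < cache_len; i++)
        if (node_matches(&cache[i], p))
            return cache[i].v;
    return V_MISS;
}

/* Step 4: after the full rule walk, store the packet, the mask the rules
 * OR'd into nfcache, and the verdict. Returns 0 on success, -1 if full. */
int cache_insert(const struct pkt *p, unsigned mask, enum verdict v)
{
    if (cache_len >= CACHE_MAX) return -1;
    cache[cache_len].key = *p;
    cache[cache_len].mask = mask;
    cache[cache_len].v = v;
    cache_len++;
    return 0;
}

/* Any change to the rule set makes every cached verdict stale: flush it. */
void cache_flush(void) { cache_len = 0; }
```

Note that a cached verdict is only as trustworthy as the mask stored with it: if a rule examines a field without OR'ing its bit into nfcache, packets differing in that field will hit the cached verdict, which is why the cache must be flushed whenever the rules change.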
RFC: Proof of concept code:
I have written some crude code:
1) It is a system that keeps track of packets primarily using the source address. (So even if you don't have a rule using the source address, add a dummy rule that checks for some source address.)
2) The caching is enabled only for packets destined to the local computer.
for 2.4.27 on UML:
Please mail me at - ganhawk -at- yahoo -dot- com -