Netfilter Cache



What is it?

This is a caching system add-on for Iptables/Netfilter in the Linux kernel. Normally, you write rules for IP Tables and these rules are applied to each packet that comes in. But in most cases the packet is part of an established connection, and you get many packets with the same attributes. If one passes through the firewall, then all the subsequent packets that have the same attributes can be allowed without even consulting the rules.

The creators of Netfilter already prepared the framework for this by introducing flags which are set whenever a particular packet attribute is examined by a rule.

In the netfilter hacking HOWTO, Rusty and Harald say:

One important issue for netfilter (well, in the future) is caching. Each skb has an `nfcache' field: a bitmask of what fields in the header were examined, and whether the packet was altered or not. The idea is that each hook off netfilter OR's in the bits relevant to it, so that we can later write a cache system which will be clever enough to realize when packets do not need to be passed through netfilter at all.

Why it was not implemented is beyond me!


But Why?

Why not?
Performance is the foremost reason. Memory is now so cheap that every computer has plenty of it, and we have access to ever higher bandwidth. Caching can also be useful when fending off DoS attacks: the rejected packets are cached, and similar DoS packets are rejected automatically. It could even be used with something like Snort Inline. Netfilter (and IPTables) affect the throughput of the network interface directly. Moreover, caching can be extended even to connection tracking.

How it works?

The rules in IP Tables are implemented as a series of Netfilter hooks.

1) The basic idea is to store the packet information (whatever is present in the SKB) in an AVL tree.

2) Check each incoming packet against the cache before all the hooks, and if it matches, set a flag in nfcache. A match is said to be present if, for some stored node, the values of all the fields flagged in that node's stored nfcache equal the incoming packet's values.

3) If the packet is destined for the local machine and the cache flag is set, do not pass it through the IP Tables rules at all (the whole chain is skipped).
(Right now it skips the whole NF_IP_LOCAL_IN hook!)

4) After a packet has passed through all the rules, add it to the cache together with the result (Accepted or Rejected).
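As an added illustration of steps 2 and 4 (this is example code, not the project's patch), here is a userspace C model of the cache: the AVL tree is replaced by a flat array, and the nfcache mask is reduced to four assumed bits (NFC_SRC, NFC_DST, NFC_PROTO, NFC_DST_PT) standing in for the kernel's header-examined flags. It also shows why Note 1 below matters: a cached verdict is only as specific as the fields the rules actually examined, so an entry recorded with a source-less mask applies to every later packet that agrees on the remaining fields.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed, simplified stand-ins for the per-skb nfcache "field examined" bits. */
#define NFC_SRC    0x01u
#define NFC_DST    0x02u
#define NFC_PROTO  0x04u
#define NFC_DST_PT 0x08u

enum verdict { V_MISS = -1, V_REJECT = 0, V_ACCEPT = 1 };

struct pkt { uint32_t saddr, daddr; uint8_t proto; uint16_t dport; };

/* One cache node: the packet attributes, which of them the rules examined, and the result. */
struct cache_entry { struct pkt key; unsigned nfcache; enum verdict verdict; };

#define CACHE_SIZE 64
static struct cache_entry cache[CACHE_SIZE];   /* flat array in place of the AVL tree */
static size_t cache_len;

void cache_reset(void) { cache_len = 0; }

/* Step 2: a node matches when every field flagged in ITS nfcache equals the packet's value. */
static int entry_matches(const struct cache_entry *e, const struct pkt *p)
{
    if ((e->nfcache & NFC_SRC)    && e->key.saddr != p->saddr) return 0;
    if ((e->nfcache & NFC_DST)    && e->key.daddr != p->daddr) return 0;
    if ((e->nfcache & NFC_PROTO)  && e->key.proto != p->proto) return 0;
    if ((e->nfcache & NFC_DST_PT) && e->key.dport != p->dport) return 0;
    return 1;
}

/* Lookup before the hooks run; V_MISS means the packet must go through the rules. */
enum verdict cache_lookup(const struct pkt *p)
{
    for (size_t i = 0; i < cache_len; i++)
        if (entry_matches(&cache[i], p)) return cache[i].verdict;
    return V_MISS;
}

/* Step 4: after the rules ran, store the packet, the examined fields, and the verdict.
 * An empty mask would match every packet, so such entries are refused. */
int cache_add(const struct pkt *p, unsigned nfcache, enum verdict v)
{
    if (cache_len == CACHE_SIZE || nfcache == 0) return -1;
    cache[cache_len].key = *p;
    cache[cache_len].nfcache = nfcache;
    cache[cache_len].verdict = v;
    cache_len++;
    return 0;
}
```

A ruleset that only examined protocol and destination port produces entries whose verdict is reused for any source address, which is exactly the case Note 1 below guards against with a dummy source-address rule.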


RFC: Proof of concept code:

I have written some crude code that implements the above.

Note:
1) It is a system that keeps track of packets primarily using the source address. (So even if you don't have a rule that uses the source address, add a dummy rule that checks for some source address.)
2) The caching is enabled only for packets destined to the local computer.

NF Cache patch for 2.4 kernel

Individual Files

Developed for 2.4.27 on UML:

net/core/netfilter.c

include/linux/nfcache.h

include/linux/avltree.h

