List of user-day presentations
From 9th netfilter workshop
Revision as of 16:42, 4 April 2013 by NetOptimizer (Talk | contribs)
The public day of the Netfilter Workshop was held in co-operation with Open Source Days.
A total of 9 user-day talks were given on a dedicated Netfilter Track during the Sunday of Open Source Days.
- Below we have collected slides and videos for these public talks.
10:00 - 10:55 (slot 45min)
- Ulogd 2.0, firewall logging reloaded
- Speaker: Eric Leblond
- Slides and Video (download)
- Also see Blog for video demos
- Timing: 45 minutes
- Description: Ulogd2 is the successor of ulogd, the historical Netfilter logging daemon. It provides packet logging, but also connection logging and accounting. The talk will cover the architecture and usage of ulogd2 and show how the new features can be used to get a better understanding of your firewall and network activity.
- Bio: Eric Leblond is a Free Software and Security hacker. He is part of the Netfilter coreteam, where he mainly works on kernel and userspace interaction. He is the maintainer of ulogd2, the Netfilter userspace logging daemon. He started working on the IDS/IPS Suricata in 2009 and is currently working for the OISF as a developer. He is also a consultant in free software and network security.
- Presented at Open Source Days
11:00 - 11:55 (slot 45 min)
- Beyond the existences of Bufferbloat, have we found the cure?
- Speaker: Jesper Dangaard Brouer
- Slides and video (download)
- YouTube recording from DevConf.cz (of almost the same talk)
- Time: 45 minutes
- Description: We have reached a point where people have accepted that bufferbloat does exist. Bufferbloat is the phenomenon of excessive network buffering causing high latency and jitter, as well as reducing the overall network throughput. But what about the solution? This talk is about the techniques and solutions we have (recently) implemented in the Linux kernel to mitigate (or solve?) bufferbloat. Subjects covered in detail are: TSQ (TCP Small Queue), BQL (Byte Queue Limit), CoDel (Controlled Delay active queue management).
- Bio: Senior Linux Kernel Engineer at Red Hat, Inc. Back in 2005, before bufferbloat got its name, he fixed bufferbloat on ADSL (with the ADSL-optimizer) during his Masters thesis in Computer Science. He has participated in several invitation only developer conferences, including NetConf and most of the Netfilter Developer Workshops. He is part of the team that maintains netfilter.org. He is a frequent speaker at technical conferences.
- Presented at Open Source Days
13:00 - 13:25 (slot 25 min)
- nftables: a new packet filtering framework for Netfilter
- Speaker: Pablo Neira Ayuso
- Slides and Video (raw video download)
- Time: 25 minutes
- Description: This talk will provide a report on the development status of nftables, a new in-kernel packet filtering framework for Netfilter. This new framework aims to resolve existing limitations in iptables and to prepare the ground for new major enhancements.
- Bio: Pablo Neira Ayuso is the current Netfilter maintainer. He works as a teacher and researcher at the University of Seville (Spain). He is also the co-founder of a small IT consultancy company providing services in the field of computer networks and Linux. He is the author of several research articles on firewall technology and operating systems.
- Presented at Open Source Days
13:30 - 13:55 (slot 25 min)
- Oops, I did it: IPv6 NAT
- Speaker: Patrick McHardy
- Slides and Video (download) (funny video explaining it all)
- Time: 25 minutes
- Description: This talk discusses IPv6 NAT implementation details in Linux/Netfilter.
- Bio: Patrick McHardy is a Linux kernel hacker with more than 4000 contributions to the networking code.
14:00 - 14:55 (slot 45 min)
- Faster firewalling with ipset
- Speaker: Jozsef Kadlecsik
- Slides and Video (download)
- Time: 45 minutes
- Description: Building firewalls with netfilter/iptables is easy: the documentation is outstanding and there are countless good tutorials and ready-to-use scripts which can be adapted to the given case. However, it is a challenge to create a firewall with a high number of rules, where either the rules have to be changed often or the system has to cope with high bandwidth. Here comes ipset, which gives us the missing piece to solve such cases. In this presentation we'll show how ipset works and how to build ipset-based firewalls.
- Bio: Jozsef Kadlecsik is a long-time member of the Netfilter Coreteam and the maintainer of ipset (http://ipset.netfilter.org/). He works as an IT professional at the Wigner Research Centre for Physics in Hungary.
15:30 - 16:25 (slot 45 min)
- AFW: Automating host-based firewalls with Chef
- Speaker: Julien Vehent
- Slides (external link for slides) and Video (download)
- Time: 45 minutes
- Description: Virtualized web infrastructures often mean having a bunch of web applications talking HTTP to each other all over your network. REST APIs everywhere, VMs appearing and disappearing every day, without any sort of ACL or passwords between them. From a firewall standpoint, manually managing the rules between those VMs is unrealistic, and often results in opening tcp/80 (and more) everywhere by default. This is obviously not ideal. Some have tried to deploy web application firewalls, but few have survived to testify. AFW (http://github.com/jvehent/AFW) is a Chef cookbook that solves these problems by controlling host-based Netfilter/iptables firewalls on each system of a Chef-provisioned environment. I will demonstrate how host-to-host rules can be created and kept up to date by using a set of generic rules expanded dynamically.
- Bio: Julien is a Security Engineer at AWeber.com. He specializes in Web Architecture's Systems and Security, Networking and Cryptography. He builds infrastructures from the ground up, in datacenters or in the cloud, and from the front firewall to the backend database.
16:30 - 16:55 (slot 25 min)
- ConnMan usage of Netfilter: a close overview
- Speaker: Tomasz Bursztyka
- Slides and Video (download)
- Time: 25 minutes
- Description: ConnMan, which stands for connection manager, is a daemon for managing network connections under Linux. It has been designed to be slim and resource friendly, and thus is being used successfully in various embedded Linux systems. ConnMan is also strongly modular and handles all wired and wireless connectivity technologies through plugins. Such modularity enables ConnMan to be extended easily to support various other technologies or specific features. Having recently been enabled for Smartphone and IVI usage, ConnMan has started to use NetFilter, the network packet filtering stack of the Linux kernel, a lot more. This talk will describe in detail the use cases of such integration with NetFilter, the pitfalls, and the plans to circumvent those.
- Bio: Tomasz Bursztyka is a Software Engineer at Intel as part of the team maintaining the ConnMan, oFono, BlueZ and Neard projects, where he focuses more specifically on ConnMan and NetFilter.
17:00 - 17:25 (slot 25 min)
- Linux's packet mmap(2), BPF, and the Netsniff-NG toolkit
- Slides (Open Source Days link) and Video (download)
- Speaker: Daniel Borkmann
- Time: 25 minutes
- Description: This talk will cover internals of the PF_PACKET socket in the Linux kernel, in particular the packet mmap() mechanism ("zero-copy") that is used to improve packet capturing and transmission performance from user space. In addition to that, the Berkeley Packet Filter will be partially covered with its built-in kernel space "virtual machine" and just-in-time compiler. As an application on top of that, the netsniff-ng toolkit will be presented (http://netsniff-ng.org/), which can be used to facilitate a network developer's daily kernel plumbing, but also the daily work of system administrators or security consultants.
- Bio: http://borkmann.ch
- Extra:
- blog writeup
- (VIDEO) Full-length talk given at DevConf.cz is available on YouTube
17:25 - 17:30 (slot 15 min)
- Xtables2 for users
- Slides and Video (download)
- Speaker: Jan Engelhardt
- Time: 15 minutes (Lightning talk section)
- Description: Quick introduction to Xtables2, with focus on the userspace components that consist of "xtadm", the command-line frontend and the libnetfilter_xtables C library.
- Bio: Jan Engelhardt is an IT Consultant from Central Germany. With about 13 years of experience in working with Linux server systems, he has come to dedicate himself to writing kernel/system-level software and distribution packaging. He is active in the field of Networking and is a major contributor to the Xtables/iptables packet filter. On the distro side, he maintains the Netfilter stack and other closely-related packages in the openSUSE Linux distribution.