Developer days

From Netfilter Workshop 2017

Tuesday 4th July

A look at the ferm firewall

  • Who: Pablo Neira
  • Description: ferm is a wrapper for iptables; it allows you to maintain complex firewalls without having to rewrite the complex rules over and over again.
  • Time: 9h30-10h30
  • Slides: File:Ferm.pdf

tcpmss and option mangling for nftables

  • Who: Florian Westphal
  • Description: tcp mss mangling for nftables, and how to best add TCPOPTSTRIP (option removal)
  • Time: 11-11:15
  • Slides: File:Tcpmss.pdf

conntrack for bridge

  • Who: Florian
  • Description: current state, open problems
  • Time: 11:15-11:30
  • Slides: File:Bridge-ct.pdf

nft error reporting

nftables performance evaluation

nftables set backend updates

  • Who: Pablo Neira
  • Description: Introduction to the nftables set backend from developer perspective, report on recent updates, performance evaluation and discussion.
  • Time: 14:30-15
  • Slides: File:Nft-set-backend.pdf

Bonsai Tree for Linux/nft

Wednesday 5th July

Netfilter and Offloading

  • Who: John Hurley
  • Description: The offloading of Linux kernel networking functionality to hardware accelerated platforms such as SmartNICs can be shown to improve throughput while freeing resources on the host server. This talk describes one model of how Open vSwitch, in conjunction with Netfilter Conntrack, has been offloaded. The desired outcome is to engage with the Netfilter community on how such offloads can become more compatible with the upstream kernel.
  • Time: 9.30-10.15

nftables at CICA, our experience

  • Who: Arturo Borrero Gonzalez
  • Description: We migrated from iptables to nftables at CICA and would like to share our experience.
  • Time: 10.15-11.30
  • Slides: File:Cica nftables.pdf


  • Who: Pablo Neira Ayuso
  • Description: High level library for third party software
  • Time: 11.30-12
  • Slides: File:Libnftables.pdf

nft icmp type/code problems

  • Who: Phil Sutter/Pablo Neira
  • Description: icmp type/code listing is broken, discuss solutions.
  • Time: 13.45-14
  • Slides: File:Icmp code and echo.pdf

OVS metering using nft

  • Who: Joe Stringer
  • Description: The OVS community are looking to perform multi-band ratelimit (meter) to throttle traffic for connection logging and ISP use cases. This talk looks at the use cases, considers the paths for an upstream implementation, and presents an RFC implementation using NFT named objects.
  • Time: 14:15-14:45
  • Slides: File:Nfws-ovs-metering.pdf

speeding up nft -f

  • Who: Pablo Neira
  • Description: Discussing how to speed up nft -f.
  • Time: 15:45-15:55
  • Slides: File:Nft-f-speedup.pdf

MPTCP conntrack

  • Who: Florian
  • Description: do we need to start to look at multipath support for tcp conntrack?
  • Time: 15:55-16

nfqueue-based L7 filtering

  • Who: Florian
  • Description: nfqueue based l7 classification

hook compaction status

  • Who: Florian
  • Description: current status of hook compaction (linked list replacement)

Thursday 6th July

Netfilter hardware offloads

  • Who: Pablo Neira
  • Description: Discuss Netfilter hardware offloads, including nf_tables and conntrack.
  • Slides: File:Nft-hw-offload.pdf

nft ingress fast path

  • Who: Pablo Neira w/Steffen Klassert
  • Description: Discuss faster forwarding path ideas from nft ingress.

Packet batching with nft ingress fast path

  • Who: Steffen Klassert
  • Description: Discuss possibilities to batch packets based on traffic pattern matching.

Netfilter kernel updates summary

nft layer 7 matching

  • Who: Pablo Neira
  • Description: Add layer 7 protocol definitions, relatively easy for UDP, eg. dns, dhcp, tunneling, etc.
  • Estimated time: 30 minutes
  • Slides: File:Nft-l7.pdf

nftables netlink API issues

  • Who: Pablo Neira
  • Description: Remaining issues with netlink API, such as hook priorities for chain, non-empty chain deletion and netlink event overrun issues.
  • Slides: File:Nft-netlink-api.pdf

Netfilter userspace updates summary

Friday 7th July

Netfilter functional testing using TTCN-3 and Eclipse Titan

  • Who: Harald Welte
  • Description: The netfilter/iptables project unfortunately does not have a comprehensive set of functional tests at its disposal. It is therefore easy to introduce regressions unnoticed. In the project's early days, Rusty Russell implemented 'nfsim', the netfilter simulator, which executed the entire netfilter/iptables kernel code inside a userspace process, providing stubs for all the kernel APIs. However, this has been unsupported and unmaintained for something like 15 years by now. In the ETSI/ITU telecom world, there is a domain-specific programming language for test specification called "TTCN-3". This language has unique characteristics, as it was designed specifically for the execution of functional tests against protocol implementations or protocol stacks. In more recent years, Ericsson has published their TTCN-3 compiler and development environment "Titan" under the umbrella of the Eclipse Foundation. The presentation will introduce the basic concepts of TTCN-3 and provide a walk-through of some basic functional tests for the netfilter connection tracking engine. The goal of this talk is to try to infect the netfilter development community with the idea that there should be more functional testing, and that TTCN-3 has unique characteristics for writing such a new test suite.
  • Estimated time: 60 minutes.
  • Slides: ?

nft: what is missing?

  • Who: Pablo Neira
  • Description: Revisit what features are missing wrt. iptables
  • Estimated time: 15 minutes
  • Slides: File:Nft-missing.pdf

A look at Netfilter's bugzilla

  • Who: Pablo Neira
  • Description: Revisit existing issues at Netfilter's Bugzilla
  • Estimated time: 15 minutes

honor NFPROTO_INET as real family

  • Who: Pablo Neira
  • Description: NFPROTO_INET only works for nftables; move this new pseudofamily to the generic core hook infrastructure so we can kill a good bunch of complexity in nftables. Probably reuse this from helpers too?
  • Slides: File:Nf-nfproto-inet.pdf